chore: add dependabot config and pin GitHub Actions #104

Merged: gavinsharp merged 2 commits into main from gavinsharp/dependabot-actions on Mar 12, 2026

Conversation

@gavinsharp (Contributor) commented Mar 11, 2026

Add .github/dependabot.yml to manage GitHub Actions updates monthly, with all actions pinned to commit hashes for supply chain security.

Changes:

  • Created dependabot config for monthly GitHub Actions checks
  • Pinned actions/checkout: v4 → de0fac2 (v6)
  • Pinned actions/setup-java: v1 → be666c2 (v5)

Commit hash pinning protects against tag mutations and ensures reproducible builds.

🤖 Generated with Claude Code
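An added check, not part of this PR or the repository, that scans workflow text for `uses:` steps that are not pinned to a full 40-character commit SHA (the property the description relies on) and for SHA pins that lack the `# vX` version comment Dependabot keeps in sync with the hash. The sample workflow snippets and the hashes in them are constructed placeholders, not the de0fac2 / be666c2 commits the PR pins.

```python
import re

# A full commit SHA is 40 hex characters; a tag, branch or abbreviated hash can
# be re-pointed after the fact, which is the "tag mutation" the description mentions.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)(?:\s+#\s*(\S.*))?\s*$"
)

def find_unpinned_actions(workflow_text):
    """Return (line_no, action, ref, problem) for each remote `uses:` step that
    is not pinned to a full commit SHA, or is SHA-pinned without the `# vX`
    comment Dependabot uses to track the version behind the hash."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action step (local ./ and docker:// refs are skipped)
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        if not SHA_RE.match(ref):
            findings.append((lineno, action, ref, "not pinned to a full commit SHA"))
        elif not comment:
            findings.append((lineno, action, ref, "SHA pin has no version comment"))
    return findings

# Constructed samples shaped like the ci.yml steps this PR touches. The hashes
# are placeholders, not the real de0fac2 / be666c2 commits.
BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-java@v1
    with:
      java-version: 17
"""
AFTER = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
  - uses: actions/setup-java@fedcba9876543210fedcba9876543210fedcba98 # v5
    with:
      distribution: zulu
      java-version: 17
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for lineno, action, ref, problem in find_unpinned_actions(text):
            print(f"{label}:{lineno}: {action}@{ref}: {problem}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `find_unpinned_actions`; an empty result means every remote action is SHA-pinned with a version comment.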


Note

Low risk: CI-only changes that primarily improve supply-chain safety, with minor risk of build differences from upgrading/pinning GitHub Actions and selecting a specific JDK distribution.

Overview
Adds .github/dependabot.yml to run monthly Dependabot checks for GitHub Actions.

Updates .github/workflows/ci.yml to pin actions/checkout and actions/setup-java to commit SHAs (instead of tags) and moves setup-java to v5-style config by specifying the zulu distribution.

Written by Cursor Bugbot for commit bdc8dd9.

Add .github/dependabot.yml to manage GitHub Actions updates monthly, with all actions pinned to commit hashes for supply chain security:
- actions/checkout: v4 → de0fac2 (v6)
- actions/setup-java: v1 → be666c2 (v5)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


setup-java v2+ requires a distribution input. Using "zulu" to match
the default behavior from v1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gavinsharp requested a review from rossmpowell March 11, 2026 15:24
@gavinsharp merged commit 7988fee into main Mar 12, 2026
5 checks passed
@gavinsharp deleted the gavinsharp/dependabot-actions branch March 12, 2026 15:01