From 11c4606354dd87f4077110507dfbbb6949b78f6c Mon Sep 17 00:00:00 2001 From: Chemaclass Date: Mon, 8 Jun 2026 12:05:56 +0200 Subject: [PATCH] docs(installation): document Renovate/Dependabot auto-bump for the Action SHA pin A commit-SHA pin is the most secure way to use the action but tedious to bump by hand. Add Renovate and Dependabot config snippets that keep the pin (and its human-readable tag comment) fresh automatically. Closes #701 --- docs/installation.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/docs/installation.md b/docs/installation.md index 988d2997..49bc4531 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -301,6 +301,39 @@ jobs: asset (sha256) and fails the install on any mismatch. Set it to `false` only when pinning a release published before checksum assets existed. +### Keep the SHA pin fresh automatically + +A commit-SHA pin is the most secure, but bumping it by hand is tedious. Let a bot do it +and keep the `# {{ pkg.version }}` comment as the human-readable tracker. + +::: code-group +```json [Renovate - renovate.json] +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": ["config:recommended"], + "packageRules": [ + { + "matchManagers": ["github-actions"], + "matchPackageNames": ["TypedDevs/bashunit"], + "pinDigests": true + } + ] +} +``` + +```yaml [Dependabot - .github/dependabot.yml] +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly +``` +::: + +Renovate updates the pinned SHA and refreshes the trailing `# tag` comment in the same PR. +Dependabot bumps `github-actions` pins on the schedule you set. + ::: tip See bashunit's own pipeline for a real example: https://github.com/TypedDevs/bashunit/blob/main/.github/workflows/tests.yml :::
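Review bot: The Dependabot snippet in this hunk is not scoped to `TypedDevs/bashunit` the way the Renovate `packageRules` entry is (`matchPackageNames`), so it will open update PRs for every action under `.github/workflows`, not just the bashunit pin; the sentence "Dependabot bumps `github-actions` pins on the schedule you set" should say so, or the snippet should add an `allow` entry restricting it to this action so the two examples are equivalent. It would also help to add one sentence after the two bot descriptions reminding readers that an automated SHA bump still deserves a glance at the PR (that the new digest and the refreshed `# tag` comment correspond to a published release), since the whole point of the pin is that the SHA, not the comment, is what the workflow actually checks out.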