From f0e5f8344ad086d994305807ff0cbbcdf1228419 Mon Sep 17 00:00:00 2001 From: Patrick Lewis <4015312+locus313@users.noreply.github.com> Date: Sun, 21 Jun 2026 13:46:59 -0700 Subject: [PATCH] chore: update actions/checkout to v7 and auto-maintain README SHA - Update all actions/checkout references in README from v4 to v7.0.0 pinned to commit SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 - Replace mutable 'ref: main' in usage example with pinned commit SHA - Add workflow to auto-update pinned SHA in README on every push to main - Update CHANGELOG Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/update-readme-sha.yml | 41 +++++++++++++++++++++++++ CHANGELOG.md | 16 +++++----- README.md | 16 +++++----- 3 files changed, 56 insertions(+), 17 deletions(-) create mode 100644 .github/workflows/update-readme-sha.yml diff --git a/.github/workflows/update-readme-sha.yml b/.github/workflows/update-readme-sha.yml new file mode 100644 index 0000000..0612720 --- /dev/null +++ b/.github/workflows/update-readme-sha.yml @@ -0,0 +1,41 @@ +name: Update README SHA reference + +on: + push: + branches: + - main + paths-ignore: + - 'README.md' + - '**.md' + - 'LICENSE' + - '.github/FUNDING.yml' + +jobs: + update-sha: + name: Update pinned SHA in README + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout code + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + ref: main + fetch-depth: 2 + + - name: Update SHA in README.md + run: | + NEW_SHA="${{ github.sha }}" + sed -i "s|ref: [0-9a-f]\{40\}|ref: ${NEW_SHA}|g" README.md + + - name: Commit updated README.md + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + if git diff --quiet README.md; then + echo "No SHA change detected, skipping commit." + else + git add README.md + git commit -m "chore: update pinned SHA in README to ${{ github.sha }}" + git push + fi diff --git a/CHANGELOG.md b/CHANGELOG.md index 92c53cb..41e237a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,15 +7,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). ## [Unreleased] ### Added -- `AGENTS.md` — AI agent guide with project overview, directory map, build/run, key patterns, and adding-a-new-script walkthrough -- `.github/workflows/ci.yml` — shellcheck CI on all `.sh` files for every PR -- `.github/workflows/copilot-setup-steps.yml` — pre-installs jq, shellcheck, and gitleaks for Copilot cloud agent -- `.github/ISSUE_TEMPLATE/bug_report.yml` — structured bug report form -- `.github/ISSUE_TEMPLATE/feature_request.yml` — structured feature request form -- `.github/PULL_REQUEST_TEMPLATE.md` — PR checklist derived from script conventions -- `.github/dependabot.yml` — monthly GitHub Actions version updates -- `.mcp.json` — GitHub MCP server configuration for Copilot CLI -- Maintenance matrix section in `.github/copilot-instructions.md` +- `github-copilot-report`: NDJSON usage-metrics endpoints, Entra ID enrichment via `az rest`, auto-detection of credits per seat with promo/standard table, `--no-entra` flag +- README: GitHub Actions integration examples (workflow_dispatch, artifact upload, environment protection) +- `.github/workflows/update-readme-sha.yml` — automatically updates the pinned commit SHA in README.md on every push to `main` + +### Changed +- README: updated all `actions/checkout` references from `v4` to `v7.0.0` (pinned SHA `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0`) +- README: replaced `ref: main` in the GitHub Actions usage example with a pinned commit SHA, and updated the accompanying note to recommend SHA pinning --- diff --git a/README.md b/README.md index 8613ac6..63bdb84 100644 --- a/README.md +++ b/README.md @@ -853,15 +853,15 @@ You can use these scripts in your own repository's workflows without copying or ```yaml - name: Checkout github-api-scripts - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: locus313/github-api-scripts - ref: main # Pin to a specific tag or SHA in production + ref: 1325656e2dad4f6b16b183cdd3676e05f00cb2b4 path: github-api-scripts ``` > [!NOTE] -> For production workflows, pin `ref` to a specific tag (e.g., `v1.0.0`) or commit SHA rather than a branch name to ensure reproducibility and prevent unexpected changes. +> For production workflows, pin `ref` to a specific commit SHA rather than a branch name to ensure reproducibility and prevent unexpected changes. --- @@ -882,7 +882,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout github-api-scripts - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: locus313/github-api-scripts ref: main @@ -914,7 +914,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout github-api-scripts - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: locus313/github-api-scripts ref: main @@ -960,7 +960,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout github-api-scripts - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: locus313/github-api-scripts ref: main @@ -1000,10 +1000,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout your repository - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Checkout github-api-scripts - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: repository: locus313/github-api-scripts ref: main