Background
projen-pipelines generates GitHub Actions workflows programmatically. The referenced actions (actions/checkout, actions/setup-node, aws-actions/configure-aws-credentials, aws-actions/amazon-ecr-login, cdklabs/generate-issue-body, etc.) are hardcoded as string literals inside the TypeScript source (primarily under src/engine/github/ and friends), not in real .github/workflows/*.yml files.
Because of that:
- Dependabot and Renovate cannot detect them. Both tools scan YAML workflow files; they don't parse TS source for uses: references embedded in generated strings.
- Action versions silently drift and eventually fall behind on security patches and bug fixes.
- Every consumer of projen-pipelines inherits whatever versions were current when a maintainer last did a manual bump — which is not a great posture for a library that produces CI/CD for regulated workloads.
Recent supply-chain incidents (e.g. tj-actions/changed-files, March 2025) have raised the bar: pinning is expected, and automated pinning with version comments is the current best practice.
Goal
Add a scheduled maintenance workflow to this repository that keeps the action references in generated pipelines up to date automatically, with a PR-based review flow.
Proposed Behavior
A new workflow, e.g. .github/workflows/update-actions.yml, that:
- Runs on a weekly schedule (cron: '0 6 * * 1') and on workflow_dispatch.
- Scans TS source under src/ for action references using a stable regex, e.g. uses:\s*(['"]?)([\w.-]+/[\w.-]+)@([^\s'"]+).
- For each unique owner/repo, queries the GitHub Releases/Tags API for the latest stable release (skipping pre-releases unless explicitly allowed).
- Resolves the release tag to a full commit SHA, keeping the tag as a trailing comment (actions/checkout@ # v5.0.0) — this is the current OpenSSF / StepSecurity best practice.
- Updates the string literals in source.
- Runs npx projen build to regenerate snapshots / examples and verify nothing breaks.
- Opens (or updates) a single PR labeled dependencies + github-actions with a changelog-style body listing each bumped action and the diff in releases.
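An added example (not projen-pipelines code) of the scan, SHA-pin and inventory steps above in TypeScript, built on the issue's regex. It assumes the action refs sit in embedded YAML text (so the trailing tag comment is a YAML comment); the `latest` map is constructed sample data standing in for the GitHub Releases/Tags API lookup, and all SHAs are placeholders.

```typescript
// Added example (not projen-pipelines code): scan embedded workflow text for
// `uses:` references and rewrite each as a SHA-pinned ref with a tag comment.
export interface ActionRef { repo: string; ref: string; tag?: string }
export interface Resolved { tag: string; sha: string }

// The issue's regex, extended with an optional "# vX.Y.Z" trailing comment so
// refs that are already SHA-pinned can be re-pinned when their tag is stale.
const USES_RE = /uses:\s*(['"]?)([\w.-]+\/[\w.-]+)@([^\s'"]+)\1([ \t]*#[ \t]*(v[\w.-]+))?/g;

// Inventory every unique owner/repo@ref (for the PR-description inventory).
export function findActionRefs(source: string): ActionRef[] {
  const seen = new Map<string, ActionRef>();
  let m: RegExpExecArray | null;
  USES_RE.lastIndex = 0;
  while ((m = USES_RE.exec(source)) !== null) {
    const key = `${m[2]}@${m[3]}`;
    if (!seen.has(key)) seen.set(key, { repo: m[2], ref: m[3], tag: m[5] });
  }
  return [...seen.values()];
}

// Rewrite to `owner/repo@<sha> # <tag>`. Repos without release data and refs
// already at the latest SHA+tag are left untouched; every change is reported
// as an "old -> new" line for the changelog-style PR body.
export function pinActionRefs(source: string, latest: Map<string, Resolved>): { text: string; changes: string[] } {
  const changes: string[] = [];
  const text = source.replace(USES_RE, (whole, q, repo, ref, _c, tag) => {
    const target = latest.get(repo);
    if (!target) return whole;
    if (ref === target.sha && tag === target.tag) return whole;
    changes.push(`${repo}: ${tag ?? ref} -> ${target.tag}`);
    return `uses: ${q}${repo}@${target.sha}${q} # ${target.tag}`;
  });
  return { text, changes };
}

// Constructed sample input: YAML text as it would sit inside a TS template
// literal. The SHAs are placeholders, not real commits.
export const OLD_SHA = 'a'.repeat(40);
export const NEW_CHECKOUT_SHA = 'b'.repeat(40);
export const NEW_NODE_SHA = 'c'.repeat(40);
export const SAMPLE_SOURCE = `
      - uses: actions/checkout@v4
      - uses: actions/setup-node@${OLD_SHA} # v4.0.4
      - uses: aws-actions/configure-aws-credentials@v4
`;
export const SAMPLE_LATEST = new Map<string, Resolved>([
  ['actions/checkout', { tag: 'v5.0.0', sha: NEW_CHECKOUT_SHA }],
  ['actions/setup-node', { tag: 'v4.1.0', sha: NEW_NODE_SHA }],
]);
```

Running `pinActionRefs` a second time over its own output reports no changes, which is the no-op case the dry-run acceptance criterion asks for.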
Open Questions
- Scope: This issue covers actions generated by the GitHub engine. The GitLab and CodeCatalyst engines have analogous concerns (pinned image tags, included templates) — track those as separate issues.
- Consumer-side rollout: Should projen-pipelines also be able to emit this update workflow into downstream consumer projects (opt-in, via updateActionsWorkflow: true on the engine options), so that every generated pipeline benefits — not just this repo's own?
- Tooling: Build in-house, or wrap an existing tool like suzuki-shunsuke/pinact which already handles SHA-pinning and re-pinning on version updates? Pinact looks like a strong fit.
Acceptance Criteria
[ ] Scheduled workflow exists and runs green on main.
[ ] A dry-run against the current codebase produces a sensible PR (or no-op if everything is already latest).
[ ] All current action references in src/ are inventoried in the PR description.
[ ] Documentation in README.md (or docs/) describes the workflow and how maintainers should review its PRs.
[ ] (Stretch) updateActionsWorkflow option exposed on GithubCDKPipeline for downstream consumers.