feat: Add automated GitHub Actions pinning workflow#187
Draft
Adds a scheduled workflow that scans TypeScript source under src/ for `uses: 'owner/repo@ref'` literals, resolves each action to the latest stable release commit SHA, and opens a PR with the pinned updates. Closes #186 https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Converts the maintenance script from .mjs to .ts so it participates in the project's lint/type-check pipeline. Adds scripts/ to the dev tsconfig includes and to the eslint scope, and invokes the script via ts-node from the workflow. https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Replaces ts-node with tsx in the update-actions workflow, drops the default src argument, and has the script scan src/, .projen/, and .projenrc.ts for action references. Reworks the regex to also handle inline `{ name: ..., uses: ... }` entries without corrupting the surrounding properties. https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Relocates the action-pinning maintenance script into the main source tree so it's covered by the standard tsconfig and eslint scope without bespoke includes. Drops the now-unnecessary `scripts/` directory and its projenrc hooks; the workflow invokes the script at its new path. https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Adds an `update-github-actions` bin entry pointing at the compiled pinning script, and introduces `UpdateActionsWorkflow` as a reusable projen Component so downstream projects can add the same scheduled maintenance workflow to their own pipelines. This addresses the stretch goal from #186. The repo's own `.projenrc.ts` now consumes the new class with a `command` override that runs the script from source (since the bin isn't yet installed when this package builds itself). https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Downstream consumers of UpdateActionsWorkflow have their action references in `.projenrc.ts` and `.projen/` rather than in their application source, so the default now targets those paths only. `projen-pipelines` itself extends the list with `src` since it embeds action strings in its hand-authored library code. https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Covers default path scoping, custom paths/command/schedule/runner/labels/ branch/prerelease overrides, GitHub App token vs GITHUB_TOKEN fallback, job outputs, and the defensive error when github integration is disabled. Achieves 100% coverage for the new component. https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Refactors the script's core logic into testable @internal functions (isScannable, walk, collect, repoRoot, rewriteContent, renderSummary) gated behind `require.main === module` for the CLI entry point. The @internal JSDoc tag keeps them off the public jsii API surface. Adds 16 tests covering extension filtering, directory walking with mixed file/dir inputs, sub-path action resolution, standalone vs inline rewrite behavior, comment refresh, no-op on matching SHA, unresolved references, and the markdown summary format. https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Adds `.js`, `.cjs`, and `.mjs` to the scannable extensions so projects using `.projenrc.js` benefit from the same pinning maintenance. The default scan paths now include both `.projenrc.ts` and `.projenrc.js`; `collect` silently skips non-existent paths so either variant works without configuration. https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Lock128 reviewed Apr 20, 2026
| name: 'Set git identity', | ||
| run: [ | ||
| 'git config user.name "github-actions[bot]"', | ||
| 'git config user.email "41898282+github-actions[bot]@users.noreply.github.com"', |
Contributor
is this hardcoded id good?
Contributor
Author
afaik this is the "magic" number of the github-actions bot
Lock128 reviewed Apr 20, 2026
| }, | ||
| { | ||
| name: 'Create Pull Request', | ||
| uses: 'peter-evans/create-pull-request@v8', |
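Review bot: the `uses: 'peter-evans/create-pull-request@v8'` reference in this step is a floating tag, while the stated purpose of this PR is to pin action references to release commit SHAs; pin this one too (with the version kept as a trailing comment, as the script does for the references it rewrites) so the workflow introduced here is not itself left to tag drift, or state why the workflow's own steps are outside the scan.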
Contributor
Author
Might switch to "gh pr create" later. afair projen is migrating right now.
Lock128 reviewed Apr 20, 2026
| '', | ||
| '*Automatically created by the `update-actions` workflow.*', | ||
| ].join('\n'), | ||
| 'author': 'github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>', |
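Review bot: the bot identity literal `github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>` is written out here as the `author` value and again, split across `git config user.name` and `git config user.email`, in the "Set git identity" step of the same workflow; hoist it into one named constant so the two cannot diverge and so the reviewer's question about the hardcoded id has a single place where the answer is documented.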
Contributor
Author
afaik this is the "magic" number of the github-actions bot
Description
Adds a scheduled workflow and supporting tooling to automatically pin GitHub Action references to their latest stable release commit SHAs. This addresses the challenge that action references embedded as TypeScript string literals in `src/` are invisible to Dependabot and Renovate, causing versions to drift over time.
Changes
- New script: `src/security/update-github-actions.ts`, a Node.js CLI tool that scans for `uses: 'owner/repo@ref'` literals
- New workflow: `.github/workflows/update-actions.yml`, which runs weekly (Monday 06:00 UTC) and on manual dispatch:
  - `upgrade` job: runs the pinning script, regenerates the project, and creates a patch artifact
  - `pr` job: downloads the patch and opens a PR with the changes using a GitHub App token
- Configuration: updated `.projenrc.ts` to define the workflow and added `tsx` as a build dependency for running TypeScript directly
- Documentation: added a new "Maintenance" section to `README.md` explaining the workflow, how to run the script locally, and how to review resulting PRs
Motivation
Generated GitHub Actions workflows in this repository reference actions as string literals (e.g., `actions/checkout@v6`). Unlike real workflow YAML files, these are not tracked by Dependabot or Renovate, leading to stale action versions and potential security gaps. This automation keeps pinned actions current by resolving them to the latest stable release SHAs on a weekly schedule.
Test Plan
The workflow is configured to run on schedule and via `workflow_dispatch`. Manual testing can be performed locally:
GH_TOKEN=$(gh auth token) npx tsx src/security/update-github-actions.ts src .projen .projenrc.ts
The generated workflow will be validated by CI on merge.
https://claude.ai/code/session_01Avf49PnGcNWmgpViU3uzyE
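As an added example (not code from this PR or from projen-pipelines), the following sketches the rewrite step the description refers to and the inline-entry pitfall the commit history mentions; the injected resolver (standing in for a GitHub API lookup), the `// vX` and `/* vX */` comment conventions, and the sample SHAs are all this example's assumptions.

```typescript
// Added example (not the PR's own script): the rewrite step that pins
// `uses: 'owner/repo@ref'` literals in TypeScript source to release SHAs.
// Resolution is an injected lookup so it runs offline; the `// vX` and
// `/* vX */` comment conventions are this example's assumption.
interface Release { sha: string; version: string } // SHA the tag points at, tag name
type Resolver = (repo: string) => Release | undefined;
interface RewriteResult { content: string; changed: string[]; unresolved: string[] }

// One reference per line: uses: 'owner/repo[/sub/path]@ref'
const USES_RE = /(uses:\s*)(['"])([\w.-]+\/[\w.-]+)((?:\/[\w.-]+)*)@([^'"\s]+)\2/;

function rewriteContent(source: string, resolve: Resolver): RewriteResult {
  const changed: string[] = [];    // `owner/repo@oldRef` entries rewritten
  const unresolved: string[] = []; // references the resolver could not map
  const lines = source.split('\n').map((line) => {
    const m = USES_RE.exec(line);
    if (!m) return line;
    const [literal, prefix, q, repo, sub, ref] = m;
    const release = resolve(repo);
    // Unknown actions are reported and left untouched rather than guessed at.
    if (!release) { unresolved.push(`${repo}${sub}@${ref}`); return line; }
    const pinned = `${prefix}${q}${repo}${sub}@${release.sha}${q}`;
    let rest = line.slice(m.index + literal.length);
    if (/^\s*,?\s*(\/\/.*)?$/.test(rest)) {
      // Standalone property: the literal ends the line, so a line comment is
      // safe; an older `// vX` comment is refreshed rather than stacked.
      rest = `${/^\s*,/.test(rest) ? ',' : ''} // ${release.version}`;
    } else {
      // Inline `{ name: ..., uses: ... }` entry: code follows on the line, so
      // use a block comment; a `//` comment would swallow the closing `}`.
      rest = ` /* ${release.version} */` + rest.replace(/^\s*\/\*.*?\*\//, '');
    }
    const out = line.slice(0, m.index) + pinned + rest;
    if (out !== line) changed.push(`${repo}${sub}@${ref}`);
    return out;
  });
  return { content: lines.join('\n'), changed, unresolved };
}

// Constructed sample input: placeholder SHAs and a source fragment, not real data.
const SAMPLE_RELEASES: Record<string, Release> = {
  'actions/checkout': { sha: '1'.repeat(40), version: 'v6.0.0' },
  'actions/setup-node': { sha: '2'.repeat(40), version: 'v4.4.0' },
};
const SAMPLE_SOURCE = [
  "  uses: 'actions/checkout@v6',",
  "  { name: 'Setup Node', uses: 'actions/setup-node@v4' },",
  "  uses: 'example-org/unknown-action@v1',",
].join('\n');
const SAMPLE_RESULT = rewriteContent(SAMPLE_SOURCE, (repo) => SAMPLE_RELEASES[repo]);
```

Running the rewrite a second time over its own output changes nothing, which is the no-op-on-matching-SHA behaviour a scheduled job relies on to avoid opening empty PRs.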