Commit c42017f

docs(standards): address Copilot review — SHA-pin rationale and adoption guidance

- Add explicit comment that no semver tags exist for this internal reusable workflow, so SHA pinning is intentional (not a deviation from @v1 guidance that applies to external actions)
- Include lookup command so maintainers know how to get the current SHA
- Clarify "To adopt" line to point at standards/ template and warn against copying the local-ref .github/workflows/ version

Addresses Copilot review comments on PR #145.

Co-authored-by: Don Petry <don-petry@users.noreply.github.com>

1 parent 5a086da commit c42017f

1 file changed

Lines changed: 8 additions & 1 deletion

standards/workflows/dependabot-rebase.yml

@@ -8,6 +8,10 @@
88
# lives in the reusable workflow above.
99
# • You MAY change: the SHA in the `uses:` line when upgrading the reusable
1010
# workflow version (bump SHA to latest main of petry-projects/.github).
11+
# • SHA-pinned intentionally (not @v1): no semver tags are maintained for
12+
# this internal reusable workflow. Downstream repos pin to a specific
13+
# commit SHA and bump deliberately. To look up the current SHA:
14+
# gh api repos/petry-projects/.github/branches/main --jq '.commit.sha'
1115
# • You MUST NOT change: trigger event, the concurrency group name,
1216
# the explicit secrets block, or the job-level `permissions:` block —
1317
# reusable workflows can be granted no more permissions than the calling
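Review bot: The lookup command on new lines 13-14 returns whatever the tip of main is at that moment, so "bump deliberately" has no review step behind it: a maintainer who runs it and pastes the result pins to code nobody has read, and that code runs with the secrets block and job-level `permissions:` described just below. Suggest adding a comment line telling maintainers to read the changes between the currently pinned SHA and the new one before editing the `uses:` line, and to paste the full SHA the command prints, not an abbreviated one.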
@@ -18,7 +22,10 @@
1822
# ─────────────────────────────────────────────────────────────────────────────
1923
#
2024
# Dependabot update-and-merge — thin caller for the org-level reusable.
21-
# To adopt: copy this file to .github/workflows/dependabot-rebase.yml in your repo.
25+
# To adopt: copy THIS file (standards/workflows/dependabot-rebase.yml) to
26+
# .github/workflows/dependabot-rebase.yml in your repo. Do NOT copy
27+
# .github/workflows/dependabot-rebase.yml from this repo — that file uses a
28+
# local ref only valid in the source-of-truth repo.
2229
# Required org/repo secrets (inherited):
2330
# APP_ID — GitHub App ID with contents:write and pull-requests:write
2431
# APP_PRIVATE_KEY — GitHub App private key
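Review bot: The warning on new lines 25-28 depends on the reader telling apart two files with the same name, and it gives no way to check afterwards which one was copied. Suggest adding a verification line, for example that the `uses:` line in the copied file must reference petry-projects/.github at a commit SHA and not a local path. This caller passes APP_ID and APP_PRIVATE_KEY to whatever that line resolves to, so the check is worth one more comment line.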
