Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/check-buildah-remote.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,9 @@ jobs:
name: Check Buildah Remote
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-pinning-consistency

The file uses actions/checkout@v7.0.0 (specific patch), maintaining per-file consistency with the prior v6.0.2 pin. The codebase-wide inconsistency between major-only and patch-specific pinning is pre-existing.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] versioning-convention-inconsistency

The SHA-pinned files and tag-based files represent two intentionally different management groups. Consider adopting SHA-pinning for the Renovate-managed files as well for supply-chain security.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] patch-version-inconsistency

Within the tag-based references, some files use @v7.0.0 (exact patch) while others use @v7 (major only). This mirrors the pre-existing pattern and has no functional impact but could be standardized.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] inconsistent-version-format

Mixed version formats within the PR: some files use v7.0.0 (full semver), others use v7 (major-only). This mirrors the pre-existing pattern (v6.0.2 vs v6) preserved by Renovate.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-pinning-inconsistency

The PR uses tag references (v7, v7.0.0) while some other workflow files use SHA pinning. The modified files already used tag references before this PR, so the convention is maintained.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-pinning-convention

The repository has two intentionally distinct groups of workflows: templated files using SHA-pinning (in Renovate ignorePaths) and locally-maintained workflows using tag-based references (managed by Renovate). This PR maintains the pre-existing tag-based pattern — no new inconsistency is introduced.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[info] edge cases

The v7 breaking change ('Block checking out fork PR for pull_request_target and workflow_run') does not affect any of the six modified workflows, as none use pull_request_target or workflow_run triggers.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-pinning-consistency

Pre-existing inconsistent version pinning pattern. These 6 locally-managed workflows use tag-based pinning (@v7/@v7.0.0) while externally-templated workflows use SHA hash pinning. Not introduced by this PR.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] action-version-pinning-convention

The repository has two groups of workflow files: SHA-pinned versions managed outside Renovate via ignorePaths, and tag-based versions managed by Renovate with automerge. This PR correctly updates the Renovate-managed group from v6 to v7, but perpetuates the tag-vs-SHA inconsistency across all 6 changed files. This is a pre-existing architectural decision, not a defect introduced by this PR.

Suggested fix: Consider migrating all workflow files to SHA-pinned versions for supply-chain security consistency.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version format consistency

Inconsistent version tag format within this PR: check-buildah-remote.yaml and go-ci.yaml use v7.0.0 while check-readmes.yaml, check-task-owners.yaml, verify-dead-code.yaml, and yaml-lint.yaml use v7. This mirrors the pre-existing v6.0.2 vs v6 pattern.

Suggested fix: Standardize on a single version format (either v7.0.0 or v7) across all non-templated workflow files.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-pinning-inconsistency

Non-templated workflows use two version pinning patterns: @v7.0.0 (check-buildah-remote.yaml, go-ci.yaml) and @v7 (check-readmes.yaml, check-task-owners.yaml, verify-dead-code.yaml, yaml-lint.yaml). This inconsistency pre-dates this PR — the same files previously used @v6.0.2 vs @v6 respectively. Renovate correctly preserves each file's existing pinning style.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] version-pinning-convention

Six workflow files use tag-based action references (@v7, @v7.0.0) while other workflows use SHA-pinned references. This is a pre-existing condition — each file preserves its prior pinning format — but represents an opportunity to standardize for supply-chain security.

Suggested fix: Consider SHA-pinning all checkout references (actions/checkout@ # v7.0.0) for consistency with the subset of workflows that already use SHA pins.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-pinning-convention

Renovate-managed workflow files use tag-based pinning (v7/v7.0.0) rather than SHA-hash pinning used in other workflow files. This is a pre-existing, intentional split confirmed by renovate.json ignorePaths configuration — not a regression introduced by this PR.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] dependency-update-pattern

Non-templated workflow files use tag-based action references while templated files use SHA-pinned references with version comments. This creates two different security postures, though the split is pre-existing and likely intentional.

- name: Install Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v7.0.0
with:
go-version-file: './task-generator/remote/go.mod'
- name: Check buildah remote
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/check-readmes.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-pinning-consistency

The file updates actions/checkout@v6 to v7, maintaining the major-version-only pinning style. The codebase-wide inconsistency is pre-existing and unrelated to this PR.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-format-inconsistency

Inconsistent version tag format within this PR: some files use v7.0.0 while others use v7. This mirrors the pre-existing pattern (v6.0.2 vs v6) and is not introduced by this PR.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-precision-consistency

Uses major-only version 'v7' while other files in the PR use 'v7.0.0'. This is a pre-existing inconsistency (was 'v6' vs 'v6.0.2') preserved by Renovate's per-file update strategy, not a regression. Consider standardizing version precision across non-templated workflow files.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-precision-consistency

Inconsistent version precision within this PR: some files use major-only version (v7) while others use full semantic versions (v7.0.0). This mirrors the pre-existing inconsistency — Renovate preserves each file's original precision style. Cosmetic only.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] versioning-convention

Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0).

Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0


- name: Install oc
run: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/check-task-owners.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] versioning-convention

Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0).

Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0


- name: Check task owners
run: |
Expand Down
12 changes: 6 additions & 6 deletions .github/workflows/go-ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,8 @@ jobs:
- task-generator/remote
- task-generator/trusted-artifacts
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/setup-go@v6.4.0
- uses: actions/checkout@v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[info] version-pinning-consistency

The file updates actions/checkout@v6.0.2 to v7.0.0, maintaining the specific patch version pattern consistent with actions/setup-go@v6.4.0.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] version-reference-consistency

Inconsistent actions/checkout version format within non-templated workflows. go-ci.yaml and check-buildah-remote.yaml use patch-level tags (@v7.0.0) while check-readmes.yaml, check-task-owners.yaml, verify-dead-code.yaml, and yaml-lint.yaml use major-only tags (@v7). This is a pre-existing inconsistency that Renovate faithfully preserves.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[medium] inconsistent-dependency-versioning

The actions/checkout action is pinned inconsistently across workflow files. After this PR merges, the repository will have three different pinning styles: SHA-pinned v6.0.1 (in workflow files excluded from this Renovate group), major version tag v7 (4 files), and full semver v7.0.0 (2 files). This pre-existing inconsistency is perpetuated by the update.

Suggested fix: Standardize on one versioning approach across all workflow files managed by Renovate's github-actions group.

- uses: actions/setup-go@v7.0.0
with:
go-version-file: './${{matrix.path}}/go.mod'
cache-dependency-path: ./${{matrix.path}}/go.sum
Expand All @@ -33,9 +33,9 @@ jobs:
- task-generator/remote
- task-generator/trusted-artifacts
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@v7.0.0
- name: Install Go
uses: actions/setup-go@v6.4.0
uses: actions/setup-go@v7.0.0
with:
go-version-file: './${{matrix.path}}/go.mod'
cache-dependency-path: ./${{matrix.path}}/go.sum
Expand Down Expand Up @@ -77,8 +77,8 @@ jobs:
- task-generator/remote
- task-generator/trusted-artifacts
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/setup-go@v6.4.0
- uses: actions/checkout@v7.0.0
- uses: actions/setup-go@v7.0.0
with:
go-version-file: './${{matrix.path}}/go.mod'
cache-dependency-path: ./${{matrix.path}}/go.sum
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/verify-dead-code.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] versioning-convention

Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0).

Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0

with:
fetch-depth: 0

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/yaml-lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,6 @@ jobs:
yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[info] edge-case

actions/checkout v7.0.0 blocks checking out fork PRs for pull_request_target and workflow_run triggers. None of the 6 modified workflows use those triggers, so this is safe.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] versioning-convention

Inconsistent action version format: uses @v7 (major-only) while other workflows use @v7.0.0 (full semantic version). This pre-existing inconsistency could be standardized to match the convention used by other actions (e.g., actions/setup-go@v6.4.0).

Suggested fix: Change actions/checkout@v7 to actions/checkout@v7.0.0

- name: Lint YAML files
run: yamllint .
Loading