v0.0.12

github-actions released this 22 Jan 16:38
· 5 commits to main since this release
1e63abf

🩹 [Patch]: Pin GitHub Actions to specific versions for improved security (#23)

GitHub Actions are now pinned to specific commit SHAs instead of version tags, improving security by preventing supply chain attacks through tag manipulation. Additionally, Dependabot has been configured to run daily with a 7-day cooldown to keep dependencies up-to-date automatically.

GitHub Actions SHA pinning

All workflow files now reference actions by their full commit SHA rather than version tags. This ensures workflows always use a verified, immutable version of each action.

Changed actions:

  • actions/checkout@v5 → actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 (v6.0.1)
  • PSModule/Auto-Release@v1 → PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 (v1.9.5)
  • super-linter/super-linter@latest → super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 (v8.3.2)
  • PSModule/GitHub-Script@v1 → PSModule/GitHub-Script@2010983167dc7a41bcd84cb88e698ec18eccb7ca (v1.7.8)
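
A check that keeps the pinning from regressing, as an added example (not part of this release or the project's own code): it scans workflow text for `uses:` references that are not a full 40-character commit SHA. The name `audit_workflow` and the sample workflow are constructed for illustration; the action references in the sample are the ones listed above.

```python
import re

# A step's "uses:" value, optionally quoted, optionally followed by "# vX.Y.Z".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_number, reference, problem) for each action reference
    that is not pinned to an immutable identifier."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        reference = match.group(1)
        if reference.startswith("./"):
            continue  # local action, versioned with the repository itself
        if reference.startswith("docker://"):
            if "@sha256:" not in reference:
                findings.append((number, reference, "image not pinned by digest"))
            continue
        _, at, ref = reference.partition("@")
        if not at:
            findings.append((number, reference, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(ref):
            # Tags, branches and abbreviated SHAs all land here.
            findings.append((number, reference, "ref '%s' is not a full commit SHA" % ref))
    return findings


# Constructed sample workflow mixing the old and new references from this release.
SAMPLE = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: super-linter/super-linter@latest
      - name: Release
        uses: PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 # v1.9.5
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for number, reference, problem in audit_workflow(SAMPLE):
        print("line %d: %s (%s)" % (number, reference, problem))
```

Run over each file in `.github/workflows/`, a non-empty result can fail a CI job so that a tag reference does not slip back in through a later change.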

Dependabot configuration

Dependabot now checks for updates daily with a 7-day cooldown between updates, replacing the previous weekly schedule. This provides faster awareness of security updates while avoiding excessive noise.

schedule:
  interval: daily
cooldown:
  default-days: 7

Linter configuration

Added configuration to disable validation checks that are not applicable to this repository:

  • VALIDATE_BIOME_FORMAT: false
  • VALIDATE_JSCPD: false