build(deps): bump action SHAs + resolve 3 supply-chain TODOs #15

Draft
bryanfawcett wants to merge 1 commit into main from claude/sleepy-albattani-lkc8v2

build(deps): bump action SHAs + resolve 3 supply-chain TODOs#15
bryanfawcett wants to merge 1 commit into
mainfrom
claude/sleepy-albattani-lkc8v2

Conversation

@bryanfawcett

Contributor

Summary

Enterprise supply-chain hardening pass: incorporates the open Dependabot PR #14 SHA bumps and resolves the 3 TODO(supply-chain) pins that were left in the tree because the SHA values weren't yet known at authoring time. Zero floating action tags remain in the org's reusable workflows after this PR.

SHA bumps (from Dependabot PR #14 — incorporated directly)

| Action | From | To | Files |
| --- | --- | --- | --- |
| actions/checkout | v6.0.2 (de0fac2e) | v6.0.3 (df4cb1c0) | 12 workflow files |
| pnpm/action-setup | v6.0.2 (71c92474) | v6.0.8 (0e279bb9) | docs-mdx, nextjs |
| astral-sh/setup-uv | v8.1.0 (08807647) | v8.2.0 (fac544c0) | python-monorepo ×4 |
| github/codeql-action | v4.35.2 (95e58e9a) | v4.36.2 (8aad20d1) | codeql ×3, scorecard |
| actions/dependency-review-action | v4.9.0 (2031cfc0) | v5.0.0 (a1d282b3) | dependency-review |
| DavidAnson/markdownlint-cli2-action | v23.0.0 (ce4853d4) | v23.2.0 (ded1f948) | lint |
| actions/stale | v10.2.0 (b5d41d4e) | v10.3.0 (eb5cf3af) | stale |

TODO SHA pins resolved (NA-03 §7.1.1)

These three pins were left as TODO stubs in the original PR because SHA resolution required a live GitHub API call. All three are now fully pinned:

  • ossf/scorecard-action@v2 → v2.4.3 (4eaacf05) — in reusable-openssf-scorecard.yml
  • actions/upload-artifact@v4 → v7.0.1 (043fb46d) — in reusable-openssf-scorecard.yml; also brings forward the major-version bump that Dependabot PR #14 would have applied as a floating @v7 tag
  • foundry-rs/foundry-toolchain@v1 → v1.8.0 (c7450ba6) — in reusable-ci-solidity.yml ×4

ORG_SETTINGS.md

  • Secret scanning non-provider patterns: corrected from "Enabled for public repos" → "Enabled org-wide" (private repos should have the same coverage per the intended security posture)

Test plan

Breaking changes

actions/dependency-review-action v4 → v5 is a major bump. The action's interface in this workflow is limited to fail-on-severity and comment-summary-in-pr inputs, both of which are unchanged in v5. No caller-side changes needed.

https://claude.ai/code/session_01BpyforRsUYR5iVDTrP9YKh


Generated by Claude Code
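A check for the "zero floating action tags" claim in the description above, added here as an example and not code from this PR or the org's workflows: it scans workflow text for `uses:` references and reports floating tags or branches, abbreviated SHAs, full SHAs that lack a `# vX.Y.Z` version comment, and leftover TODO markers of the kind this PR resolves. The sample workflow and its 40-hex SHAs are constructed placeholders, not real commits.

```python
import re
from typing import List, Optional, Tuple

# `uses: owner/repo[/path]@ref  # optional comment`; quotes around the ref are tolerated.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@"""
    r"""(?P<ref>[^\s#"']+)["']?\s*(?:#\s*(?P<comment>.*))?$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_RE = re.compile(r"\bv?\d+(\.\d+)*\b")

def classify(ref: str, comment: Optional[str]) -> List[str]:
    """Problems with one `@ref # comment` pin; an empty list means the pin is clean."""
    problems = []
    if FULL_SHA_RE.match(ref):
        # A full SHA is immutable, but without a `# vX.Y.Z` comment reviewers
        # cannot tell which release it corresponds to.
        if not (comment and VERSION_RE.search(comment)):
            problems.append("full SHA without a version comment")
    elif SHORT_SHA_RE.match(ref):
        problems.append("abbreviated SHA; pin the full 40-character commit")
    else:
        problems.append(f"floating ref {ref!r}: a tag or branch can be moved to another commit")
    if comment and "TODO" in comment:
        problems.append("unresolved TODO marker in pin comment")
    return problems

def audit_workflow(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, action, ref, problem) tuples; local ./ and docker:// steps have no @ref and are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            for problem in classify(m["ref"], m["comment"]):
                findings.append((line_no, m["action"], m["ref"], problem))
    return findings

# Constructed sample workflow; the 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.3
      - uses: ossf/scorecard-action@v2  # TODO(supply-chain): pin SHA
      - uses: pnpm/action-setup@0e279bb9  # v6.0.8
      - uses: actions/upload-artifact@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: ./.github/actions/local-step
"""
```

Run `audit_workflow` over each file under `.github/workflows/` in CI and fail the job when the list is non-empty; only the `actions/checkout` line in the sample passes.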

Applies the Dependabot #14 SHA bumps (8 actions across 12 workflow
files) and resolves the 3 outstanding TODO(supply-chain) pins that
Dependabot does not track:

SHA bumps (from Dependabot PR #14):
- actions/checkout          v6.0.2 → v6.0.3 (df4cb1c)
- pnpm/action-setup         v6.0.2 → v6.0.8 (0e279bb)
- astral-sh/setup-uv        v8.1.0 → v8.2.0 (fac544c)
- github/codeql-action      v4.35.2 → v4.36.2 (8aad20d)
- actions/dependency-review-action v4.9.0 → v5.0.0 (a1d282b)
- DavidAnson/markdownlint-cli2-action v23.0.0 → v23.2.0 (ded1f94)
- actions/stale             v10.2.0 → v10.3.0 (eb5cf3a)

TODO SHA pins resolved (NA-03 §7.1.1):
- ossf/scorecard-action@v2 → v2.4.3 SHA (4eaacf0)
- actions/upload-artifact@v4 → v7.0.1 SHA (043fb46)
  (major-version bump; v7 is the current stable)
- foundry-rs/foundry-toolchain@v1 → v1.8.0 SHA (c7450ba) ×4
  (all four uses in reusable-ci-solidity.yml)

ORG_SETTINGS.md:
- Secret scanning non-provider patterns: "Enabled for public repos"
  → "Enabled org-wide" (correct intended state)

Closes #14 (Dependabot PR incorporated directly).

https://claude.ai/code/session_01BpyforRsUYR5iVDTrP9YKh