Skip to content

Commit 75cf8f4

Browse files
committed
Auto-sync version comments after Dependabot Actions bumps
When Dependabot updates a SHA pin on a uses: line that carries a trailing `# zizmor: ignore[...]` comment, its comment-rewriter often chokes and leaves the `# vX.Y.Z` version comment stale. zizmor's ref-version-mismatch audit then turns red until the comment is fixed by hand — see PR #70 for an example. Add a workflow that fires on every push to dependabot/github_actions/**, runs `zizmor --fix=safe .github/workflows`, and pushes a fixup commit back to the dependabot branch when there's anything to fix. Modeled on the `basecamp/fizzy` repo's `dependabot-sync-saas-lockfile.yml` pattern (push trigger, contents: write, `git diff --cached --quiet` guard to prevent loops). zizmor's CLI is installed via the prebuilt linux-x86_64 tarball at a pinned version since the official zizmorcore/zizmor-action exposes only audit-shaped inputs and cannot apply fixes.
1 parent b7afa5c commit 75cf8f4

1 file changed

Lines changed: 40 additions & 0 deletions

File tree

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
name: Sync Action version comments
2+
3+
on:
4+
push:
5+
branches: ["dependabot/github_actions/**"]
6+
paths:
7+
- ".github/workflows/*.yml"
8+
- ".github/workflows/*.yaml"
9+
10+
permissions: {}
11+
12+
jobs:
13+
sync:
14+
name: Sync version comments
15+
runs-on: ubuntu-latest
16+
permissions:
17+
contents: write
18+
steps:
19+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] -- credentials needed for git push
20+
21+
- name: Install zizmor
22+
env:
23+
ZIZMOR_VERSION: 1.24.1
24+
run: |
25+
curl -fsSL \
26+
"https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz" \
27+
| sudo tar xz -C /usr/local/bin
28+
29+
- name: Apply safe fixes (e.g. ref-version-mismatch)
30+
run: zizmor --fix=safe .github/workflows
31+
32+
- name: Commit and push fixups
33+
run: |
34+
git add .github/workflows
35+
if ! git diff --cached --quiet; then
36+
git config user.name "github-actions[bot]"
37+
git config user.email "github-actions[bot]@users.noreply.github.com"
38+
git commit -m "Sync version comments after Dependabot Actions bump"
39+
git push
40+
fi

0 commit comments

Comments
 (0)