Merged
53 changes: 53 additions & 0 deletions .github/workflows/dependabot-sync-actions-comments.yml
@@ -0,0 +1,53 @@
name: Sync Action version comments

on:
push:
branches: ["dependabot/github_actions/**"]
paths:
- ".github/workflows/*.yml"
- ".github/workflows/*.yaml"

permissions: {}

jobs:
sync:
name: Sync version comments
runs-on: ubuntu-latest
permissions:
contents: write
actions: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] -- credentials needed for git push

- name: Install zizmor
env:
ZIZMOR_VERSION: 1.24.1
ZIZMOR_SHA256: a8000f3c683319a523d3b20df0e75457ba591f049cfcbfa98966631b56733c03
run: |
cd "$RUNNER_TEMP"
curl -fsSL -o zizmor.tar.gz \
"https://github.com/zizmorcore/zizmor/releases/download/v${ZIZMOR_VERSION}/zizmor-x86_64-unknown-linux-gnu.tar.gz"
echo "${ZIZMOR_SHA256} zizmor.tar.gz" | sha256sum --check --status
mkdir -p zizmor-bin
tar xz --no-same-owner --no-same-permissions -C zizmor-bin -f zizmor.tar.gz
echo "${RUNNER_TEMP}/zizmor-bin" >> "$GITHUB_PATH"

- name: Apply safe fixes (e.g. ref-version-mismatch)
run: zizmor --fix=safe .github/workflows

- name: Commit, push, and re-trigger CI
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git add .github/workflows
if ! git diff --cached --quiet; then
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git commit -m "Sync version comments after Dependabot Actions bump"
git push

# GITHUB_TOKEN-authored pushes don't trigger workflow runs, except
# for workflow_dispatch / repository_dispatch. Re-dispatch test.yml
# on the new HEAD so the audit check appears on the PR.
gh workflow run test.yml --ref "$GITHUB_REF_NAME"
fi
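Review bot: The `sync` job has no actor check, so any push to a branch matching `dependabot/github_actions/**` that touches a workflow file runs it with `contents: write` and `actions: write`, and with the checkout credentials kept for `git push`. Consider gating the job with `if: github.actor == 'dependabot[bot]'` so the write-scoped token is only used for Dependabot's own pushes. Separately, in the last two steps everything `zizmor --fix=safe .github/workflows` changes is staged by `git add .github/workflows` and committed as "Sync version comments after Dependabot Actions bump". The step name itself says ref-version-mismatch is only one example of a safe fix, so either restrict what gets committed to the comment sync or word the commit message to cover any safe fix that was applied.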