fix: update pnpm/action-setup to v4 and enable dependabot#176
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughAdds weekly Dependabot checks for GitHub Actions and npm dependencies, and updates the release workflow to use a newer pinned pnpm setup action revision. ChangesDependency maintenance
Estimated code review effort: 1 (Trivial) | ~5 minutes Poem
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Addressed Issues:
Fixes #(issue number)
Root Cause
The workflow was pinning
pnpm/action-setupto commit SHAfe02f34f...which corresponded to v3. Thepnpm/action-setupmaintainers have since removed/force-pushed the v3 branch, making that commit SHA unreachable. This is a known risk when pinning actions to commit SHAs without an automated dependency updater.Screenshots/Recordings:
Additional Notes:
b906affcce14559ad1aafd4ab0e942779e9f58b1which is the commit behind the current v4 tag. The v4 API is backward-compatible with v3 for our use case..github/dependabot.ymlto automatically monitor and create PRs for GitHub Actions andnpm/pnpmdependency updates. This ensures our pinned SHAs are safely kept up-to-date in the future.Changes
.github/workflows/version-release.yml: Updatedpnpm/action-setupfrom@fe02f34f...(v3, deleted) →@b906affc...(v4, current).github/dependabot.yml: Added configuration forgithub-actionsandnpmpackage ecosystems.Checklist
We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact. AI slop is strongly discouraged and may lead to banning and blocking. Do not spam our repos with AI slop.
Summary by CodeRabbit