Skip to content

fix: update pnpm/action-setup to v4 and enable dependabot#176

Merged
kpj2006 merged 2 commits into
AOSSIE-Org:mainfrom
Atharva0506:fix/pnpm-action-setup-sha
Jul 19, 2026
Merged

fix: update pnpm/action-setup to v4 and enable dependabot#176
kpj2006 merged 2 commits into
AOSSIE-Org:mainfrom
Atharva0506:fix/pnpm-action-setup-sha

Conversation

@Atharva0506

@Atharva0506 Atharva0506 commented Jul 16, 2026

Copy link
Copy Markdown
Member

Addressed Issues:

Fixes #(issue number)

Root Cause

The workflow was pinning pnpm/action-setup to commit SHA fe02f34f... which corresponded to v3. The pnpm/action-setup maintainers have since removed/force-pushed the v3 branch, making that commit SHA unreachable. This is a known risk when pinning actions to commit SHAs without an automated dependency updater.

Screenshots/Recordings:

Additional Notes:

  1. Updated SHA: Changed the pinned SHA to b906affcce14559ad1aafd4ab0e942779e9f58b1 which is the commit behind the current v4 tag. The v4 API is backward-compatible with v3 for our use case.
  2. Enabled Dependabot: Added .github/dependabot.yml to automatically monitor and create PRs for GitHub Actions and npm/pnpm dependency updates. This ensures our pinned SHAs are safely kept up-to-date in the future.

Changes

  • .github/workflows/version-release.yml: Updated pnpm/action-setup from @fe02f34f... (v3, deleted) → @b906affc... (v4, current)
  • .github/dependabot.yml: Added configuration for github-actions and npm package ecosystems.

Checklist

  • My code follows the project's code style and conventions
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contributing Guidelines

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact. AI slop is strongly discouraged and may lead to banning and blocking. Do not spam our repos with AI slop.

Summary by CodeRabbit

  • Chores
    • Added weekly automated update checks for GitHub Actions and npm dependencies (including the landing page).
    • Updated the release workflow to use a newer pnpm setup action version.

@github-actions github-actions Bot added no-issue-linked PR is not linked to any issue ci-cd CI/CD pipeline changes configuration Configuration file changes github-actions GitHub Actions workflow changes size/S Small PR (11-50 lines changed) repeat-contributor PR from an external contributor who already had PRs merged needs-review labels Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 276ed74a-5721-4069-9a71-1f3e254f59be

📥 Commits

Reviewing files that changed from the base of the PR and between 11f9e3b and 90b7c2e.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • .github/workflows/version-release.yml

Walkthrough

Adds weekly Dependabot checks for GitHub Actions and npm dependencies, and updates the release workflow to use a newer pinned pnpm setup action revision.

Changes

Dependency maintenance

Layer / File(s) Summary
Dependency update automation
.github/dependabot.yml
Dependabot checks GitHub Actions and npm dependencies weekly for the repository root and landing page, using chore(deps) commit prefixes.
Release workflow setup pin
.github/workflows/version-release.yml
The publish workflow uses a newer pinned pnpm setup action revision.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Poem

A rabbit found a tidy trail,
Where weekly updates hop the rail.
Pnpm wears a newer pin,
Release steps gently spring ahead.
“Chore deps!” the bunny sings.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the pnpm/action-setup update and the new Dependabot configuration.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@kpj2006 kpj2006 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed and lgtm

@kpj2006
kpj2006 merged commit d8badc9 into AOSSIE-Org:main Jul 19, 2026
6 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci-cd CI/CD pipeline changes configuration Configuration file changes github-actions GitHub Actions workflow changes needs-review no-issue-linked PR is not linked to any issue repeat-contributor PR from an external contributor who already had PRs merged size/S Small PR (11-50 lines changed)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants