Two supply-chain hardening changes with no functional impact:
1. Pin actions/checkout to commit SHA in copilot-setup-steps.yml
.github/workflows/copilot-setup-steps.yml referenced actions/checkout@v6 — a mutable tag that can silently point to a different commit after a repository force-push. Every other workflow in this repo already pins to an immutable commit SHA.
Change: actions/checkout@v6 → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
This matches the SHA used across agentics-maintenance.yml, daily-plan.lock.yml, and all other lock files.
2. Add .github/dependabot.yml
No Dependabot configuration existed. Without it, GitHub Actions version drift accumulates silently — the only way to detect it is a manual audit.
The new config enables weekly automated PRs (Monday) for outdated Actions, labelled dependencies. This catches version bumps automatically and surfaces them as PRs for maintainer review.
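Added example, not the repository's own code and not part of the Repo Assist patch: a small Python helper that implements the two checks this description relies on. find_unpinned_uses() lists every `uses:` reference in a workflow that is not pinned to a full 40-hex commit SHA (the audit that found the single unpinned action above), and ensure_dependabot_config() creates a .github/dependabot.yml with the weekly, Monday, "dependencies"-labelled github-actions schedule described. Function names, the file layout under a repo root, and SAMPLE_WORKFLOW are assumptions; the pinned SHA in the sample is the v6.0.2 commit this change pins to.

```python
"""Added example, not the repository's own code: audit helpers for the two
hardening steps above. find_unpinned_uses() flags `uses:` references that are
not pinned to a 40-hex commit SHA; ensure_dependabot_config() creates a
.github/dependabot.yml with the weekly github-actions schedule described.
Function names, file layout and SAMPLE_WORKFLOW are assumptions."""
import re
import tempfile
from pathlib import Path

# "uses:" step line, optionally quoted, with any trailing "# comment" ignored.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Dependabot config matching this description: weekly PRs on Monday for the
# github-actions ecosystem, labelled "dependencies" (constructed here).
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    labels:
      - "dependencies"
"""

# Constructed sample workflow: one mutable tag, one SHA pin (the v6.0.2 commit
# this change pins to), one local action and one docker image.
SAMPLE_WORKFLOW = """\
jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6   # mutable tag: flagged
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./.github/actions/local-step   # local path: nothing to pin
      - uses: docker://alpine:3.20   # image ref: out of scope for this check
      - run: echo done
"""


def find_unpinned_uses(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for each action not pinned to a SHA."""
    unpinned = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and docker images carry no Git ref to pin; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, at, version = ref.partition("@")
        # Missing "@ref", a tag such as "v6", or a short SHA all count as unpinned.
        if not at or not SHA_RE.match(version):
            unpinned.append((lineno, ref))
    return unpinned


def audit_workflows(repo_root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan .github/workflows/*.yml and *.yaml; map each offending file to its hits."""
    wf_dir = Path(repo_root) / ".github" / "workflows"
    findings = {}
    for path in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        hits = find_unpinned_uses(path.read_text(encoding="utf-8"))
        if hits:
            findings[path.relative_to(repo_root).as_posix()] = hits
    return findings


def ensure_dependabot_config(repo_root: str) -> bool:
    """Write .github/dependabot.yml if it does not exist. True if created."""
    target = Path(repo_root) / ".github" / "dependabot.yml"
    if target.exists():
        return False
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(DEPENDABOT_YML, encoding="utf-8")
    return True


def run_demo() -> dict:
    """Exercise both helpers on a throwaway repo layout built in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        wf_dir = Path(root) / ".github" / "workflows"
        wf_dir.mkdir(parents=True)
        (wf_dir / "copilot-setup-steps.yml").write_text(SAMPLE_WORKFLOW, encoding="utf-8")
        return {
            "findings": audit_workflows(root),
            "created": ensure_dependabot_config(root),
            "created_again": ensure_dependabot_config(root),
        }


if __name__ == "__main__":
    for file, hits in run_demo()["findings"].items():
        for lineno, ref in hits:
            print(f"{file}:{lineno}: unpinned action {ref}")
```

Run it from a repo root (or call audit_workflows("." ) directly) to get a file:line listing of every action still on a tag or branch; a non-empty result is the signal that a manual SHA pin is due. Dependabot then keeps those pins current by opening PRs when the upstream tag moves, which is exactly the drift the description says a manual audit would otherwise have to catch.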
Why now
Audit of workflow files revealed the single unpinned action — a straightforward fix.
The absence of Dependabot meant the next drift discovery would require another manual audit pass.
Test Status
No code logic changed — only workflow YAML and a new config file. Both changes are structural; they do not affect runtime behaviour of any workflow.
Markdown linter: will pass (no prose changes)
CI: no test suite in this repo; changes are infrastructure-only
Warning
Protected Files — Push Permission Denied
This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.
The push was rejected because the GitHub Actions token does not have the workflows permission needed to push these changes (and is never granted it), or the other authorization being used does not have this permission.
Create the pull request manually
```shell
# Download the patch from the workflow run
gh run download 24629953388 -n agent -D /tmp/agent-24629953388

# Create a new branch
git checkout -b repo-assist/eng-pin-and-dependabot-2026-04-19-7fec23cccdc7f2c7 main

# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-24629953388/aw-repo-assist-eng-pin-and-dependabot-2026-04-19.patch

# Push the branch and create the pull request
git push origin repo-assist/eng-pin-and-dependabot-2026-04-19-7fec23cccdc7f2c7
gh pr create --title '[Repo Assist] eng: pin actions/checkout to SHA and add Dependabot config' --base main --head repo-assist/eng-pin-and-dependabot-2026-04-19-7fec23cccdc7f2c7 --repo verkyyi/github-agent-runner
```
🤖 This is a [Repo Assist] automated PR.