Merged
8 changes: 0 additions & 8 deletions .changeset/README.md

This file was deleted.

2 changes: 1 addition & 1 deletion .changeset/config.json
@@ -1,5 +1,5 @@
{
"$schema": "https://unpkg.com/@changesets/config@3.1.1/schema.json",
"$schema": "https://unpkg.com/@changesets/config@3.1.2/schema.json",
"changelog": [
"@svitejs/changesets-changelog-github-compact",
{ "repo": "TanStack/router" }
4 changes: 2 additions & 2 deletions .github/workflows/autofix.yml
Expand Up @@ -19,9 +19,9 @@ jobs:
if: ${{ github.event_name == 'push' || !github.event.pull_request.draft }}
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2
- name: Setup Tools
uses: tanstack/config/.github/setup@main
uses: TanStack/config/.github/setup@main
- name: Fix formatting
run: pnpm format
- name: Generate labeler config
10 changes: 5 additions & 5 deletions .github/workflows/bundle-size.yml
Expand Up @@ -33,14 +33,14 @@ jobs:
current_json_b64: ${{ steps.capture.outputs.current_json_b64 }}
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2
with:
ref: refs/pull/${{ github.event.pull_request.number }}/merge
fetch-depth: 0
persist-credentials: false

- name: Setup Tools
uses: tanstack/config/.github/setup@main
uses: TanStack/config/.github/setup@main

- name: Measure Bundle Size
run: pnpm nx run @benchmarks/bundle-size:build --outputStyle=stream --skipRemoteCache
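Review bot: The checkout of `refs/pull/${{ github.event.pull_request.number }}/merge` is followed by `pnpm nx run @benchmarks/bundle-size:build`, so this job executes code from the pull request, and the top of the hunk exposes `steps.capture.outputs.current_json_b64` from the same job. `persist-credentials: false` is the right setting here; please also confirm that this job's `permissions:` (outside the hunk) are read-only, and that whatever consumes `current_json_b64` reads it through an environment variable and decodes it as data instead of interpolating `${{ }}` into a `run:` script.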
Expand All @@ -62,7 +62,7 @@ jobs:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2
with:
fetch-depth: 0
persist-credentials: false
Expand Down Expand Up @@ -111,12 +111,12 @@ jobs:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2
with:
fetch-depth: 0

- name: Setup Tools
uses: tanstack/config/.github/setup@main
uses: TanStack/config/.github/setup@main

- name: Measure Bundle Size
run: pnpm nx run @benchmarks/bundle-size:build --outputStyle=stream --skipRemoteCache
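Review bot: The checkout in this `contents: write` job sets `fetch-depth: 0` but no `persist-credentials: false`, unlike the two checkouts earlier in this file, so the write-scoped token stays persisted on the runner while `TanStack/config/.github/setup@main` and the `pnpm nx run` build execute. If no later step pushes through git, add `persist-credentials: false` under `with:`; if one does, this is the job in the file where pinning the setup action to a commit SHA matters most.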
24 changes: 0 additions & 24 deletions .github/workflows/changeset-preview.yml

This file was deleted.

4 changes: 2 additions & 2 deletions .github/workflows/client-nav-benchmarks.yml
Expand Up @@ -39,10 +39,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2

- name: Setup Tools
uses: tanstack/config/.github/setup@main
uses: TanStack/config/.github/setup@main

- name: Run ${{ matrix.benchmark }}:${{ matrix.framework }} CodSpeed benchmark
continue-on-error: true
8 changes: 3 additions & 5 deletions .github/workflows/labeler.yml
@@ -1,7 +1,7 @@
name: Labeler

on:
- pull_request_target
pull_request_target:

permissions:
contents: read
Expand All @@ -10,11 +10,9 @@ permissions:
jobs:
labeler:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/labeler@v5.0.0
- name: Labeller
uses: actions/labeler@v6.0.1
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: labeler-config.yml
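Review bot: Removing the job-level `permissions:` block drops the explicit `pull-requests: write` grant, so the `labeler` job now depends entirely on the workflow-level block, of which this diff shows only `contents: read`. Please confirm the workflow-level block still grants `pull-requests: write`, or keep the grant on the job, since under `pull_request_target` a job-scoped grant is the narrower choice. `actions/labeler@v5.0.0` to `@v6.0.1` is also a major-version bump, so check its release notes against `labeler-config.yml`.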
18 changes: 14 additions & 4 deletions .github/workflows/pr.yml
Expand Up @@ -23,13 +23,13 @@ jobs:
TSR_TMP_DIR: ./tmp
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2
with:
Comment on lines +26 to 27
Contributor

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify which workflow action refs are still mutable (not pinned to full SHA)
rg -nP --type=yaml '^\s*uses:\s*[^@\s]+@(?!(?:[0-9a-f]{40})\b)\S+' .github/workflows

Repository: TanStack/router

Length of output: 2145


🏁 Script executed:

cat -n .github/workflows/pr.yml | head -70

Repository: TanStack/router

Length of output: 2255


Pin action refs to immutable commit SHAs.

The workflow uses mutable version tags (@v6.0.2, @v4.4.0) and branch refs (@main), which can change unexpectedly and break CI or introduce security risks. Pin all external actions to full 40-character commit SHAs.

Suggested refactor pattern
-        uses: TanStack/config/.github/setup@main
+        uses: TanStack/config/.github/setup@<40-char-commit-sha>

-        uses: TanStack/config/.github/changeset-preview@main
+        uses: TanStack/config/.github/changeset-preview@<40-char-commit-sha>

Also applies to lines 26, 34, 47, 61 (version tags) and other workflows.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr.yml around lines 26 - 27, Replace all mutable action
refs (e.g., actions/checkout@v6.0.2 and any other `@vX.Y.Z` or `@main` refs) with
their corresponding immutable 40-character commit SHAs; locate every "uses:"
entry in the workflow (notably the entries referenced in the review around the
lines for actions/checkout and other external actions such as
actions/setup-node) and update each tag to the full commit SHA from the action’s
repository to ensure reproducible, pinned dependencies.
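
An added example, not part of the review comment above or of the TanStack repository: a small auditor for the pinning rule the comment describes. It goes slightly beyond the comment's regex by skipping local `./` actions, checking `docker://` digests, and ignoring a trailing `# vX.Y.Z` comment; the sample workflow and its 40-character SHA are constructed placeholders.

```python
import re

# Captures the value of a `uses:` key, with or without a leading list dash.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<value>\S+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify_ref(value):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    value = value.strip("'\"")
    if value.startswith("./"):
        return "local"  # action shipped in the same checkout, no remote ref
    if value.startswith("docker://"):
        # Only a digest is immutable; an image tag can be re-pushed.
        return "pinned" if "@sha256:" in value else "mutable"
    _, sep, ref = value.rpartition("@")
    if not sep:
        return "mutable"  # no ref given at all
    return "pinned" if FULL_SHA_RE.fullmatch(ref) else "mutable"

def audit(workflow_text):
    """List (line number, value) for every `uses:` that is not immutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group("value")) == "mutable":
            findings.append((lineno, match.group("value")))
    return findings

# Constructed sample: the first two refs appear in this pull request, the
# SHA on the third step is a placeholder, not a real commit.
SAMPLE = """\
steps:
  - name: Checkout
    uses: actions/checkout@v6.0.2
  - name: Setup Tools
    uses: TanStack/config/.github/setup@main
  - uses: nrwl/nx-set-shas@0123456789abcdef0123456789abcdef01234567 # v4.4.0
  - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, value in audit(SAMPLE):
        print(f"line {lineno}: mutable ref {value}")
```
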

fetch-depth: 0
- name: Start Nx Agents
run: npx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yaml"
- name: Setup Tools
uses: tanstack/config/.github/setup@main
uses: TanStack/config/.github/setup@main
- name: Get base and head commits for `nx affected`
uses: nrwl/nx-set-shas@v4.4.0
with:
Expand All @@ -44,12 +44,22 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2
with:
fetch-depth: 0
- name: Setup Tools
uses: tanstack/config/.github/setup@main
uses: TanStack/config/.github/setup@main
- name: Build Packages
run: pnpm run build:all
- name: Publish Previews
run: pnpx pkg-pr-new publish --pnpm './packages/*' --template './examples/*/*'
version-preview:
name: Version Preview
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6.0.2
- name: Setup Tools
uses: TanStack/config/.github/setup@main
- name: Changeset Preview
uses: TanStack/config/.github/changeset-preview@main
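Review bot: The new `version-preview` job declares no `permissions:` and its checkout sets no `persist-credentials: false`, yet it ends by running `TanStack/config/.github/changeset-preview@main`, a second action tracked by branch. Give the job an explicit `permissions:` block limited to what the preview needs, add `persist-credentials: false` to the checkout unless the action pushes, and pin the ref to a commit SHA. The other checkouts in this file use `fetch-depth: 0`; if the changeset preview compares against the base branch, the default shallow clone here may not be enough.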
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v6.0.1
uses: actions/checkout@v6.0.2
with:
fetch-depth: 0
- name: Check for changesets
Expand All @@ -40,7 +40,7 @@ jobs:
if: steps.changesets.outputs.has_changesets == 'true'
run: npx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yaml"
- name: Setup Tools
uses: tanstack/config/.github/setup@main
uses: TanStack/config/.github/setup@main
- name: Run Tests
if: steps.changesets.outputs.has_changesets == 'true'
run: pnpm run test:ci --parallel=3
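Review bot: In the release workflow the `Setup Tools` step still resolves `TanStack/config/.github/setup@main` at run time, since this edit only changes the owner's casing. Whatever `main` points to in that repository when a release runs executes inside the release job ahead of `pnpm run test:ci`; pin it to a full commit SHA here, with the version in a trailing comment, even if the other workflows are pinned later.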