deps: bump step-security/harden-runner from 2.16.0 to 2.17.0#19
dependabot[bot] wants to merge 41 commits into main
…d cooldown timeline
- Remove renovate[bot] from actor checks in gate and scan workflows
- Remove renovate/* branch parsing from package detection
- Add dependabot.yml for GitHub Actions updates
fix: use github_actions label to match Dependabot convention
fix: skip Scorecard badge when project is not scored
feat: add release workflow for automated floating version tags
- Add dependabot/uv/* branch pattern alongside dependabot/pip/*
- Parse individual packages from grouped PR body for security links
- Add python label for uv ecosystem PRs
- Rewrite README with full usage instructions, prerequisites, and how-it-works guide
Fixes zizmor/ref-version-mismatch — version comments like `# v4` now show the exact tag `# v4.2.2` that the pinned SHA corresponds to. Updated across all workflow files:
- actions/checkout: # v4 → # v4.2.2
- step-security/harden-runner: # v2 → # v2.16.0
feat: uv ecosystem, grouped PRs, Zizmor security analysis, and README
Reusable workflows can access the caller's token via github.token without needing secrets: inherit. This allows callers to drop secrets: inherit, resolving zizmor/secrets-inherit warnings.
fix: replace secrets.GITHUB_TOKEN with github.token
github.actor changes to the re-runner on workflow re-runs, causing:
- Cooldown status incorrectly set to success (bypasses cooling period)
- Tracking issue job skipped (Fixes link not added to PR body)

github.event.pull_request.user.login is stable — always the PR author regardless of who triggers or re-runs the workflow. Also resolves zizmor/bot-conditions warning about spoofable actor context.
fix: use PR author instead of github.actor for bot detection
The Fixes link logic was only reachable via the create-tracking-issue job (gated on action == 'opened'). If that job failed on first run, the link was never added and couldn't be recovered.

Adds a new step in set-pending-status that runs on both opened and synchronize events. It checks if a tracking issue exists and adds the Fixes link if missing. No-op if the link is already present.
fix: ensure Fixes link on every PR event, not just opened
…n3 heredoc
The previous `echo "$PR_DATA" | python3 << 'PYEOF'` pattern fought over stdin: with no script argument, python3 reads its script from stdin, and the heredoc wins — the piped JSON is silently discarded. `json.load(sys.stdin)` then saw empty input and raised JSONDecodeError, killing every scheduled run before any PRs could be scanned.

Fix by exporting PR_DATA inline for the python3 invocation and reading it via os.environ inside the script, matching the pattern already used for COOLING_DAYS and for the second Python block later in the workflow.

Also add .gitignore for .worktrees/ to keep local development workspaces out of git status.
fix(cooldown-scan): pass PR_DATA via env instead of piping into python3 heredoc
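The stdin contention described in that commit, reproduced as an added example (this is not the repository's workflow code; `PR_DATA` is a constructed sample and the inline python3 scripts stand in for the workflow's own). The broken form pipes JSON into a python3 heredoc, the fixed form hands the JSON over in the environment for that single invocation:

```shell
#!/bin/sh
# Added example (not from the repository). PR_DATA is a constructed sample of
# the JSON the scan workflow collects; the real workflow feeds it to python3.
PR_DATA='[{"number": 17, "title": "bump a"}, {"number": 18, "title": "bump b"}]'

# Broken pattern: python3 has no script argument, so it reads its script from
# stdin. The heredoc is redirected onto stdin and wins over the pipe, so the
# piped JSON is discarded and json.load(sys.stdin) sees end-of-file.
broken_count() {
  echo "$PR_DATA" | python3 <<'PYEOF'
import json, sys
try:
    print(len(json.load(sys.stdin)))
except json.JSONDecodeError:
    print("JSONDecodeError: stdin was empty")
PYEOF
}

# Fixed pattern: the inline assignment exports PR_DATA only for this python3
# process; stdin now carries nothing but the script.
fixed_count() {
  PR_DATA="$PR_DATA" python3 <<'PYEOF'
import json, os
print(len(json.loads(os.environ["PR_DATA"])))
PYEOF
}

broken_count   # JSONDecodeError: stdin was empty
fixed_count    # 2
```

The same failure applies to any interpreter that takes its program from stdin when given no file (`sh`, `node`, `ruby`); passing data through the environment, a file, or a separate file descriptor avoids the collision in each case.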
release.yml already fires on v*.*.* tag push to update the floating v1/v1.2 pointers; extend it to also publish a GitHub Release via `gh release create --generate-notes --verify-tag`, with an idempotent pre-check so re-runs (or manual tag re-pushes) don't error.

Rename the workflow from "Update Floating Version Tags" to "Publish Release" — the file stays release.yml to preserve any external references, only the display name and job id change to reflect the broader responsibility.

Also commit the design spec under docs/superpowers/specs/ documenting the rationale, failure modes, and the GitHub API limitation that prevents retroactive `published_at` timestamps on backfilled Releases.
…ump suggestion
Two orthogonal-but-related changes landing together:

1. Replace merge-triggered tagging with operator-initiated dispatch. `auto-tag.yml` → `tag-release.yml`, trigger switches from `pull_request.closed` → `workflow_dispatch` with a `bump` choice input (auto/patch/minor/major, default auto). Merged PRs accumulate on main and ship in one coherent release when the operator decides, rather than one release per merge. The conventional-commit heuristic (feat → minor, BREAKING → major, else patch) is preserved — it now powers the `auto` default. Explicit picks override the heuristic; the step summary flags the override so mismatches are visible. Safety gates: `if: github.ref == 'refs/heads/main'` at job level, `concurrency.group: tag-release` with `cancel-in-progress: false`, explicit error + step summary when no commits exist since the last tag (no ghost releases).

2. Publish GitHub Release on every `v*.*.*` tag push. `release.yml` (display name renamed to "Publish Release") gains a final `gh release create --title --generate-notes --verify-tag` step, idempotent via a `gh release view` pre-check. Fires regardless of how the tag got there (tag-release.yml dispatch, manual push, backfill loop, future migrations).

Backfill of the 7 pre-existing semver tags (v1.0.0 → v1.2.4) was executed out-of-band via a local `gh` loop — not committed as a workflow, since it's a one-time operation and a dedicated file would sit unused afterward.

Design spec added at docs/superpowers/specs/2026-04-11-release-process-overhaul-design.md.
feat(release): overhaul release process — manual dispatch with auto-bump suggestion
Dependabot's documented ecosystem label is `github-actions` (hyphen), not `github_actions` (underscore). The underscore form was derived from Dependabot's internal branch path and caused duplicate labels in consumer repos that already had the canonical hyphenated label. The case pattern (dependabot/github_actions/*) matches the branch path and remains unchanged. Fixes #9
The prerequisite list instructed consumers to create a `github_actions` (underscore) label, which conflicted with Dependabot's documented `github-actions` (hyphen) label. Consumers following setup ended up with duplicate labels. Refs #9
fix: use github-actions (hyphen) label to match Dependabot convention
Addresses zizmor secrets-outside-env advisory (rule zizmor/secrets-outside-env). Binding the tag-release job to a named environment means RELEASE_BOT_PRIVATE_KEY is only attached after the environment's branch-policy check (main only) passes, adding a GitHub-side enforcement on top of the existing if: guard. Refs: #14
fix(tag-release): use GitHub App token to restore release.yml trigger
Move the auto-merge decision block before the commit status API call so STATUS_DESC reflects the actual gh-pr-merge result. When auto-merge is unavailable the status now reads "Auto-merge unavailable — merge manually." instead of the misleading "Auto-merge enabled."
fix(cooldown): add auto_merge input for clean Dependabot PRs
* fix(cooldown): add gate caller for shared-workflows dogfooding
* fix(cooldown): add scan caller and offset Dependabot schedule
* fix(cooldown): add missing permission, trigger type, and concurrency group
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.16.0 to 2.17.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@fa2e9d6...f808768)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Dependency Security Scan (Manual)
PR age: 0 days
Results: 5 advisories found for
Project Health (OpenSSF Scorecard)
Scanned: 2026-04-12 (manual trigger)
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps step-security/harden-runner from 2.16.0 to 2.17.0.
Release notes
Sourced from step-security/harden-runner's releases.
Commits
f808768 Feature/policy store (#656)
fe10465 v2.16.1 (#654)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)