fix(ci): update check-action-versions v2 caller to composite form#136
Closed
nerdalytics wants to merge 3 commits intotrunkfrom
Closed
fix(ci): update check-action-versions v2 caller to composite form#136nerdalytics wants to merge 3 commits intotrunkfrom
nerdalytics wants to merge 3 commits intotrunkfrom
Conversation
The upstream action at nerdalytics/check-action-versions@v1 was converted
from a reusable workflow to a composite action to fix an architectural
bug: reusable workflows cannot reference their own files because
${{ github.workflow_ref }} resolves to the caller's ref, not the
callee's. Composite actions have ${{ github.action_path }} which is the
canonical pattern for shipping scripts alongside an action.
Caller syntax change required:
- jobs.check.uses: <…workflow@v1> -> jobs.check.steps[] with own checkout
plus 'uses: nerdalytics/check-action-versions@v1'
- 'secrets:' block removed; GH_PAT/SIGNING_KEY/SIGNING_PASSPHRASE now ride
in via 'with:' as gh-pat/signing-key/signing-passphrase (still passed as
${{ secrets.X }} for masking).
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Beacon's supply-chain policy rejects tag-ref actions ('must be pinned to
a full-length commit SHA'). Pin to the v1 commit SHA with the tag as
comment, matching the convention across all other uses: in this repo.
Upstream v1 retagged to 3c702505 (fix PR #3 removing template syntax from input descriptions that blocked action-manifest loading).
Owner
Author
nerdalytics
added a commit
that referenced
this pull request
Apr 20, 2026
Squash-merges branch `update-github-actions-v2`, which contains: - 3 caller fixes from the now-closed PR #136 (composite-action conversion, SHA-pin, retag SHA bump to include v1 description fix) - 1 automation commit bumping `actions/setup-node` (v6.3.0 → v6.4.0) and `actions/cache` (v5.0.4 → v5.0.5) Closes #137.
nerdalytics
added a commit
that referenced
this pull request
Apr 20, 2026
…tion (#140) Deletes the in-repo workflow and 9 action-checker scripts (scan-actions, resolve-latest, compare-actions, generate-report, manage-issue, apply-updates, commit-changes, manage-pr, close-if-current), replaced by a call to the shared composite action at nerdalytics/check-action-versions@3c70250. Pilot verified in PR #135/#136/#139 — both outdated and up-to-date paths behave identically to the pre-cutover workflow. Preserves branch-name 'automation/update-github-actions' (override, not default) so the new workflow recognizes and replaces PR #134 instead of orphaning it. Default issue-title matches existing issue #133 for auto-inherit behavior. Preserves .github/scripts/check-version.sh and check-version-sync.sh (npm/jsr version-diffing scripts, unrelated).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The upstream action at
nerdalytics/check-action-versions@v1was converted from a reusable workflow to a composite action (see upstream PR #2). This updates beacon's caller to match.Previously, on the first manual dispatch after PR #135 merged, the v2 pilot workflow failed with
invalid refspecbecause the action tried to check out its own scripts using${{ github.workflow_ref }}, which inside a reusable workflow resolves to the caller's workflow ref rather than the callee's. Composite actions have${{ github.action_path }}and avoid the issue entirely.Caller API changes:
jobs.check.uses:removed; replaced withruns-on: ubuntu-latest+steps:with explicitactions/checkoutanduses: nerdalytics/check-action-versions@v1secrets:block removed; secrets now ride in viawith:asgh-pat,signing-key,signing-passphrase(still passed as${{ secrets.X }}for masking)After merge, manually dispatch to validate end-to-end (Phase 2 of the rollout plan).