chore(core): update GitHub Actions to latest versions#139

Merged
nerdalytics merged 4 commits into trunk from update-github-actions-v2 on Apr 20, 2026
@nerdalytics
Owner

Summary

Updates GitHub Actions to their latest SHA-pinned versions.

| Action | Current | Latest |
| --- | --- | --- |
| actions/setup-node | v6.3.0 | v6.4.0 |
| actions/cache | v5.0.4 | v5.0.5 |

Closes #137

This PR was automatically generated by the Check Action Versions workflow.

The upstream action at nerdalytics/check-action-versions@v1 was converted
from a reusable workflow to a composite action to fix an architectural
bug: reusable workflows cannot reference their own files because
${{ github.workflow_ref }} resolves to the caller's ref, not the
callee's. Composite actions have ${{ github.action_path }} which is the
canonical pattern for shipping scripts alongside an action.

Caller syntax change required:
- jobs.check.uses: <…workflow@v1> -> jobs.check.steps[] with own checkout
  plus 'uses: nerdalytics/check-action-versions@v1'
- 'secrets:' block removed; GH_PAT/SIGNING_KEY/SIGNING_PASSPHRASE now ride
  in via 'with:' as gh-pat/signing-key/signing-passphrase (still passed as
  ${{ secrets.X }} for masking).

Beacon's supply-chain policy rejects tag-ref actions ('must be pinned to
a full-length commit SHA'). Pin to the v1 commit SHA with the tag as
comment, matching the convention across all other uses: in this repo.

Upstream v1 retagged to 3c702505 (fix PR #3 removing template syntax
from input descriptions that blocked action-manifest loading).

Updates actions to SHA-pinned versions for security.
See workflow file changes for details.

nerdalytics added the security (Security-related issues) and dependencies (Dependency updates) labels Apr 20, 2026
nerdalytics merged commit 1b3e103 into trunk Apr 20, 2026
12 checks passed
nerdalytics deleted the update-github-actions-v2 branch April 20, 2026 20:54

nerdalytics added a commit that referenced this pull request Apr 20, 2026
…tion (#140)

Deletes the in-repo workflow and 9 action-checker scripts (scan-actions,
resolve-latest, compare-actions, generate-report, manage-issue,
apply-updates, commit-changes, manage-pr, close-if-current), replaced by
a call to the shared composite action at
nerdalytics/check-action-versions@3c70250.

Pilot verified in PR #135/#136/#139 — both outdated and up-to-date paths
behave identically to the pre-cutover workflow.

Preserves branch-name 'automation/update-github-actions' (override, not
default) so the new workflow recognizes and replaces PR #134 instead of
orphaning it. Default issue-title matches existing issue #133 for
auto-inherit behavior.

Preserves .github/scripts/check-version.sh and check-version-sync.sh
(npm/jsr version-diffing scripts, unrelated).
Development

Successfully merging this pull request may close these issues.

Security: Outdated GitHub Actions detected (v2 pilot)