From 5488ccc695fd78bd9bf420948bcb0e87e6c8c0ad Mon Sep 17 00:00:00 2001
From: Huy Pham
Date: Mon, 20 Apr 2026 11:43:52 -0700
Subject: [PATCH] fix: use commit SHA instead of tags for actions (#1066)
* fix: use commit SHA instead of tags for actions
I think k8s repos started to enforce using commit SHA (which makes sense from security perspective) because the workflow is currently failing with `The action actions/checkout@v4 is not allowed in kubernetes/cloud-provider-gcp because all actions must be pinned to a full-length commit SHA.` Also update dependabot to handle github actions.
* fix: use commit SHA for actions/setup-go
---
 .github/dependabot.yml | 9 +++++++++
 .github/workflows/auto-tag.yml | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b1c1ce62b..e622dcaf9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,6 +16,15 @@ updates:
 - 'area/dependency'
 - 'release-note-none'
 - 'ok-to-test'
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ labels:
+ - "ok-to-test"
+ - 'area/dependency'
+ - 'release-note-none'
 - package-ecosystem: gomod
 directory: /providers
 schedule:
diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index d127e7685..e4d2e2fe5 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -12,7 +12,7 @@ jobs:
 contents: write
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 with:
 fetch-depth: 0 # Fetch all history and tags
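Review bot: The new `github-actions` entry mixes quoting styles. `"github-actions"`, `"/"`, `"weekly"`, `"sunday"` and `"ok-to-test"` are double-quoted, while `'area/dependency'` and `'release-note-none'` in the same list are single-quoted, and the neighbouring `gomod` entry writes `package-ecosystem: gomod` and `directory: /providers` unquoted. Matching the file's visible convention (single-quoted labels, plain scalars elsewhere) would keep the entries diffable against each other. The label order also differs from the context lines above, which put `'ok-to-test'` last.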
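Review bot: The pinned `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` line has no comment naming the release the SHA corresponds to, so a reader cannot tell from the diff whether it is still on the v4 line it replaces or on a different major version. I would write it as `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # <release tag>`, with the real tag filled in. Dependabot updates such a trailing version comment when it bumps the SHA, which also makes its future PRs reviewable. Since this job holds `contents: write`, it is worth confirming the SHA resolves to a tagged commit in the upstream `actions/checkout` repository. The commit message also mentions `actions/setup-go`, but no such change is visible in this diff, so any tag-pinned `uses:` lines outside the hunk would still be rejected by the policy.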