P-2208: Harden github actions #19
- Created dependabot.yml (matching sibling SDK repos) with 7-day cooldown on github-actions + npm ecosystems
- ci.yml: persist-credentials: false on all 3 checkouts
- release.yml: persist-credentials: false; drop pnpm cache from setup-node (cache-poisoning mitigation); quote variable to fix SC2086
- Verified pnpm/action-setup explicit version: 11

Refs P-2208.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
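The workflow-side hardening the commit message lists (credential-less checkouts, no restored pnpm cache in a release job, quoted shell variables, an explicitly pinned pnpm) looks like the following in a GitHub Actions job. This is an added illustration, not the PR's own ci.yml or release.yml; the job name, Node version, script names and the top-level `permissions` block (a least-privilege default for `GITHUB_TOKEN` that the PR does not mention) are assumptions.

```yaml
# Added illustration of the hardening described in the commit message.
# Not the repository's actual workflow; names and versions are assumed.
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Assumed addition: the default GITHUB_TOKEN gets read-only scope; jobs that
# need more (e.g. publishing a release) widen permissions individually.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The default (true) stores the job's GITHUB_TOKEN in .git/config,
          # where every later step, including third-party actions and any
          # install script a dependency runs, can read it.
          persist-credentials: false

      - uses: pnpm/action-setup@v4
        with:
          # Pinned explicitly instead of being inferred at run time.
          version: 11

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # Intentionally no `cache: pnpm`: a restored cache is an input this
          # run did not produce. In a release job, an entry written by an
          # earlier run would be restored straight into the release build,
          # so the cache is dropped rather than trusted.

      - run: pnpm install --frozen-lockfile
      - run: pnpm test

      - name: Shell step with a quoted expansion (ShellCheck SC2086)
        run: |
          # Quoting stops word-splitting and globbing of the expanded value.
          echo "building ${GITHUB_REF_NAME}"
```

`persist-credentials: false` matters even in read-only jobs: the token written by a default checkout is what a malicious dependency or compromised action would use to push, comment or call the API as the workflow.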
Code Review
This pull request introduces a .github/dependabot.yml configuration file to automate dependency updates for GitHub Actions and npm. Review feedback identifies that the cooldown property used in both update configurations is not a supported key in the official Dependabot schema, which may lead to an invalid configuration. It is recommended to remove these keys or use supported features like update grouping to manage the frequency of pull requests.
| cooldown: | ||
| default-days: 7 |
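Review bot: the two rendered lines do not show where `cooldown:` sits in the file; the commit message says the 7-day cooldown applies to both the github-actions and npm ecosystems, so confirm the block is placed under each `updates` entry (where per-ecosystem options live) rather than once at top level. Since the review comments on this block dispute whether the key is in the schema, check the merged file on the repository's Dependency graph settings page, which reports a configuration it cannot parse, before deciding whether to keep or remove it.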
The cooldown property is not a supported configuration option for GitHub Dependabot. Including unknown keys in dependabot.yml may cause the configuration to be flagged as invalid or ignored in the repository's 'Dependency graph' settings. If the intention is to throttle updates or reduce noise, consider using the groups feature to bundle updates or adjusting the schedule.interval.
| cooldown: | ||
| default-days: 7 |
The cooldown property is not recognized by GitHub Dependabot. While pnpm 11 supports minimumReleaseAge in pnpm-workspace.yaml (which is correctly configured in this repository), Dependabot does not have a corresponding configuration key. This block should be removed to ensure the configuration adheres to the official schema and functions as expected.
Refs P-2208.
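For reference, the dependabot.yml shape the commit message describes, with the disputed cooldown placed per update entry, is shown below. This is an added illustration and not the file from the PR; the weekly interval and root directory are assumptions, and whether `cooldown` validates is exactly what the two review comments above contest, so verify the rendered file against the current Dependabot configuration reference rather than taking either side on trust.

```yaml
# Added illustration of the configuration described in the commit message,
# not the PR's own dependabot.yml. Interval and directory are assumed.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    # 7-day delay before a newly published action version is proposed,
    # so a compromised tag pushed and reverted within the window never
    # reaches this repository as a PR.
    cooldown:
      default-days: 7

  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    # Same delay for npm packages (the commit message notes pnpm's own
    # minimumReleaseAge covers local installs; this covers Dependabot PRs).
    cooldown:
      default-days: 7
```

If the key turns out to be rejected, the review comments' fallback of `groups` plus a longer `schedule.interval` reduces PR volume but does not delay exposure to a just-published version, which is the supply-chain property the cooldown is meant to give.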