Don't SHA-pin internal trufflesecurity actions/reusable workflows #17
Merged
Conversation
helpers:pinGitHubActionDigests pins every github-actions ref, including internal trufflesecurity reusable workflows that are intentionally kept on floating refs (e.g. @main). This produced unwanted pin PRs such as trufflesecurity/truffle-release-bot#25. Add a packageRule that disables digest pinning for internal actions. It is scoped by regex (/^trufflesecurity\//) rather than a glob because Renovate names a reusable-workflow dependency after its repo (e.g. "trufflesecurity/.github"), and the leading dot in ".github" defeats glob "*" matching. This mirrors the file-scoped opt-out lesson from slack-integration-service#568 (SCAN-914), where a non-matching opt-out let the bot silently re-pin a ref that had to stay on @main. Co-authored-by: Cursor <cursoragent@cursor.com>
mikewalters-truffle
approved these changes
Jun 16, 2026
Summary
- Adds a `packageRule` to the shared base preset (`renovate-config.json`) that disables digest pinning (`pinDigests: false`) for internal `trufflesecurity/*` actions and reusable workflows.
- Stops `helpers:pinGitHubActionDigests` from pinning internal refs that are intentionally kept on floating refs (e.g. `@main`).

Motivation
`helpers:pinGitHubActionDigests` (in this preset) pins every github-actions ref, including internal `trufflesecurity` reusable workflows. Per the Dependency Strategy Unification plan's Design Decision #1, internal actions are intentionally not SHA-pinned: they're org-controlled (internal supply chain), and pinning them just adds Renovate noise on every internal release. Step 2's manual `pin-github-action` run honored this via `--allow "trufflesecurity/*"`, but the Renovate preset had no equivalent carve-out.

This surfaced as trufflesecurity/truffle-release-bot#25 ("Pin dependencies"), where Renovate tried to pin three `trufflesecurity/.github` reusable-workflow refs from `@main` to a SHA.

Why a regex, not a glob
Renovate names a reusable-workflow dependency after its repo, not the full workflow path. The Dependency Dashboard for truffle-release-bot confirms the depName is `trufflesecurity/.github` (not `trufflesecurity/.github/.github/workflows/pr-labeler-reusable.yml`). The leading dot in `.github` defeats glob `*` matching (minimatch doesn't match a leading dot by default), so a `trufflesecurity/*` glob would silently skip it.

This is the same silent-failure mode fixed in slack-integration-service#568 (SCAN-914), where a non-matching `matchDepNames` opt-out let the bot re-pin a ref that had to stay on `@main`. Using a regex (`/^trufflesecurity\//`) sidesteps the dot semantics entirely.

Change
{
  "matchManagers": ["github-actions"],
  "matchDepNames": ["/^trufflesecurity\\//"],
  "pinDigests": false
}

Test plan
- `trufflesecurity/*` reusable-workflow refs are no longer proposed for digest pinning, while third-party actions still are.

Made with Cursor
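The leading-dot behaviour argued in the PR description above, as an added example that is not part of the PR or of Renovate's code: it evaluates the packageRule from the "Change" section, and the `trufflesecurity/*` glob variant it argues against, over a constructed set of github-actions depNames. Assumptions: the sample depNames are made up for illustration; `globMatch` is a small re-implementation that mimics minimatch's default of not letting a `*` segment match a name starting with `.` (it is not Renovate's matcher); `effectivePinDigests` is a simplified model of packageRule evaluation in which pinning starts enabled, as `helpers:pinGitHubActionDigests` does for this manager, and a matching rule may turn it off.

```javascript
// Added example, not the PR's or Renovate's code. Shows why the regex form of
// matchDepNames reaches "trufflesecurity/.github" while a glob would not.

// Renovate writes regex patterns as "/.../" (optionally with flags) and treats
// anything else as a glob; this helper follows that convention.
function toPredicate(pattern) {
  const m = /^\/(.+)\/([a-z]*)$/.exec(pattern);
  if (m) {
    const re = new RegExp(m[1], m[2]);
    return (s) => re.test(s);
  }
  return (s) => globMatch(pattern, s);
}

// Minimal glob matcher (assumption: approximates minimatch without {dot: true}).
// "*" matches within one "/"-separated segment, and a segment that begins with
// "*" refuses to match a segment starting with ".", so "trufflesecurity/*"
// does not match "trufflesecurity/.github".
function globMatch(glob, input) {
  const body = glob
    .split("/")
    .map((seg) => {
      const out = seg
        .split("*")
        .map((lit) => lit.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
        .join("[^/]*");
      return seg.startsWith("*") ? "(?!\\.)" + out : out;
    })
    .join("/");
  return new RegExp("^" + body + "$").test(input);
}

// Constructed sample: two internal deps (one a dot-repo reusable workflow)
// and one third-party action that must keep being pinned.
const SAMPLE_DEPS = [
  { manager: "github-actions", depName: "trufflesecurity/.github" },
  { manager: "github-actions", depName: "trufflesecurity/trufflehog" },
  { manager: "github-actions", depName: "actions/checkout" },
];

// The rule from the PR, and the glob variant the PR argues against.
const REGEX_RULE = {
  matchManagers: ["github-actions"],
  matchDepNames: ["/^trufflesecurity\\//"],
  pinDigests: false,
};
const GLOB_RULE = {
  matchManagers: ["github-actions"],
  matchDepNames: ["trufflesecurity/*"],
  pinDigests: false,
};

// Simplified model of packageRule evaluation (assumption, not Renovate's
// implementation): pinning starts enabled for the manager and the last
// matching rule that sets pinDigests wins.
function effectivePinDigests(dep, rules) {
  let pin = true;
  for (const rule of rules) {
    const managerOk =
      !rule.matchManagers || rule.matchManagers.includes(dep.manager);
    const nameOk =
      !rule.matchDepNames ||
      rule.matchDepNames.some((p) => toPredicate(p)(dep.depName));
    if (managerOk && nameOk && rule.pinDigests !== undefined) {
      pin = rule.pinDigests;
    }
  }
  return pin;
}

// Map each sample depName to whether it would still be digest-pinned under a rule.
function pinDecisions(rule) {
  return Object.fromEntries(
    SAMPLE_DEPS.map((d) => [d.depName, effectivePinDigests(d, [rule])])
  );
}

console.log("regex rule:", pinDecisions(REGEX_RULE));
console.log("glob rule: ", pinDecisions(GLOB_RULE));
```

Under the regex rule both internal names come back with pinning off and `actions/checkout` stays pinned; under the glob rule `trufflesecurity/.github` is still reported as pinned, which is the silent re-pin the PR describes.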