feat: add opt-in README SHA update to release workflow #87

Merged: felickz merged 1 commit into main from feat/release-readme-sha on May 18, 2026

@felickz felickz commented May 18, 2026

Collaborator

Summary

Adds a new update-readme-sha boolean input to the reusable release workflow. When enabled, it opens a PR to update SHA-pinned action references in README.md after the release is created.

New input

| Input | Type | Default | Description |
|---|---|---|---|
| update-readme-sha | boolean | false | Open a PR to update SHA-pinned action refs in README.md |

Behavior

  • Only runs for non-prerelease releases
  • Finds owner/repo@<sha> # v<version> patterns in README.md and updates them
  • Opens a PR via create-pull-request with the documentation label
  • No-ops if no SHA references found in README

Usage

jobs:
  release:
    uses: advanced-security/reusable-workflows/.github/workflows/release.yml@main
    with:
      bump: patch
      update-readme-sha: true

Motivation

Replaces the need for a separate update-readme-sha.yml workflow in each action repo (like secret-scanning-review-action#83). Consolidates the release + README update into a single reusable workflow call.
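
The pattern match and no-op rule listed under Behavior, sketched as a POSIX shell function. This is an added example, not the workflow's own implementation; the function name, arguments, exit codes, the x.y.z version format, and the `example-org/example-action` placeholder with its SHAs are assumptions.

```shell
#!/bin/sh
# Added example (not the workflow's code): rewrite "owner/repo@<sha> # v<version>"
# pins in a README. Function name, arguments and exit codes are assumptions.
# Exit status: 0 = updated, 1 = no pinned refs found (no-op), 2 = rejected input.
update_readme_sha() {
  file=$1; repo=$2; sha=$3; version=$4

  # Only a full 40-hex commit SHA may be written as a pin, never a tag or branch.
  case $sha in ''|*[!0-9a-f]*) echo "not a commit SHA: $sha" >&2; return 2 ;; esac
  [ "${#sha}" -eq 40 ] || { echo "SHA must be 40 hex chars" >&2; return 2; }

  # Restrict repo and version to safe characters before they reach a regex.
  case $repo in *[!A-Za-z0-9_./-]*) echo "bad repo: $repo" >&2; return 2 ;; esac
  case $version in *[!0-9.]*) echo "bad version: $version" >&2; return 2 ;; esac
  printf '%s\n' "$repo" | grep -Eqx '[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+' || return 2
  printf '%s\n' "$version" | grep -Eqx '[0-9]+\.[0-9]+\.[0-9]+' || return 2

  # Escape '.' (the only regex metacharacter allowed above) in the repo name.
  repo_re=$(printf '%s' "$repo" | sed 's/\./\\./g')
  # The leading group stops "org/action" from matching inside "other-org/action".
  pattern="(^|[^A-Za-z0-9_./-])${repo_re}@[0-9a-f]{40} # v[0-9]+\\.[0-9]+\\.[0-9]+"

  # No pinned reference to this repo: leave the file untouched.
  grep -Eq -e "$pattern" "$file" || return 1

  sed -E "s,${pattern},\\1${repo}@${sha} # v${version},g" "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# Constructed sample README lines (placeholder owner/repo and SHAs).
demo=$(mktemp)
cat > "$demo" <<'EOF'
uses: example-org/example-action@1111111111111111111111111111111111111111 # v1.2.3
uses: other-example-org/example-action@1111111111111111111111111111111111111111 # v1.2.3
EOF
update_readme_sha "$demo" example-org/example-action \
  2222222222222222222222222222222222222222 1.3.0 && cat "$demo"
rm -f "$demo"
```

Only the first sample line is rewritten; the similarly named `other-example-org` pin keeps its original SHA.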

Add update-readme-sha boolean input (default: false). When enabled
and not a prerelease, opens a PR to update SHA-pinned action refs
in README.md after the release is created.

Callers can enable with:
  with:
    version: "2.3.0"
    update-readme-sha: true

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 18, 2026 17:26
@felickz felickz requested a review from a team as a code owner May 18, 2026 17:26
@felickz felickz requested a review from adrienpessu May 18, 2026 17:26
github-actions Bot commented May 18, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
|---|---|---|
| actions/peter-evans/create-pull-request | 8.1.1 | 🟢 4.7 |

Details

| Check | Score | Reason |
|---|---|---|
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Code-Review | 🟢 3 | Found 5/13 approved changesets -- score normalized to 3 |
| Maintained | 🟢 10 | 12 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

| Package | Version | Score |
|---|---|---|
| actions/peter-evans/create-pull-request | 5f6978faf089d4d20b00c7766989d076bb2fc7f1 | 🟢 4.7 |

Details

| Check | Score | Reason |
|---|---|---|
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Code-Review | 🟢 3 | Found 5/13 approved changesets -- score normalized to 3 |
| Maintained | 🟢 10 | 12 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Scanned Files

  • .github/workflows/release.yml

@felickz felickz enabled auto-merge (squash) May 18, 2026 17:28
@felickz felickz disabled auto-merge May 18, 2026 17:28
@felickz felickz merged commit e241cb6 into main May 18, 2026
6 of 7 checks passed
@felickz felickz deleted the feat/release-readme-sha branch May 18, 2026 17:28
@felickz felickz removed the request for review from Copilot May 18, 2026 17:51