10 changes: 5 additions & 5 deletions .github/workflows/ci.yml
@@ -31,7 +31,7 @@ jobs:
DATABASE_URL: postgres://postgres:postgres@localhost:5432/react_on_rails_starter_tanstack_test

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the relevant workflow file around the cited lines.
git ls-files .github/workflows/ci.yml
wc -l .github/workflows/ci.yml
sed -n '1,260p' .github/workflows/ci.yml

Repository: shakacode/react-on-rails-starter-tanstack

Length of output: 6605


Pin the three actions/checkout refs in .github/workflows/ci.yml.
The core, playwright-full, and production-boot-smoke jobs still use actions/checkout@v7 (lines 34, 84, 140), while the other checkout steps are already SHA-pinned. Replace these tags with commit SHAs so the workflow stays reproducible.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 34-34: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 34, the checkout steps in the core,
playwright-full, and production-boot-smoke jobs still use the mutable
actions/checkout@v7 tag, unlike the other pinned workflow steps. Update the
actions/checkout reference in each of those jobs to a commit SHA so the ci
workflow is reproducible; use the existing checkout step locations in the jobs
defined in .github/workflows/ci.yml to find them.

Source: Linters/SAST tools

with:
persist-credentials: false
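
Review bot: the bump to `- uses: actions/checkout@v7` here, and in the identical steps of the next two hunks, keeps a mutable tag while the two checkout steps later in this same file (the `@@ -166` and `@@ -215` hunks) are pinned to a full commit SHA, so ci.yml now applies two pinning policies to the same action. Use the same 40-character SHA in all five checkout steps, with a trailing `# v7.x.y` comment naming the release it resolves to, so the zizmor `unpinned-uses` finding clears and the file stays internally consistent. `persist-credentials: false` is kept in every step here, which is the right default to preserve.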

@@ -81,7 +81,7 @@ jobs:
PORT: 3100

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
with:
persist-credentials: false

@@ -137,7 +137,7 @@ jobs:
CABLE_DATABASE_URL: "postgres://postgres:postgres@localhost:5432/react_on_rails_starter_tanstack_production_cable"

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7
with:
persist-credentials: false

@@ -166,7 +166,7 @@ jobs:
contents: read

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
persist-credentials: false
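
Review bot: the new pin `- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0` (here and in the `@@ -215` hunk) has no trailing release comment, so a reader cannot tell from the diff which actions/checkout release it resolves to or whether it matches the `@v7` tag introduced in the earlier hunks. Add `# v7.x.y` with the verified version after the SHA and record in the PR how the SHA was checked against the tag; otherwise the pin is no more auditable than the tag it replaces. The `contents: read` permission and `persist-credentials: false` context should stay as they are.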

@@ -215,7 +215,7 @@ jobs:
PGPASSWORD: postgres

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0
with:
persist-credentials: false

2 changes: 1 addition & 1 deletion .github/workflows/claude-code-review.yml
@@ -27,7 +27,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v7

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/claude-code-review.yml
echo '---'
cat -n .github/workflows/claude-code-review.yml | sed -n '1,120p'

Repository: shakacode/react-on-rails-starter-tanstack

Length of output: 1965


🌐 Web query:

actions/checkout v7 release tag immutable ref commit SHA GitHub Actions

💡 Result:

As of June 24, 2026, the latest release of the official GitHub actions/checkout action is v7.0.0, published on June 18, 2026 [1][2][3]. Regarding the immutability of release tags and the use of commit SHAs:

1. Tag Mutability: GitHub release tags (such as v7 or v7.0.0) are technically mutable, meaning they can be moved or deleted by users with appropriate repository permissions [4][5]. While GitHub has introduced a feature for "Immutable Releases" to protect against unauthorized tag updates [4][5], it is not currently enabled for the actions/checkout repository [4][5].

2. Best Practice: Because tags can be moved, they are susceptible to supply chain security risks if an attacker gains access to the repository [5]. To ensure complete immutability and security, it is best practice to pin your actions to a specific commit SHA rather than a tag or branch name [5].

3. Implementation: You can use a commit SHA in your workflow configuration like this [5]:

   - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v7.0.0

By pinning to a full-length commit SHA, you ensure that the exact code you tested is executed, regardless of any future changes to tags in the repository [5]. Using the tag as a comment (as shown above) is a common pattern to keep the configuration readable while maintaining the security benefits of SHA pinning [5].

Citations:


Pin actions/checkout to a commit SHA.

actions/checkout@v7 is a moving tag; pin it to the v7.0.0 commit instead.

Suggested fix
-        uses: actions/checkout@v7
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v7.0.0
🧰 Tools
🪛 zizmor (1.26.1)

[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/claude-code-review.yml at line 30, the workflow step using
actions/checkout is pinned to a moving tag, so update the checkout reference in
claude-code-review.yml to use the v7.0.0 commit SHA instead of
actions/checkout@v7. Keep the existing step structure intact and only replace
the actions/checkout version reference so the workflow stays on the same action
while using the fixed commit-based pin.

Source: Linters/SAST tools

with:
fetch-depth: 1
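
Review bot: two points on `uses: actions/checkout@v7` with `fetch-depth: 1`. First, the suggested replacement `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v7.0.0` is exactly the SHA this PR removes from ci.yml's pinned steps in favour of `9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0`, so the two references cannot both be the intended v7 release; settle on one verified SHA and use it in ci.yml, claude-code-review.yml and claude.yml alike. Second, unlike the ci.yml checkout steps, this step (and the identical one in claude.yml) does not set `persist-credentials: false`, which leaves the job token stored in the checked-out repository's git config for later steps; add it unless a later step in this job relies on that stored credential for git operations.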

2 changes: 1 addition & 1 deletion .github/workflows/claude.yml
@@ -26,7 +26,7 @@ jobs:
actions: read # Required for Claude to read CI results on PRs
steps:
- name: Checkout repository
uses: actions/checkout@v6
uses: actions/checkout@v7
with:
fetch-depth: 1
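
The `unpinned-uses` rule that zizmor reports in the review comments above, as a small added check (example code, not part of this PR, the repository, or zizmor), run over a constructed sample that mirrors the mix of tag and SHA pins in this PR's ci.yml:

```python
"""Flag GitHub Actions `uses:` references not pinned to a full commit SHA.

Added example, not part of this PR or of zizmor: it applies the rule behind the
`unpinned-uses` finding above. Only a 40-character hex commit SHA counts as pinned;
reusable-workflow refs (owner/repo/.github/workflows/x.yml@ref) are checked too.
"""
import re
from typing import List, Tuple

# Capture the action path (before '@') and the ref (after it); quotes and a
# trailing '# vX.Y.Z' comment are allowed. Local './path' and 'docker://' uses
# have no '@ref' and are intentionally skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s]+)['\"]?\s*(#.*)?$")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify_ref(ref: str) -> str:
    """Return 'sha' for a full commit SHA, 'tag' for vN or vN.N.N, else 'branch'."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v\d+(\.\d+)*", ref):
        return "tag"
    return "branch"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, kind) for every `uses:` whose ref is not a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and (kind := classify_ref(m.group(2))) != "sha":
            findings.append((lineno, m.group(1), m.group(2), kind))
    return findings


# Constructed sample mirroring this PR's ci.yml: one tag pin, one SHA pin, and a
# reusable-workflow call on a release tag.
SAMPLE_CI = """\
jobs:
  core:
    steps:
      - uses: actions/checkout@v7
  lint:
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
  deploy:
    uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@v5.1.1
"""

if __name__ == "__main__":
    for lineno, action, ref, kind in find_unpinned(SAMPLE_CI):
        print(f"line {lineno}: {action}@{ref} is pinned to a mutable {kind}")
```

Against the sample it reports the `@v7` checkout and the `@v5.1.1` reusable-workflow call and accepts the SHA-pinned step, which is the same split zizmor draws in the findings above.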

2 changes: 1 addition & 1 deletion .github/workflows/cpflow-cleanup-stale-review-apps.yml
@@ -12,6 +12,6 @@ jobs:
cleanup:
# Cleanup targets the current inferred review-app prefix. If you changed
# naming conventions, manually delete review apps under the old prefix.
uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@v5.0.4
uses: shakacode/control-plane-flow/.github/workflows/cpflow-cleanup-stale-review-apps.yml@v5.1.1
secrets:
CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
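
Review bot: this and the five following cpflow hunks move every `shakacode/control-plane-flow` reusable workflow from `@v5.0.4` to `@v5.1.1`, and each call hands the called workflow `CPLN_TOKEN_STAGING` (further down also `DOCKER_BUILD_SSH_KEY` and, for the promote workflow, the production token). Bumping a reusable workflow changes the code that runs with those secrets, so the PR description should link the control-plane-flow changes between v5.0.4 and v5.1.1 that were reviewed and confirm that the `with:` inputs and `secrets:` passed by these callers still match what v5.1.1 expects.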
2 changes: 1 addition & 1 deletion .github/workflows/cpflow-delete-review-app.yml
@@ -31,6 +31,6 @@ jobs:
github.event_name == 'workflow_dispatch'
# This `if:` mirrors the upstream job guard to avoid a billable workflow_call
# when the event does not match. Keep both conditions in sync.
uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@v5.0.4
uses: shakacode/control-plane-flow/.github/workflows/cpflow-delete-review-app.yml@v5.1.1
secrets:
CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
2 changes: 1 addition & 1 deletion .github/workflows/cpflow-deploy-review-app.yml
@@ -30,7 +30,7 @@ jobs:
github.event.issue.pull_request &&
contains(fromJson('["+review-app-deploy","+review-app-deploy\n","+review-app-deploy\r\n"]'), github.event.comment.body) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association))
uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@v5.0.4
uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-review-app.yml@v5.1.1
secrets:
CPLN_TOKEN_STAGING: ${{ secrets.CPLN_TOKEN_STAGING }}
DOCKER_BUILD_SSH_KEY: ${{ secrets.DOCKER_BUILD_SSH_KEY }}
2 changes: 1 addition & 1 deletion .github/workflows/cpflow-deploy-staging.yml
@@ -16,7 +16,7 @@ permissions:

jobs:
deploy-staging:
uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@v5.0.4
uses: shakacode/control-plane-flow/.github/workflows/cpflow-deploy-staging.yml@v5.1.1
with:
staging_app_branch_default: "main"
secrets:
2 changes: 1 addition & 1 deletion .github/workflows/cpflow-help-command.yml
@@ -23,4 +23,4 @@ jobs:
contains(fromJson('["+review-app-help","+review-app-help\n","+review-app-help\r\n"]'), github.event.comment.body) &&
contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)) ||
github.event_name == 'workflow_dispatch'
uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@v5.0.4
uses: shakacode/control-plane-flow/.github/workflows/cpflow-help-command.yml@v5.1.1
2 changes: 1 addition & 1 deletion .github/workflows/cpflow-promote-staging-to-production.yml
@@ -20,7 +20,7 @@ jobs:
# upgrades are auditable and easy to roll forward. If your security policy
# requires immutable refs, run bin/pin-cpflow-github-ref with the full
# 40-character commit SHA behind the release tag and update the docs too.
uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@v5.0.4
uses: shakacode/control-plane-flow/.github/workflows/cpflow-promote-staging-to-production.yml@v5.1.1
with:
# Keep CPLN_TOKEN_PRODUCTION as a secret on this protected GitHub
# Environment. The caller passes the environment name, the upstream
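
Review bot: the retained comment in this hunk says that a policy requiring immutable refs means running `bin/pin-cpflow-github-ref` with the full commit SHA behind the release tag and updating the docs too; this bump stays on the mutable `@v5.1.1` tag, which matches the comment's stated choice, but since all six cpflow `uses:` lines were edited by hand, check whether any documentation quotes the `v5.0.4` version and update it (the visible diff contains no docs change). This workflow also receives the production Control Plane token, so it is the one cpflow call where verifying the upstream v5.1.1 contents before merge matters most.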
2 changes: 1 addition & 1 deletion .github/workflows/cpflow-review-app-help.yml
@@ -18,4 +18,4 @@ jobs:
# to PR-open help. Remove it, or uncomment and adapt this guard, if forks or
# clones should stay quiet until Control Plane is configured:
# if: vars.REVIEW_APP_PREFIX != '' || vars.CPLN_ORG_STAGING != ''
uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@v5.0.4
uses: shakacode/control-plane-flow/.github/workflows/cpflow-review-app-help.yml@v5.1.1
14 changes: 7 additions & 7 deletions Gemfile.lock
@@ -102,7 +102,7 @@ GEM
bcrypt_pbkdf (1.1.2)
bigdecimal (4.1.2)
bindex (0.8.1)
bootsnap (1.24.5)
bootsnap (1.24.6)
msgpack (~> 1.2)
brakeman (8.0.5)
racc
@@ -155,9 +155,9 @@ GEM
raabro (~> 1.4)
globalid (1.3.0)
activesupport (>= 6.1)
i18n (1.14.8)
i18n (1.15.2)
concurrent-ruby (~> 1.0)
image_processing (2.0.1)
image_processing (2.0.2)
io-console (0.8.2)
io-endpoint (0.17.2)
io-event (1.16.1)
@@ -173,7 +173,7 @@ GEM
json (2.19.9)
jwt (3.2.0)
base64
kamal (2.11.0)
kamal (2.12.0)
activesupport (>= 7.0)
base64 (~> 0.2)
bcrypt_pbkdf (~> 1.0)
@@ -214,7 +214,7 @@ GEM
minitest (6.0.6)
drb (~> 2.0)
prism (~> 1.5)
msgpack (1.8.0)
msgpack (1.8.3)
net-imap (0.6.4.1)
date
net-protocol
@@ -394,9 +394,9 @@ GEM
rubocop-performance (>= 1.24)
rubocop-rails (>= 2.30)
ruby-progressbar (1.13.0)
rubyzip (3.3.0)
rubyzip (3.4.0)
securerandom (0.4.1)
selenium-webdriver (4.44.0)
selenium-webdriver (4.45.0)
base64 (~> 0.2)
logger (~> 1.4)
rexml (~> 3.2, >= 3.2.5)
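
Review bot: the Gemfile.lock hunks bump seven gems (bootsnap, i18n, image_processing, kamal, msgpack, rubyzip, selenium-webdriver) with no Gemfile change in the visible diff, so these are lock-only updates; the PR description should note how they were produced (for example a plain `bundle update`) and link the changelogs for rubyzip and image_processing, which process archive and image data, and for kamal, which drives deployment.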