@aladdin-add
Member

refs: eslint/eslint#20397 (comment)
This pull request makes a small update to the Renovate configuration for GitHub Actions dependencies. The change expands the exclusion pattern in the matchPackageNames field to also exclude github/** packages, not just actions/**.

  • .github/renovate/base.json5: Updated the matchPackageNames pattern to exclude both actions/** and github/** when applying the deps:actions label for GitHub Actions dependencies.

@eslint-github-bot eslint-github-bot bot added the bug Something isn't working label Dec 16, 2025
@eslintbot eslintbot added this to Triage Dec 16, 2025
@github-project-automation github-project-automation bot moved this to Needs Triage in Triage Dec 16, 2025
@aladdin-add
Member Author

Should we also exclude "googleapis/*"? I think it's well-trusted too.

@aladdin-add aladdin-add moved this from Needs Triage to Implementing in Triage Dec 16, 2025
@aladdin-add aladdin-add marked this pull request as ready for review December 16, 2025 08:22
Copilot AI review requested due to automatic review settings December 16, 2025 08:22
Copilot AI left a comment

Pull request overview

This PR updates the Renovate configuration to exclude both actions/** and github/** packages from having their GitHub Actions pinned to commit digests. This ensures that first-party GitHub Actions (from both the actions and github namespaces) remain unpinned, while third-party actions continue to be pinned for security purposes.

Key Changes

  • Expanded the exclusion pattern in the "Pin 3rd-party actions" rule to include both actions/** and github/** namespaces

@lumirlumir
Member

lumirlumir commented Dec 16, 2025

> Should we also exclude "googleapis/*"? I think it's well-trusted too.

Personally, I'm also +1 on excluding it. They're Google-owned actions, so I think that's fine.

But, if the TSC has a moment to review it, another confirmation would be helpful. @eslint/eslint-tsc

@lumirlumir lumirlumir moved this from Implementing to Feedback Needed in Triage Dec 16, 2025
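
The pinning policy discussed in this thread, as an added example that is not part of the PR or the ESLint repository: a small audit that lists `uses:` references whose owner is outside the excluded namespaces and whose ref is not a full commit digest. The function names, the trusted-owner list parameter and the sample workflow are assumptions made for illustration.

```javascript
// Added example (not ESLint's or Renovate's code): audit `uses:` references in a
// GitHub Actions workflow against the pinning policy discussed in this PR.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Owners exempt from digest pinning; mirrors the actions/** and github/** exclusions.
const DEFAULT_TRUSTED = ["actions", "github"];

function parseUses(line) {
  // Matches `uses: owner/repo[/path]@ref`, optionally preceded by "- " and quoted.
  const m = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/.exec(line);
  if (!m) return null;
  const target = m[1];
  // Local actions and container images are not owner/repo references.
  if (target.startsWith("./") || target.startsWith("docker://")) return null;
  const at = target.lastIndexOf("@");
  if (at === -1) return { name: target, owner: target.split("/")[0], ref: "" };
  const name = target.slice(0, at);
  return { name, owner: name.split("/")[0], ref: target.slice(at + 1) };
}

function findUnpinned(workflowText, trustedOwners = DEFAULT_TRUSTED) {
  const trusted = new Set(trustedOwners.map((o) => o.toLowerCase()));
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, i) => {
    const use = parseUses(line);
    if (!use) return;
    if (trusted.has(use.owner.toLowerCase())) return; // excluded namespace
    if (FULL_SHA.test(use.ref)) return;               // pinned to a commit digest
    findings.push({ line: i + 1, name: use.name, ref: use.ref });
  });
  return findings;
}

// Constructed sample workflow; the example-org actions are hypothetical.
const SAMPLE = [
  "jobs:",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: github/codeql-action/init@v3",
  "      - uses: example-org/deploy-action@v2",
  "      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567 # v1.2.0",
  "      - uses: ./.github/actions/local",
  "      - uses: googleapis/release-please-action@v4",
].join("\n");

console.log(findUnpinned(SAMPLE));
```

Passing `["actions", "github", "googleapis"]` as the second argument shows what the audit would report if the additional exclusion proposed in the thread were adopted.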