chore(ci): drop version comments from SHA-pinned actions (no more Dependabot drift)#3867
Conversation
…e convention Dependabot bumps a SHA-pinned action's commit SHA but does not reliably keep the trailing `# vX` version comment in sync (it bumped actions/cache to the v6.1.0 SHA while leaving `# v5` — see #3864). The stale comments mislead, and fixing them by hand on every major bump is recurring toil. Drop the trailing version comments from all SHA-pinned `uses:` lines across the workflows (SHA-only pinning is unchanged — same security guarantee). The version is available from Dependabot's PR title and the action repo. Document the convention in dependabot.yml so contributors don't re-add comments. No functional change — pins, paths, and keys are identical; only comments removed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Thanks for tackling this recurring toil, @ten9876.
I diffed every changed uses: line and confirmed the substance: each of the 42 lines has only the trailing # vX comment removed — the 40-char commit SHAs, action names, with: blocks, paths, and cache keys are all byte-identical. SHA pinning is fully intact, so the supply-chain guarantee is unchanged. I also grepped scripts/ and the rest of the repo and found no tooling that parses those version comments, so nothing downstream breaks. The dependabot.yml convention note is a nice touch to keep contributors from re-adding them. No bugs, scope creep, or boundary concerns — this is CI-config only.
One trade-off worth flagging (non-blocking, your call): the # vX comment is also what lets a human reviewer (and tools like ratchet / pin-github-action / OpenSSF Scorecard tooling) see at a glance which version a SHA pins, which matters when judging whether a pin is current during review. The drift problem in #3864 is real, but it's worth noting the standard alternative is keeping the comment with a full semver (# v5.0.5), which Dependabot does generally keep in sync — the major-only # v5 form is the format it's flakiest about. Dropping the comments entirely is a perfectly reasonable way to sidestep that; just calling out that you're trading a bit of inline readability for zero drift.
Looks good to merge as-is. 👍
🤖 aethersdr-agent · cost: $1.4716 · model: claude-opus-4-8
Summary
Drops the trailing
# vXversion comments from all SHA-pinned GitHub Actions and documents the SHA-only convention independabot.yml.Why
Dependabot bumps a SHA-pinned action's commit SHA but doesn't reliably keep the
# vXcomment in sync. In #3864 it bumpedactions/cacheto the v6.1.0 SHA while leaving the comment reading# v5— stale and misleading. Correcting these by hand on every major bump is recurring toil, and the comment is purely cosmetic (Dependabot resolves the version from the SHA, not the comment).What
uses:line across 11 workflows (42 lines). SHA pinning is unchanged — same supply-chain guarantee; only the comment is gone..github/dependabot.ymlso contributors don't re-add comments.The version is still discoverable from Dependabot's PR title and the action repo.
Non-functional
Pins,
paths, andkeys are byte-identical — only comments removed. All workflow YAML re-validated as parsing.🤖 Generated with Claude Code