Skip to content

fix: use main branch for changesets/bot action#363

Open
guesung wants to merge 2 commits intotoss:mainfrom
guesung:fix/changeset-bot-action-tag
Open

fix: use main branch for changesets/bot action#363
guesung wants to merge 2 commits intotoss:mainfrom
guesung:fix/changeset-bot-action-tag

Conversation

@guesung
Copy link
Copy Markdown
Contributor

@guesung guesung commented Apr 2, 2026

Summary

  • Fix changesets/bot@v1 action resolution failure — the changesets/bot repo has no v1 tag/release
  • Change to changesets/bot@main so the workflow can resolve the action

Test plan

  • Verify the Changeset Bot workflow passes on new PRs

Copilot AI review requested due to automatic review settings April 2, 2026 05:26
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Changeset Bot GitHub Actions workflow to resolve an action reference that cannot be fetched as changesets/bot@v1 by switching to the repository’s default branch.

Changes:

  • Update workflow action reference from changesets/bot@v1 to changesets/bot@main.

.github/workflows/changeset-bot.yml Outdated
runs-on: ubuntu-latest
steps:
- uses: changesets/bot@v1
- uses: changesets/bot@main
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using a floating ref (changesets/bot@main) makes this workflow non-deterministic and increases supply-chain risk, especially with pull_request_target and pull-requests: write permissions (the action code can change without review). Prefer pinning the action to an immutable commit SHA (or a trusted, signed tag/release if one becomes available) and update it intentionally when needed.

Suggested change
- uses: changesets/bot@main
- uses: changesets/bot@3b4cf1f2c9a6c1891d3dbed1d5d295df1b548d64 # pinned from @main

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Collaborator

@kimyouknow kimyouknow Apr 7, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@guesung Thanks for fixing the bot failure from #350!

All our other actions are SHA-pinned for supply-chain security
(see #325). Could you pin this one too?

Copy link
Copy Markdown
Contributor Author

@guesung guesung Apr 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kimyouknow Thanks for the review! I've pinned it to a full commit SHA in bcf5104.

I pinned to e755cedfffdc49f54ce5daa69d960a143941b787(current master HEAD).

@guesung
ci: pin changesets/bot action to commit SHA for supply-chain security
bcf5104 
Pin to master HEAD SHA as changesets/bot has no release tags.
Aligns with the repo's SHA-pinning policy (toss#325).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kimyouknow kimyouknow Awaiting requested review from kimyouknow kimyouknow is a code owner

@zztnrudzz13 zztnrudzz13 Awaiting requested review from zztnrudzz13 zztnrudzz13 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@guesung @kimyouknow