
chore: upgrade safe-settings to 2.1.19, harden workflow #13

Closed
nbrieussel wants to merge 1 commit into fix/workflow-permissions from chore/workflow-hardening-and-upgrade


@nbrieussel

Summary

Bundles three related workflow improvements to avoid merge conflicts (all touch the same file):

  • #4 — Harden sync workflow: ubuntu-latest → ubuntu-24.04, npm install → npm ci, add timeout-minutes: 30
  • #5 — Upgrade safe-settings 2.1.17 → 2.1.19: bumps SAFE_SETTINGS_VERSION; picks up the probot v14 full-sync fix from upstream PR #949
  • #8 — SHA-pin the checkout ref: adds # pin: 6a8b6ae084987025f6c5de85e3cc6df140f64502 comment on the ref: line; the variable stays so Renovate can bump it automatically

Also updates CLAUDE.md bug #4 note to reflect that 2.1.19 is now running.

Dependency

This PR is based on #10 (fix/workflow-permissions) and must be merged after #10. Both touch .github/workflows/safe-settings-sync.yml; stacking here avoids conflicts.

Dry-run checklist (to run manually before merge)

  • Trigger dry-run: gh workflow run safe-settings-sync.yml --repo IntegratedDynamic/admin --ref chore/workflow-hardening-and-upgrade -f nop=true
  • Check run succeeded: gh run list --repo IntegratedDynamic/admin --limit 3
  • Confirm no unexpected diffs: gh run view <run-id> --repo IntegratedDynamic/admin --log | grep "There are changes"
  • Merge fix: restrict GITHUB_TOKEN to contents: read in sync workflow #10 first, then merge this PR

Closes #4
Closes #5
Closes #8

- ubuntu-latest → ubuntu-24.04, add timeout-minutes: 30 (closes #4)
- SAFE_SETTINGS_VERSION 2.1.17 → 2.1.19 (closes #5)
- SHA-pin checkout ref comment for 2.1.19, npm install → npm ci (closes #8)
- Update CLAUDE.md bug #4 note to reflect 2.1.19 is now running

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@nbrieussel nbrieussel deleted the branch fix/workflow-permissions April 14, 2026 11:38
@nbrieussel nbrieussel closed this Apr 14, 2026
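
The hardening points bundled in this PR, expressed as a check over a workflow file. This is an added example, not code from the PR or from safe-settings; the sample workflow, the rule names and the functions `audit` and `job_block` are constructed for illustration, and the check is line-based rather than a full YAML parse.

```python
import re

# Constructed sample workflow (not the repository's actual file).
SAMPLE = """\
jobs:
  sync:
    runs-on: ubuntu-latest
    env:
      SAFE_SETTINGS_VERSION: 2.1.17
    steps:
      - uses: actions/checkout@v4
        with:
          repository: github/safe-settings
          ref: ${{ env.SAFE_SETTINGS_VERSION }}
      - run: npm install
"""

PIN = re.compile(r"#\s*pin:\s*[0-9a-f]{40}\b")  # the PR's "# pin: <sha>" comment
SHA = re.compile(r"ref:\s*[0-9a-f]{40}\b")      # ref given directly as a full SHA

def job_block(lines, idx, n):
    """Lines of the job around lines[idx]: blank or indented at least n spaces."""
    inside = lambda l: not l.strip() or len(l) - len(l.lstrip()) >= n
    lo = hi = idx
    while lo > 0 and inside(lines[lo - 1]):
        lo -= 1
    while hi + 1 < len(lines) and inside(lines[hi + 1]):
        hi += 1
    return lines[lo:hi + 1]

def audit(text):
    """Return (line_no, rule) findings for the hardening points in the PR."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        body = line.strip()
        m = re.match(r"( *)runs-on:\s*(\S+)", line)
        if m:
            key = m.group(1) + "timeout-minutes:"  # job-level key, same indent
            if m.group(2).endswith("-latest"):
                findings.append((i + 1, "floating-runner"))
            if not any(l.startswith(key) for l in job_block(lines, i, len(m.group(1)))):
                findings.append((i + 1, "no-job-timeout"))
        if re.search(r"\bnpm\s+(install|i)(?![\w-])", body) and not body.startswith("#"):
            findings.append((i + 1, "npm-install"))
        if body.startswith("ref:") and not (PIN.search(body) or SHA.match(body)):
            findings.append((i + 1, "ref-without-pin"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"line {no}: {rule}" for no, rule in audit(SAMPLE)))
```

The `ref-without-pin` rule only confirms that the pin comment is present; a YAML comment is not read by the checkout step, so the ref still resolves to whatever the variable names.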