Discussed in #44514
Originally posted by ericcornelissen July 12, 2026
Tell us more.
When bumping a SHA-pinned GitHub Action followed by a version annotation, Renovate will update the version annotation, for example:
jobs:
example:
steps:
- name: Example
- uses: ericcornelissen/tool-versions-update-action/pr@aa1815a7caf1aecd37208e34ad57bec973bcd507 # v2.2.1
+ uses: ericcornelissen/tool-versions-update-action/pr@e42ba48806082845f434a42b706bfe3f9a807806 # v2.2.2
However, when bumping a SHA-pinned job.container.image in a GitHub Actions workflow Renovate does not do this, for example:
jobs:
example:
container:
- image: semgrep/semgrep@sha256:9349edbadf90c3f3c0c3f55867625354e89680e6fa10d9034042af52fdb0e0d0 # 1.162.0
+ image: semgrep/semgrep@sha256:06938c1f365d3f67b8cedd8bc117607ae64253f88a0e768e9da9408548927dd6 # 1.162.0
Notice that the annotation is unchanged!
I think Renovate should keep these annotations in sync with the actual version too.
Discussed in #44514
Originally posted by ericcornelissen July 12, 2026
Tell us more.
When bumping a SHA-pinned GitHub Action followed by a version annotation, Renovate will update the version annotation, for example:
jobs: example: steps: - name: Example - uses: ericcornelissen/tool-versions-update-action/pr@aa1815a7caf1aecd37208e34ad57bec973bcd507 # v2.2.1 + uses: ericcornelissen/tool-versions-update-action/pr@e42ba48806082845f434a42b706bfe3f9a807806 # v2.2.2However, when bumping a SHA-pinned
job.container.imagein a GitHub Actions workflow Renovate does not do this, for example:jobs: example: container: - image: semgrep/semgrep@sha256:9349edbadf90c3f3c0c3f55867625354e89680e6fa10d9034042af52fdb0e0d0 # 1.162.0 + image: semgrep/semgrep@sha256:06938c1f365d3f67b8cedd8bc117607ae64253f88a0e768e9da9408548927dd6 # 1.162.0Notice that the annotation is unchanged!
I think Renovate should keep these annotations in sync with the actual version too.