Pin shared-actions SHA in CI to current #390
Pin shared-actions references to specific commit SHA
This PR pins all four instances of the
The change ensures workflow reproducibility by using fixed, immutable commit SHAs rather than allowing drift between CI runs. This aligns with the established practice documented in
The codebase includes a verification test in
Walkthrough
Three action references in
Changes
CI shared-actions pin update
🚥 Pre-merge checks: ✅ 19 passed | ❌ 1 failed (1 warning)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 44a1194e2d
| - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | ||
| - name: Setup Rust | ||
| uses: leynos/shared-actions/.github/actions/setup-rust@718c4f2eadaf95d527814862fd7cb85d91c8a8fc | ||
| uses: leynos/shared-actions/.github/actions/setup-rust@4b35232 |
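Review bot: the new `uses:` line replaces a full 40-character pin (718c4f2e...) with the 7-character `@4b35232`, which is the form Codex and zizmor flag on this hunk and is weaker than what it replaces (an abbreviated prefix is resolved at run time and can become ambiguous as the upstream repository grows); pin to the full SHA, e.g. `uses: leynos/shared-actions/.github/actions/setup-rust@4b35232912c61d595b49f8a54bce3c201a95fd42`. The adjacent `actions/checkout` line carries a `# v4.1.2` trailing comment while the shared-actions pin has none; add a comment naming the upstream tag or date the SHA corresponds to so the pin can be reviewed and bumped later.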
Use full commit SHAs for shared actions
When this workflow runs on pull requests or workflow_dispatch, GitHub Actions no longer supports shortened commit SHAs for uses: action references; GitHub's changelog says these references must use the full commit SHA (https://github.blog/changelog/2021-01-21-github-actions-short-sha-deprecation/). The same 7-character ref is used for the other shared-action steps too, so CI can fail while resolving the action before any checks run. Pin this to the full 4b35232912c61d595b49f8a54bce3c201a95fd42 SHA instead.
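As an added example that is not part of the PR, the project, or the Codex/CodeRabbit output, the check below classifies every `uses:` reference in a workflow file as a full SHA, a short SHA, or a mutable tag/branch, so a short pin like `@4b35232` is reported before CI tries to resolve it; the sample workflow is constructed and the function names are my own.

```python
import re

# A `uses:` step reference of the form owner/repo[/path]@ref, with an optional
# trailing "# comment" (e.g. the tag the SHA corresponds to).
# Local actions (./path) and docker:// images carry no "@ref" and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)(?:\s*#\s*(.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref):
    """Return 'sha' (immutable), 'short-sha' (abbreviated prefix) or 'mutable'."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"
    # Anything else is a tag or branch name, which can be moved or deleted.
    # (A purely hexadecimal tag name would be misclassified; none are used here.)
    return "mutable"


def scan_workflow(text):
    """Return (line_no, action, ref, kind) for every uses: reference in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            findings.append((line_no, action, ref, classify_ref(ref)))
    return findings


def unpinned(text):
    """Only the references that are not pinned to a full 40-character SHA."""
    return [f for f in scan_workflow(text) if f[3] != "sha"]


# Constructed sample workflow: one full pin, one short pin, one tag, one local action.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
      - name: Setup Rust
        uses: leynos/shared-actions/.github/actions/setup-rust@4b35232
      - uses: actions/cache@v4
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, action, ref, kind in unpinned(SAMPLE):
        print(f"line {line_no}: {action}@{ref} is {kind}, not a full commit SHA")
```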
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 32: Replace all instances of the short 7-character commit SHA with the
full 40-character commit SHA in the leynos/shared-actions workflow references.
In the ci.yml file, locate all four occurrences where uses:
leynos/shared-actions/.github/actions/ references end with `@4b35232` (on lines
32, 51, 59, and 80). For each occurrence, expand the `@4b35232` reference to
include the complete 40-character commit SHA to enforce immutability and meet
the pinning standard used throughout the workflows.
📒 Files selected for processing (1)
.github/workflows/ci.yml
| - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | ||
| - name: Setup Rust | ||
| uses: leynos/shared-actions/.github/actions/setup-rust@718c4f2eadaf95d527814862fd7cb85d91c8a8fc | ||
| uses: leynos/shared-actions/.github/actions/setup-rust@4b35232 |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check the current state of .github/workflows/ci.yml
echo "=== Content of lines 32, 51, 59, 80 in ci.yml ==="
cat -n .github/workflows/ci.yml | sed -n '32p;51p;59p;80p'
echo
echo "=== Full shared-actions uses entries ==="
rg -n 'uses:\s*leynos/shared-actions/.github/actions/.+@' .github/workflows
echo
echo "=== Check for short SHAs (not 40 chars) ==="
rg -nP 'uses:\s*leynos/shared-actions/.github/actions/.+@[0-9a-f]{1,39}\b' .github/workflows
Repository: leynos/netsuke
Length of output: 2283
Replace short SHAs with full 40-character commit SHAs in all uses: references.
Lines 32, 51, 59, and 80 use a 7-character prefix (@4b35232). Pin each action to the full commit SHA to enforce immutability and match the pinning standard used across other workflows.
Verification script
#!/bin/bash
# Verify shared-actions refs are pinned and use full 40-char SHAs.
# Expected: no output from the second check.
echo "Shared-actions uses entries:"
rg -n 'uses:\s*leynos/shared-actions/.github/actions/.+@' .github/workflows
echo
echo "Entries that are NOT pinned to a full 40-char SHA (should be empty):"
rg -nP 'uses:\s*leynos/shared-actions/.github/actions/.+@[0-9a-f]{1,39}\b' .github/workflows
Also applies to: 51-51, 59-59, 80-80
🧰 Tools
🪛 zizmor (1.25.2)
[error] 32-32: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
Update the four leynos/shared-actions references in .github/workflows/ci.yml to pin to commit 4b35232.