
Pin shared-actions SHA in CI to current #390

Open

leynos wants to merge 1 commit into main from update-sha-pin-4b35232

Conversation

@leynos (Owner) commented Jun 17, 2026

Update the four leynos/shared-actions references in .github/workflows/ci.yml to pin to commit 4b35232.

@sourcery-ai (Bot, Contributor) left a comment

Sorry @leynos, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@coderabbitai (Bot, Contributor) commented Jun 17, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Pin shared-actions references to specific commit SHA

This PR pins all four instances of the leynos/shared-actions GitHub Actions references in .github/workflows/ci.yml to commit SHA 4b35232. The pinned actions are:

  • setup-rust in the build-test job (line 32)
  • generate-coverage in the build-test job (line 51)
  • upload-codescene-coverage in the build-test job (line 59)
  • setup-rust in the kani-smoke job (line 80)

The change ensures workflow reproducibility by using fixed, immutable commit SHAs rather than allowing drift between CI runs. This aligns with the established practice documented in netsuke-design.md, which states that all shared composites from the leynos/shared-actions toolchain are pinned to explicit SHAs for reproducible release automation.

The codebase includes a verification test in tests/workflow_shared_actions_pins.rs that validates shared-actions pinning consistency across workflows.

Walkthrough

Three action references in .github/workflows/ci.yml are re-pinned to commit 4b35232, replacing the previous commit hash. The affected steps are setup-rust in the build-test matrix job, the coverage report and CodeScene upload steps in the stable-only coverage pipeline, and setup-rust in the kani-smoke job.

Changes

CI shared-actions pin update

Layer / File(s) Summary
Shared-actions commit pin bump across all CI jobs
.github/workflows/ci.yml
Re-pins setup-rust (lines 32 and 80) and the coverage/CodeScene upload steps (lines 51–59) from the previous commit hash to 4b35232. No job structure, conditions, or parameters are altered.

🔧 A hash swapped out with care,
Three steps now point to fresh air.
4b35232 leads the way,
CI marches on today—
Same jobs, same flow, new SHA to bear!

🚥 Pre-merge checks | ✅ 19 | ❌ 1

❌ Failed checks (1 warning)

  • Testing (Unit And Behavioural) ⚠️ Warning. Explanation: Test added but will fail: behavioural test requires all workflows to use identical shared-actions pins, but ci.yml uses @4b35232 whilst build-and-package.yml, netsukefile-test.yml, and release.yml... Resolution: Update all shared-actions references in build-and-package.yml, netsukefile-test.yml, and release.yml to match ci.yml's pin (preferably using full 40-character SHAs per review comments).

✅ Passed checks (19 passed)

  • Title check ✅ Passed. The title 'Pin shared-actions SHA in CI to current' directly describes the main change in the changeset, which updates four leynos/shared-actions references to commit 4b35232.
  • Description check ✅ Passed. The description accurately relates to the changeset, specifying that it updates four leynos/shared-actions references in .github/workflows/ci.yml to pin to commit 4b35232.
  • Docstring Coverage ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Testing (Overall) ✅ Passed. PR updates CI configuration only (workflow references), not application code or behaviour; custom check for "new functionality or behavioural changes" does not apply to infrastructure-only updates....
  • User-Facing Documentation ✅ Passed. PR updates CI workflow configuration by pinning GitHub Actions references to specific commits; no user-facing functionality or behaviour changed, making documentation update inapplicable.
  • Developer Documentation ✅ Passed. PR updates CI workflow to pin GitHub Actions commits; this is operational maintenance that does not change internal APIs, architectural boundaries, abstractions, or build requirements requiring doc...
  • Module-Level Documentation ✅ Passed. The PR modifies only .github/workflows/ci.yml, a GitHub Actions configuration file, not a code module. Module-level documentation requirements apply to code modules (Rust, Python, etc.), not CI/inf...
  • Testing (Property / Proof) ✅ Passed. This PR updates GitHub Actions workflow configuration only (pinning references to commit 4b35232); no algorithmic invariants, lemmas, proof assumptions, or formal properties are introduced, so prop...
  • Testing (Compile-Time / Ui) ✅ Passed. Custom check for compile-time and UI testing is not applicable. PR modifies only GitHub Actions workflow configuration, not application code with behavioural output.
  • Unit Architecture ✅ Passed. The Unit Architecture check addresses code-level architectural concerns (queries vs commands, dependency injection, fallibility, single responsibility). The PR updates only GitHub Actions reference...
  • Domain Architecture ✅ Passed. Custom check for domain architecture is inapplicable; PR modifies only CI workflow configuration files, not domain logic or application code.
  • Observability ✅ Passed. CI workflow configuration change updating action references; does not introduce operational behaviour changes requiring observability features (logging, metrics, tracing, or alerts).
  • Security And Privacy ✅ Passed. Changes update GitHub Actions commit references only, introducing no secrets, hardcoded credentials, authentication bypasses, injection risks, overly-broad permissions, or privacy-sensitive data ex...
  • Performance And Resource Use ✅ Passed. PR modifies only workflow configuration (.github/workflows/ci.yml), pinning GitHub Actions versions. No source code, algorithms, resource allocation, loops, I/O, or performance-sensitive code are c...
  • Concurrency And State ✅ Passed. The PR only updates GitHub Actions version pins in ci.yml workflow configuration. It introduces no shared mutable state, concurrency primitives, async logic, or synchronisation code; the custom chec...
  • Architectural Complexity And Maintainability ✅ Passed. PR introduces no new abstractions, architectural layers, dependencies, or maintenance burden; it merely updates existing workflow action references to pinned commits.
  • Rust Compiler Lint Integrity ✅ Passed. The custom check "Rust Compiler Lint Integrity" concerns Rust compiler lints, dead code detection, clone usage, and ownership patterns. This PR modifies only .github/workflows/ci.yml (GitHub Action...



@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 44a1194e2d


Comment thread .github/workflows/ci.yml
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup Rust
uses: leynos/shared-actions/.github/actions/setup-rust@718c4f2eadaf95d527814862fd7cb85d91c8a8fc
uses: leynos/shared-actions/.github/actions/setup-rust@4b35232
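Review bot: the replacement `uses:` line on the last line of this hunk pins setup-rust to `@4b35232`, a 7-character prefix, whereas the line it replaces carried a full 40-character SHA and the checkout step two lines above pairs its full SHA with a `# v4.1.2` comment. A short prefix is not an immutable pin (a later upstream commit can share it) and GitHub Actions resolves `uses:` references by full SHA only, so expand it to the full 40-character hash and add a trailing comment naming the upstream tag or date it corresponds to, following the convention the checkout line already uses.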


P1: Use full commit SHAs for shared actions

When this workflow runs on pull requests or workflow_dispatch, GitHub Actions no longer supports shortened commit SHAs for uses: action references; GitHub's changelog says these references must use the full commit SHA (https://github.blog/changelog/2021-01-21-github-actions-short-sha-deprecation/). The same 7-character ref is used for the other shared-action steps too, so CI can fail while resolving the action before any checks run. Pin this to the full 4b35232912c61d595b49f8a54bce3c201a95fd42 SHA instead.


@coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 32: Replace all instances of the short 7-character commit SHA with the
full 40-character commit SHA in the leynos/shared-actions workflow references.
In the ci.yml file, locate all four occurrences where uses:
leynos/shared-actions/.github/actions/ references end with `@4b35232` (on lines
32, 51, 59, and 80). For each occurrence, expand the `@4b35232` reference to
include the complete 40-character commit SHA to enforce immutability and meet
the pinning standard used throughout the workflows.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 2ec7231 and 44a1194.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml

Comment thread .github/workflows/ci.yml
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Setup Rust
uses: leynos/shared-actions/.github/actions/setup-rust@718c4f2eadaf95d527814862fd7cb85d91c8a8fc
uses: leynos/shared-actions/.github/actions/setup-rust@4b35232
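Review bot: the short `@4b35232` ref on the last line of this hunk is exactly what zizmor reports on line 32 as `unpinned-uses`, and per the PR summary the other three shared-actions steps (lines 51, 59 and 80) carry the same 7-character prefix, so all four should be expanded to the full 40-character SHA in one change rather than only this one. The pre-merge warning above also states that the behavioural test requires build-and-package.yml, netsukefile-test.yml and release.yml to use the identical pin, so moving only ci.yml leaves tests/workflow_shared_actions_pins.rs failing; those workflows should be updated in the same PR.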


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the current state of .github/workflows/ci.yml
echo "=== Content of lines 32, 51, 59, 80 in ci.yml ==="
cat -n .github/workflows/ci.yml | sed -n '32p;51p;59p;80p'

echo
echo "=== Full shared-actions uses entries ==="
rg -n 'uses:\s*leynos/shared-actions/.github/actions/.+@' .github/workflows

echo
echo "=== Check for short SHAs (not 40 chars) ==="
rg -nP 'uses:\s*leynos/shared-actions/.github/actions/.+@[0-9a-f]{1,39}\b' .github/workflows

Repository: leynos/netsuke



Replace short SHAs with full 40-character commit SHAs in all uses: references.

Lines 32, 51, 59, and 80 use a 7-character prefix (@4b35232). Pin each action to the full commit SHA to enforce immutability and match the pinning standard used across other workflows.

Verification script
#!/bin/bash
# Verify shared-actions refs are pinned and use full 40-char SHAs.
# Expected: no output from the second check.

echo "Shared-actions uses entries:"
rg -n 'uses:\s*leynos/shared-actions/.github/actions/.+@' .github/workflows

echo
echo "Entries that are NOT pinned to a full 40-char SHA (should be empty):"
rg -nP 'uses:\s*leynos/shared-actions/.github/actions/.+@[0-9a-f]{1,39}\b' .github/workflows

Also applies to: 51-51, 59-59, 80-80

🧰 Tools
🪛 zizmor (1.25.2)

[error] 32-32 (unpinned-uses): unpinned action reference: action is not pinned to a hash (required by blanket policy)


Source: Linters/SAST tools
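As an added example, and not the repository's own test in tests/workflow_shared_actions_pins.rs nor code from this PR, the check that both the Codex comment and the CodeRabbit comment above ask for can be written in the project's language as a scan over workflow files: every leynos/shared-actions reference must carry a full 40-hex-character commit SHA, and every workflow must agree on the same commit. It goes one step beyond the page's rg one-liners by also flagging branch or tag refs (which are not hex at all) and cross-workflow drift. The three workflow snippets are constructed for the demonstration; the 718c4f2... SHA is the one visible in the diff above, while the `@main` ref in the release.yml sample is an assumed branch reference, not something the page says that file contains.

```rust
use std::collections::BTreeMap;

/// Action repository whose `uses:` references must be pinned consistently.
const SHARED_ACTIONS_PREFIX: &str = "leynos/shared-actions/";

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub file: String,
    pub line: usize,
    pub message: String,
}

/// Parse a workflow line of the form `- uses: owner/repo/path@ref # comment`
/// and return `(path, ref)` when it references the shared-actions repository.
/// The ref is empty when the `@ref` suffix is missing entirely.
pub fn parse_uses(line: &str) -> Option<(&str, &str)> {
    let mut text = line.trim();
    if let Some(rest) = text.strip_prefix('-') {
        text = rest.trim_start();
    }
    let value = text.strip_prefix("uses:")?.trim();
    // Drop a trailing "# v4.1.2"-style comment and any surrounding quotes.
    let value = value
        .split('#')
        .next()
        .unwrap_or("")
        .trim()
        .trim_matches(|c: char| c == '"' || c == '\'');
    if !value.starts_with(SHARED_ACTIONS_PREFIX) {
        return None;
    }
    Some(value.rsplit_once('@').unwrap_or((value, "")))
}

/// A ref is an immutable pin only when it is a full 40-hex-digit commit SHA.
pub fn is_full_sha(r: &str) -> bool {
    r.len() == 40 && r.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Scan `(file name, contents)` pairs and report every shared-actions
/// reference that is not a full SHA, plus one finding when workflows disagree.
pub fn check_workflows(files: &[(&str, &str)]) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut by_ref: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for (file, contents) in files {
        for (idx, line) in contents.lines().enumerate() {
            let (path, r) = match parse_uses(line) {
                Some(parsed) => parsed,
                None => continue,
            };
            let line_no = idx + 1;
            by_ref.entry(r.to_string()).or_default().push(format!("{file}:{line_no}"));
            let message = if r.is_empty() {
                format!("{path} has no @ref at all")
            } else if !is_full_sha(r) {
                format!("{path}@{r} is not a full 40-character commit SHA")
            } else {
                continue;
            };
            findings.push(Finding { file: file.to_string(), line: line_no, message });
        }
    }
    if by_ref.len() > 1 {
        let summary: Vec<String> = by_ref
            .iter()
            .map(|(r, at)| format!("{r} at {}", at.join(", ")))
            .collect();
        findings.push(Finding {
            file: String::new(),
            line: 0,
            message: format!("shared-actions pins differ across workflows: {}", summary.join("; ")),
        });
    }
    findings
}

/// Constructed sample workflows for this demonstration (not the repository's real
/// files): ci.yml with the short pin from this PR, build-and-package.yml with the
/// previous full SHA from the diff, and release.yml on an assumed branch ref.
pub const SAMPLE_WORKFLOWS: &[(&str, &str)] = &[
    (
        "ci.yml",
        "jobs:\n  build-test:\n    steps:\n      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2\n      - name: Setup Rust\n        uses: leynos/shared-actions/.github/actions/setup-rust@4b35232\n",
    ),
    (
        "build-and-package.yml",
        "steps:\n  - uses: leynos/shared-actions/.github/actions/setup-rust@718c4f2eadaf95d527814862fd7cb85d91c8a8fc # previous pin\n",
    ),
    (
        "release.yml",
        "steps:\n  - uses: leynos/shared-actions/.github/actions/upload-codescene-coverage@main\n",
    ),
];

fn main() {
    for f in check_workflows(SAMPLE_WORKFLOWS) {
        println!("{}:{}: {}", f.file, f.line, f.message);
    }
}
```

Run against the three constructed files it reports the short ci.yml pin, the branch ref in release.yml, and a drift finding listing all three refs; a set of workflows that all pin the same full SHA produces no findings. A line-based scan is sufficient here because `uses:` is always a scalar value in GitHub workflow YAML, so no YAML parser dependency is needed in a CI gate.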
