ci: repin dead actions/checkout SHAs to @v4#60
Conversation
…action setup failures)
Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
codeant-ai
Bot
added
the
size:S
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: efb6ff5b77
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| version: ${{ steps.version.outputs.version }} | ||
| steps: | ||
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1 | ||
| - uses: actions/checkout@v4 # v4.1.1 |
There was a problem hiding this comment.
For the tag/workflow-dispatch release path, this switches actions/checkout from an immutable commit to the mutable v4 tag immediately before the job publishes with CARGO_REGISTRY_TOKEN. OpenSSF’s Pinned-Dependencies check treats mutable versions as unpinned (https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies), and this repo declares that check with warnings disallowed in .github/scorecard.yml; if the tag moves or is compromised, unreviewed checkout code runs in the privileged release job and the security gate is regressed. Please pin checkout to the current full v4 commit SHA instead of the tag, here and in the other changed workflows.
Useful? React with 👍 / 👎.
|
1 participant
User description
All workflows pinned actions/checkout to SHAs that no longer resolve (de0fac2e/7f4fc3e2/11bd7190 — same dead pins seen across the org), failing every job at setup with 'Unable to resolve action'. Repinned 15 occurrences across 7 workflows to durable @v4 (comments already said v4.1.1). Unblocks Tasken's CI + its open PRs (#58/#59). No logic changes.
CodeAnt-AI Description
Repin dead checkout references to the working v4 release
What Changed
actions/checkoutpins in CI, release, audit, CodeQL, and attestation workflows with the workingv4releaseImpact
✅ Fewer CI setup failures✅ Reliable release and audit jobs✅ Unblocked pull request and release checks💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.