ci: pin third-party actions (wretry.action, jest-coverage-comment) to full commit SHAs#14026
Open
kobihikri wants to merge 1 commit into
Open
ci: pin third-party actions (wretry.action, jest-coverage-comment) to full commit SHAs#14026kobihikri wants to merge 1 commit into
kobihikri wants to merge 1 commit into
Conversation
Pin the third-party actions referenced by mutable tags to their current commit SHA (tag kept in a trailing comment): - Wandalen/wretry.action@master (docker-build.yml, x3) — runs in jobs logged in to DockerHub and GHCR with push credentials - MishaKav/jest-coverage-comment@main (jest_test.yml) A moved tag would run unreviewed code in those jobs; for docker-build that job holds registry push tokens. Behaviour unchanged. Per GitHub's guidance to pin actions to a full-length commit SHA. Signed-off-by: Kobi Hikri <kobi.hikri@gmail.com>
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughGitHub Actions in the Docker build and Jest coverage workflows now reference fixed commit SHAs instead of floating branch refs. Build, push, authentication, conditions, and surrounding workflow configuration remain unchanged. ChangesCI Action Pinning
Estimated code review effort: 1 (Trivial) | ~2 minutes 🚥 Pre-merge checks | ✅ 5 | ❌ 4❌ Failed checks (4 inconclusive)
✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Pin the third-party actions currently referenced by mutable tags to their current commit SHA (tag kept
in a trailing comment):
Wandalen/wretry.action@mastere94c43b…docker-build.yml(×3)MishaKav/jest-coverage-comment@main58072a2…jest_test.ymlWhy
@master/@mainare moving references — whatever they point to at run time runs in the job. Thedocker-build.ymluses ofwretry.actionrun in a job that has just logged in to DockerHub andGHCR (lines 253-282) and does
push: true:If that action's
masterwere moved (compromise or an accidental change), the new code would run withLangflow's registry push credentials — the class of issue behind the 2025
tj-actions/changed-filesincident, here with image-push access.
Scope / safety
actions/*and first-party refs are left as-is.Renovate/Dependabot can still bump a SHA pin (the tag comment keeps it readable). Signed-off.
Per GitHub's guidance to pin actions to a full-length commit SHA.
AI-assisted; I verified the workflows, the credential exposure, and the pinned SHAs myself.
Summary by CodeRabbit