Skip to content

ci: pin third-party actions (wretry.action, jest-coverage-comment) to full commit SHAs#14026

Open
kobihikri wants to merge 1 commit into
langflow-ai:mainfrom
kobihikri:harden/pin-thirdparty-actions
Open

ci: pin third-party actions (wretry.action, jest-coverage-comment) to full commit SHAs#14026
kobihikri wants to merge 1 commit into
langflow-ai:mainfrom
kobihikri:harden/pin-thirdparty-actions

Conversation

@kobihikri

@kobihikri kobihikri commented Jul 13, 2026

Copy link
Copy Markdown

What

Pin the third-party actions currently referenced by mutable tags to their current commit SHA (tag kept
in a trailing comment):

Action Pinned to Where
Wandalen/wretry.action@master e94c43b… docker-build.yml (×3)
MishaKav/jest-coverage-comment@main 58072a2… jest_test.yml

Why

@master/@main are moving references — whatever they point to at run time runs in the job. The
docker-build.yml uses of wretry.action run in a job that has just logged in to DockerHub and
GHCR
(lines 253-282) and does push: true:

- uses: docker/login-action@...      # DOCKERHUB_TOKEN
- uses: Wandalen/wretry.action@master
  with: { action: docker/build-push-action@..., with: "push: true ..." }

If that action's master were moved (compromise or an accidental change), the new code would run with
Langflow's registry push credentials — the class of issue behind the 2025 tj-actions/changed-files
incident, here with image-push access.

Scope / safety

  • Behaviour unchanged — each SHA is the current tip of that action's default branch.
  • Only third-party actions are touched; actions/* and first-party refs are left as-is.
    Renovate/Dependabot can still bump a SHA pin (the tag comment keeps it readable). Signed-off.

Per GitHub's guidance to pin actions to a full-length commit SHA.

AI-assisted; I verified the workflows, the credential exposure, and the pinned SHAs myself.

Summary by CodeRabbit

  • Chores
    • Improved the reliability and security of automated Docker image builds and test coverage reporting by pinning workflow actions to specific versions.

Pin the third-party actions referenced by mutable tags to their current commit
SHA (tag kept in a trailing comment):

- Wandalen/wretry.action@master (docker-build.yml, x3) — runs in jobs logged in
  to DockerHub and GHCR with push credentials
- MishaKav/jest-coverage-comment@main (jest_test.yml)

A moved tag would run unreviewed code in those jobs; for docker-build that job
holds registry push tokens. Behaviour unchanged. Per GitHub's guidance to pin
actions to a full-length commit SHA.

Signed-off-by: Kobi Hikri <kobi.hikri@gmail.com>
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8e7d672e-72f1-40fc-bece-8613b5f9d609

📥 Commits

Reviewing files that changed from the base of the PR and between def832f and d57c00d.

📒 Files selected for processing (2)
  • .github/workflows/docker-build.yml
  • .github/workflows/jest_test.yml

Walkthrough

GitHub Actions in the Docker build and Jest coverage workflows now reference fixed commit SHAs instead of floating branch refs. Build, push, authentication, conditions, and surrounding workflow configuration remain unchanged.

Changes

CI Action Pinning

Layer / File(s) Summary
Docker build action pinning
.github/workflows/docker-build.yml
The Docker Hub, GitHub Container Registry, and component build steps pin Wandalen/wretry.action to a specific commit.
Jest coverage action pinning
.github/workflows/jest_test.yml
The Jest coverage comment step pins MishaKav/jest-coverage-comment to a specific commit.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 4

❌ Failed checks (4 inconclusive)

Check name Status Explanation Resolution
Test Coverage For New Implementations ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Quality And Coverage ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test File Naming And Structure ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Excessive Mock Usage Warning ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: pinning third-party GitHub Actions to commit SHAs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant