18 changes: 16 additions & 2 deletions .github/actions/ci/action.yml
Expand Up @@ -73,6 +73,20 @@ runs:
shell: bash
run: swift test -v 2>&1 | xcpretty

- name: Run contract tests
- name: Build contract test service
shell: bash
run: make build-contract-tests

- name: Start contract test service
shell: bash
run: make contract-tests
run: make start-contract-test-service-bg

- name: Run contract tests
uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0

Semgrep identified an issue in your code:
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0
uses: launchdarkly/gh-actions/actions/contract-tests@31bfa9142fd9d497eac1b1b9e179b2b1fda0d8d9 # contract-tests-v1.3.0
View step-by-step instructions
  1. Change the value after @ in uses: launchdarkly/gh-actions/actions/contract-tests@contract-tests-v1.3.0 to the full commit SHA for the contract-tests-v1.3.0 release, such as @a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0 (use the actual 40-character SHA from the release/tag).
  2. Optionally, add a comment after the SHA indicating which version it corresponds to, for example: # contract-tests-v1.3.0.

Pinning to a commit SHA ensures that your workflow uses exactly the same code every time and protects against malicious changes in third-party GitHub actions.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

You can view more details about this finding in the Semgrep AppSec Platform.

Member

We own these github actions so I don't think this is a big concern.

Contributor Author

Agreed — since it's an internal action, pinning to the tag should be fine. I'll leave it as-is.

with:
repo: sse-contract-tests
keelerm84 marked this conversation as resolved.
branch: main
test_service_port: 8000
debug_logging: true
token: ${{ inputs.token }}
extra_params: "-skip 'basic parsing/large message in one chunk' -skip 'basic parsing/large message in two chunks'"
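Review bot: the two `-skip` entries in `extra_params` ('basic parsing/large message in one chunk' and 'basic parsing/large message in two chunks') carry no explanation of why this client cannot pass them yet; a short comment on that line or a link to a tracking issue would keep the skips from silently becoming permanent. It is also worth confirming that the `Run contract tests` step waits for `test_service_port: 8000` to accept connections after `make start-contract-test-service-bg` returns, since the background target gives no readiness signal in this hunk; if the action does not poll the port itself, a brief wait loop at the end of the `Start contract test service` step would avoid a startup race.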