2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
uses: actions/checkout@v4
- name: Filter paths
id: filter
uses: dorny/paths-filter@v3
uses: dorny/paths-filter@v4
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Confirm exact uses line in the workflow and surrounding context
echo "== ci.yml around Line 23 =="
nl -ba .github/workflows/ci.yml | sed -n '15,40p'

echo
echo "== All references to dorny/paths-filter in repo =="
rg -n "dorny/paths-filter" -S . || true

echo
echo "== Check for any uses: ...@<40+ hex> patterns (pinned by SHA) in ci.yml =="
rg -n "uses:\s*.+@([0-9a-f]{40,64})" .github/workflows/ci.yml || true

Repository: AIX-Format/PiWorker-OS

Length of output: 155


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== ci.yml around Line 23 =="
awk 'NR>=15 && NR<=40 {printf "%d:%s\n", NR, $0}' .github/workflows/ci.yml

echo
echo "== All references to dorny/paths-filter in repo =="
rg -n "dorny/paths-filter" -S . || true

echo
echo "== Check for any uses: ...@<40+ hex> patterns in workflow(s) =="
rg -n "uses:\s*[^@]+@[0-9a-f]{40,64}" .github/workflows/ci.yml .github/workflows || true

Repository: AIX-Format/PiWorker-OS

Length of output: 930


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== All references to dorny/paths-filter (including hidden dirs) =="
rg --hidden -n "dorny/paths-filter" . || true

echo
echo "== Any SHA-pinned dorny/paths-filter usages? =="
rg --hidden -n "dorny/paths-filter@([0-9a-f]{40,64})" .github/workflows . || true

echo
echo "== Any uses: ...@<40+ hex> patterns in workflows? =="
rg --hidden -n "uses:\s*[^@]+@[0-9a-f]{40,64}" .github/workflows . || true

Repository: AIX-Format/PiWorker-OS

Length of output: 302


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== uses: entries in .github/workflows/ci.yml =="
rg --hidden -n "^\s*uses:" .github/workflows/ci.yml

Repository: AIX-Format/PiWorker-OS

Length of output: 515


Pin dorny/paths-filter to a commit SHA, not the mutable @v4 tag.

Line 23 uses dorny/paths-filter@v4, which is retargetable; pin to an exact commit SHA for supply-chain hardening.

Suggested hardening change
-        uses: dorny/paths-filter@v4
+        uses: dorny/paths-filter@<full_length_commit_sha_for_v4>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 23, replace the mutable action reference
dorny/paths-filter@v4 with a pinned commit SHA: locate the uses:
dorny/paths-filter@v4 line in the GitHub Actions workflow and update it to uses:
dorny/paths-filter@<full-commit-sha> (obtain the exact SHA from the action's
GitHub repo commit history or the specific release commit) so the workflow
references an immutable commit instead of the retargetable `@v4` tag.

with:
filters: |
api_or_proto:
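Review bot: this hunk bumps dorny/paths-filter across a major version (`@v3` to `@v4`) while the `filters:` block below it is left unchanged, so the `api_or_proto:` filter should be verified to produce the same outputs under v4 before this is merged. The new reference is also still a mutable tag (the zizmor unpinned-uses finding on line 23 applies to it); prefer `uses: dorny/paths-filter@<full commit SHA> # v4`, keeping the version as a trailing comment so dependency-update tooling can still track the action.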
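The unpinned-uses check that the review above relies on, as an added example that is not code from the PR or from the review bot: a small POSIX sh/awk scanner that reports every `uses:` reference in a workflow file whose ref is not a full commit SHA, run here against a constructed sample that mirrors the hunk (the all-zero SHA in the sample is a placeholder, not a real commit).

```shell
#!/bin/sh
# Added example, not code from the PR or the review bot: a defender-side check that
# flags GitHub Actions `uses:` references not pinned to a full commit SHA, which is
# the condition zizmor reports as unpinned-uses. Assumes POSIX sh plus awk.

# find_unpinned_uses FILE
# Prints "line:ref" for every `uses:` whose ref after '@' is not a 40- or 64-char
# hex commit SHA (tags such as @v4 and branch names are mutable and can be retargeted).
# Exit status is 1 when at least one unpinned reference was found, 0 otherwise.
find_unpinned_uses() {
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)   # keep only the value
      sub(/[[:space:]]*#.*$/, "", ref)                                # drop "# v4" style comments
      gsub(/"/, "", ref)                                              # drop double quotes
      at = index(ref, "@")
      tag = (at > 0) ? substr(ref, at + 1) : ""
      pinned = (tag ~ /^[0-9a-f]+$/ && (length(tag) == 40 || length(tag) == 64))
      if (!pinned) { printf "%d:%s\n", NR, ref; found = 1 }
    }
    END { exit found + 0 }
  ' "$1"
}

# Constructed sample workflow mirroring the PR hunk: two tag references and one
# SHA-pinned step (the all-zero SHA is a placeholder, not a real commit).
sample_workflow() {
  cat <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Filter paths
        uses: dorny/paths-filter@v4
      - uses: actions/cache@0000000000000000000000000000000000000000 # v4
EOF
}

# Demo run on the constructed file; a real run would point at .github/workflows/*.yml.
demo=$(mktemp)
sample_workflow > "$demo"
find_unpinned_uses "$demo" || echo "unpinned action references found; pin them to a full commit SHA"
rm -f "$demo"
```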