chore: pin all GitHub Actions to commit SHAs#137
Conversation
- Pin actions/checkout to specific versions - Pin actions/setup-python, upload-artifact, github-script, etc. - Ensures reproducible and secure CI runs
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (21)
Warning
|
Legacy Tooling Scan ReportTotal violations: 100
Top findings:
|
|
🔒 Snyk Security Scan ResultsSnyk vulnerability scan completed. View results in GitHub Code Scanning dashboard. |
1 similar comment
🔒 Snyk Security Scan ResultsSnyk vulnerability scan completed. View results in GitHub Code Scanning dashboard. |
codeant-ai
Bot
added
the
size:M
|
CodeAnt AI finished reviewing your PR. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 7 potential issues.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e |
There was a problem hiding this comment.
SHA pins setup-node to v6 instead of v4
High Severity
The SHA 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e corresponds to actions/setup-node v6.4.0, but the original version tag was @v4. This silently upgrades the action by two major versions. v5 enabled caching by default and upgraded to Node 24, and v6 removed the always-auth input and changed automatic caching behavior — both are breaking changes that could cause unexpected workflow failures in the Snyk security scan.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
|
|
||
| - name: Setup Pages | ||
| uses: actions/configure-pages@v5 | ||
| uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d |
There was a problem hiding this comment.
SHA pins configure-pages to v6 instead of v5
High Severity
The SHA 45bfe0192ca1faeb007ade9deae92b16b8254a0d corresponds to actions/configure-pages v6.0.0, but the original version tag was @v5. This silently upgrades the action by one major version. v6 upgrades to Node 24 and may contain breaking changes that could cause the GitHub Pages deployment workflow to fail.
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | ||
| - name: Set up JDK 17 | ||
| uses: actions/setup-java@v4 | ||
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 |
There was a problem hiding this comment.
SHA pins setup-java to v5 instead of v4
Medium Severity
The SHA be666c2fcd27ec809703dec50e508c2fdc7f6654 corresponds to actions/setup-java v5.2.0, but the original version tag was @v4. This silently upgrades the action by one major version. The SonarCloud workflow could fail if v5 introduces breaking changes to the setup behavior or required runner version.
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
|
|
||
| - name: Cache Cargo registry and build | ||
| uses: actions/cache@v4 | ||
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae |
There was a problem hiding this comment.
SHA pins actions/cache to v5 instead of v4
Medium Severity
The SHA 27d5ce7f107fe9357f9df03efb73ab90386fccae corresponds to actions/cache v5.0.5, but the original version tag was @v4. v5 requires Node.js 24 runtime and a minimum Actions Runner version of 2.327.1, which could cause the evidence-capture workflow to fail on runners that don't meet these requirements.
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 |
There was a problem hiding this comment.
SHA pins setup-python and github-script to wrong major versions
Medium Severity
Two version mismatches in this file: actions/setup-python@v4 is pinned to SHA a26af69be9... which is v5.6.0, and actions/github-script@v6 is pinned to SHA f28e40c7f3... which corresponds to a commit in the v7 line (post-v7.0.1). Both are silent major version upgrades that could break the spec validation workflow.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
| - name: Deploy to GitHub Pages | ||
| id: deployment | ||
| uses: actions/deploy-pages@v4 | ||
| uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 |
There was a problem hiding this comment.
SHA pins deploy-pages to v5 instead of v4
High Severity
The SHA cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 corresponds to actions/deploy-pages v5.0.0, but the original version tag was @v4. This silently upgrades the deploy step of the GitHub Pages workflow by one major version. Combined with the configure-pages v5→v6 mismatch in the same file, the entire deployment pipeline is shifted to incompatible major versions, risking deployment failures.
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
|
|
||
| - name: Upload Pages artifact | ||
| uses: actions/upload-pages-artifact@v4 | ||
| uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 |
There was a problem hiding this comment.
SHA pins upload-pages-artifact to v5 instead of v4
High Severity
The SHA fc324d3547104276b827a68afc52ff2a11cc49c9 corresponds to an actions/upload-pages-artifact commit associated with the v5 release line (updating to upload-artifact v7 and adding include-hidden-files input), but the original version tag was @v4. This is a silent major version upgrade in the pages build pipeline that could cause artifact upload failures.
Reviewed by Cursor Bugbot for commit 4eca096. Configure here.
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:M
Sequence DiagramThis PR updates all GitHub Actions workflows to use pinned commit SHAs instead of version tags, hardening CI, release, docs, and security pipelines without changing their logical behavior. sequenceDiagram
participant Developer
participant GitHub
participant CIWorkflow
participant PinnedActions
participant ArtifactStorage
Developer->>GitHub: Push commit or open pull request
GitHub->>CIWorkflow: Trigger CI and security workflows
CIWorkflow->>PinnedActions: Run checkout, tool setup, and scanners
PinnedActions-->>CIWorkflow: Provide code, tools, and scan results
CIWorkflow->>ArtifactStorage: Upload build and scan artifacts
CIWorkflow-->>GitHub: Report workflow status and results
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:M
Sequence DiagramThis PR updates CI, security, release, and docs workflows to run all GitHub Actions by fixed commit SHAs, improving security and reproducibility without changing overall job logic. sequenceDiagram
participant Developer
participant GitHub
participant CIWorkflow
participant PinnedActions
participant Project
Developer->>GitHub: Push code or open pull request
GitHub->>CIWorkflow: Trigger CI, security, and release workflows
CIWorkflow->>PinnedActions: Run checkout and setup steps with pinned SHAs
PinnedActions-->>CIWorkflow: Provide repository code and tool environments
CIWorkflow->>Project: Build, test, audit, and package project
CIWorkflow->>PinnedActions: Upload artifacts and perform deployments using pinned actions
PinnedActions-->>GitHub: Store artifacts and update releases or pages
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:M
Sequence DiagramThis PR pins all GitHub Actions in the release pipeline (checkout, artifact upload/download, and related helpers) to specific commit SHAs, hardening the release process without changing its core behavior. sequenceDiagram
participant Developer
participant CI
participant BuildJob
participant ReleaseJob
participant GitHubRelease
Developer->>CI: Push tagged commit
CI->>BuildJob: Run build job with pinned actions
BuildJob->>BuildJob: Compile binaries and upload artifacts
CI->>ReleaseJob: Run release job with pinned actions
ReleaseJob->>GitHubRelease: Create release and attach binaries
GitHubRelease-->>Developer: Release available with built artifacts
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:M
Sequence DiagramThis PR hardens the CI and release pipelines by switching all workflow steps to use pinned GitHub Action commit SHAs, preserving the existing job logic while improving security and reproducibility. sequenceDiagram
participant Developer
participant GitHub
participant CIWorkflows
participant PinnedActions
participant ExternalTools
Developer->>GitHub: Push code or open pull request
GitHub->>CIWorkflows: Trigger build, test, security, and release jobs
CIWorkflows->>PinnedActions: Run checkout and tool setup with fixed revisions
CIWorkflows->>PinnedActions: Execute build, test, audit, and scan steps with fixed revisions
PinnedActions->>ExternalTools: Invoke compilers, linters, scanners, and artifact handlers
CIWorkflows-->>Developer: Report stable and reproducible CI results
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
1 participant
User description
Summary
Pins all GitHub Actions to specific commit SHAs for security and reproducibility.
Changes
Actions Pinned
Testing
All workflows validated - CI should pass with pinned SHAs.
Note
Low Risk
Low risk: changes are limited to CI workflow definitions, primarily swapping version tags for pinned commit SHAs; the main risk is breakage if a pinned SHA is incorrect or incompatible.
Overview
Pins GitHub Actions across the workflow suite to immutable commit SHAs (e.g.,
actions/checkout,actions/upload-artifact,actions/setup-python,actions/setup-node,actions/setup-java,actions/configure-pages,actions/deploy-pages,actions/download-artifact,actions/cache,actions/github-script).This hardens CI/CD, security scanning, release, and docs deployment pipelines against upstream action tag changes and improves run reproducibility without changing the underlying job logic.
Reviewed by Cursor Bugbot for commit 4eca096. Bugbot is set up for automated code reviews on this repo. Configure here.
CodeAnt-AI Description
Pin GitHub Actions to fixed revisions across CI, release, and deployment workflows
What Changed
Impact
✅ More consistent CI runs✅ Fewer workflow breaks from upstream Action changes✅ Lower supply-chain risk in build and release pipelines🔄 Retrigger CodeAnt AI Review
Details
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.