Closed
10 changes: 5 additions & 5 deletions .github/workflows/ci.yml
@@ -24,7 +24,7 @@
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.13"
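Review bot: the pin comment and the SHA move together here (`# v8.0.0` to `# v8.1.0` alongside `08807647e7069bb48b6ef5acd8ec9567f424441b`), so the hunk is internally consistent; before merge, confirm that this SHA is the commit the upstream v8.1.0 tag resolves to, because GitHub Actions runs the SHA and the trailing comment is documentation only. The same setup-uv bump recurs in the later ci.yml and release.yml hunks and deserves the same check.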
@@ -41,12 +41,12 @@
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.13"
enable-cache: true # zizmor: ignore[cache-poisoning] CI-only, no artifacts published
- uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 # zizmor: ignore[cache-poisoning]
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]

Claude / Claude Code Review

Stale v5.0.4 pin comment for actions/cache

🟡 The actions/cache SHA on line 49 of .github/workflows/ci.yml was bumped to 27d5ce7f107fe9357f9df03efb73ab90386fccae (which is v5.0.5 per the PR description and upstream compare link), but the trailing pin comment still reads # v5.0.4. This is purely cosmetic (the SHA is authoritative, so CI still runs v5.0.5), but it leaves the pin comment out-of-sync with the actual commit and contradicts the convention established in commit d5ce2d2 ("chore(ci): pin action version comments to immutable patch tags"). Fix by changing the comment to # v5.0.5.

Extended reasoning...

What's wrong

On line 49 of .github/workflows/ci.yml, this diff updates the pinned SHA for actions/cache but leaves the human-readable version comment stale:

-      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 # zizmor: ignore[cache-poisoning]
+      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]

The new SHA 27d5ce7f107fe9357f9df03efb73ab90386fccae is the head of the v5.0.5 tag, not v5.0.4.

Proof / step-by-step

  1. The PR description explicitly states "Updates actions/cache from 5.0.4 to 5.0.5".
  2. The commit list embedded in the PR description links to the upstream compare view actions/cache/compare/668228422ae6a00e4ad889ee87cd7109ec5666a7...27d5ce7f107fe9357f9df03efb73ab90386fccae — i.e., the diff between v5.0.4 (old SHA) and the new SHA is the v5.0.4→v5.0.5 release.
  3. The top commit on that list is 27d5ce7 "Merge pull request #1747 from actions/yacaovsnc/update-dependency", which matches the single item in the v5.0.5 release notes ("Update ts-http-runtime dependency ... Update ts-http-runtime dependency actions/cache#1747").
  4. Therefore the new pin is v5.0.5, but the trailing # v5.0.4 comment still refers to the old version.

Why it matters

The repo recently landed commit d5ce2d2 ("chore(ci): pin action version comments to immutable patch tags") specifically to make these pin comments accurate — the explicit convention is that the # vX.Y.Z annotation must match the SHA so that anyone auditing supply-chain pins can verify without resolving the SHA manually. Leaving the comment as # v5.0.4 while the SHA points at v5.0.5 erodes that guarantee.

Why existing process didn't catch it

This is a known rough edge of dependabot's group-update diff generation: when the previous pin's comment matches the previous tag, dependabot rewrites the SHA but does not always refresh the neighboring comment. The other five uses: lines in this PR (four astral-sh/setup-uv bumps and two github/codeql-action bumps) did get their comments updated correctly, so this appears to be an isolated dependabot oversight on this single line.

Impact

No functional impact — GitHub Actions resolves the SHA, so the workflow still runs actions/cache v5.0.5 as intended. This is cosmetic / documentation only, hence nit severity. Still worth fixing before merge to keep supply-chain pin comments trustworthy.

Fix

Change line 49 from:

      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.4 # zizmor: ignore[cache-poisoning]

to:

      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 # zizmor: ignore[cache-poisoning]

name: Cache mypy cache
with:
path: ./.mypy_cache
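Review bot: the `# zizmor: ignore[cache-poisoning]` suppression on the `actions/cache` line carries no rationale, while the `enable-cache: true` line directly above it documents why the finding is accepted (`CI-only, no artifacts published`); add the same justification to the `actions/cache` line so an auditor does not have to infer it. The trailing `# v5.0.4` comment on that line is also stale against the new SHA, as the inline annotation above already records, and should read `# v5.0.5`.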
@@ -82,7 +82,7 @@
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: ${{ matrix.python-version }}
@@ -145,7 +145,7 @@
with:
persist-credentials: false
- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.13"
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
@@ -61,7 +61,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
@@ -89,6 +89,6 @@ jobs:
exit 1

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
with:
category: "/language:${{matrix.language}}"
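Review bot: `init` and `analyze` are bumped to the same SHA `95e58e9a2cdfd71adc6e0353d5c52f41a045d225` (`# v4.35.2`) in both codeql.yml hunks, which is the right shape: the CodeQL init and analyze steps are expected to come from the same action version, so a mismatch between the two pins would be the thing to catch in a partial bump. Nothing to change here.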
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
@@ -71,7 +71,7 @@ jobs:
persist-credentials: false

- name: Install uv and set Python version
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.11.2"
python-version: "3.12"
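Review bot: the release workflow pins `python-version: "3.12"` while the ci.yml jobs in this PR pin `"3.13"` (or the matrix value); this is unrelated to the SHA bump, but since release.yml is the workflow that produces the published build, confirm the version split is intentional and documented rather than drift. The new SHA and its `# v8.1.0` comment match the other setup-uv hunks.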