fix: pin GitHub Actions to commit SHAs (#9108)#9393
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe deployment and pull-request build workflows replace floating GitHub Actions version tags with specific commit SHA references for checkout, Tailscale, and Python setup actions. ChangesGitHub Actions pinning
Estimated code review effort: 2 (Simple) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/feature-deployment.yml:
- Line 125: Remove the leading “v” from the pinned `tailscale/github-action`
reference in the workflow, changing it to the exact immutable commit SHA
`306e68a486fd2350f2bfc3b19fcd143891a4a2d8`.
In @.github/workflows/pull-request-build-lint-api.yml:
- Around line 30-32: Update the actions/setup-python reference in the workflow
to the commit SHA corresponding to the intended v6 release, replacing the
current v6.2.0 SHA while leaving the checkout action unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 10ccab84-b9a9-4d8c-b32e-a2edd611bcd3
📒 Files selected for processing (2)
.github/workflows/feature-deployment.yml.github/workflows/pull-request-build-lint-api.yml
Description
Pinned GitHub Actions dependencies to immutable commit SHAs instead of mutable version tags.
Updated
actions/checkout,actions/setup-python, andtailscale/github-actionreferences in GitHub workflow files to prevent supply-chain security risks caused by mutable action tags.Type of Change
Screenshots and Media (if applicable)
Test Scenarios
actions/checkout@v6,actions/setup-python@v6, ortailscale/github-action@v4references exist in the updated workflows.References
Fixes #9108
Summary by CodeRabbit