chore(ci): Fix pre-commit/action, as v2.x not work anymore

[MaxymVlasov]

Description of your changes

Deal with

Error: getCacheEntry failed: This legacy service is shutting down, effective April 15, 2025. Migrate to the new service ASAP. For more information: https://gh.io/gha-cache-sunset

https://github.com/antonbabenko/pre-commit-terraform/actions/runs/14755939444/job/41424052063?pr=589

How can we test changes

@antonbabenko please,

1. run ssh-keygen -t ed25519 locally
2. Add private key as repo secret with name exactly GHA_AUTOFIX_COMMIT_KEY at https://github.com/antonbabenko/pre-commit-terraform/settings/secrets/actions
3. Add public key as Deploy key with name like GHA_AUTOFIX at https://github.com/antonbabenko/pre-commit-terraform/settings/keys

And then we will be able to test it this PR

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Improved the pre-commit workflow to automatically apply and commit autofix changes to pull requests if issues are detected.
  • Upgraded the pre-commit action for better performance and reliability.
  • Streamlined workflow steps for more efficient automated code checks.

Summary by CodeRabbit

• Chores
  • Improved automation for pre-commit checks on pull requests, including automatic committing of autofixes directly to PR branches.
  • Upgraded pre-commit action for enhanced reliability.
  • Streamlined workflow steps for better efficiency and maintainability.

Walkthrough

The GitHub Actions workflow for pre-commit checks was updated to streamline the process of handling autofix commits on pull requests. The workflow now includes a second checkout step with full history and SSH authentication to allow pushing autofix commits back to the PR branch. The pre-commit action was upgraded, and redundant steps were removed. If pre-commit detects issues, the workflow now automatically commits and pushes fixes using a dedicated action, triggering the workflow to re-run on the updated commit.

Changes

File(s)	Change Summary
.github/workflows/pre-commit.yaml	Refactored workflow: added second checkout with SSH, upgraded pre-commit action, removed redundant steps, added push of autofix commits using EndBug/add-and-commit, and adjusted environment/configuration variables.

Sequence Diagram(s)

Loading

sequenceDiagram
    participant GitHub Actions
    participant Repo (PR Branch)
    participant Pre-commit
    participant EndBug/add-and-commit

    GitHub Actions->>Repo (PR Branch): Checkout PR branch (full history, SSH)
    GitHub Actions->>Pre-commit: Run pre-commit with autofix enabled
    alt Pre-commit passes
        Pre-commit-->>GitHub Actions: Success
    else Pre-commit fails (autofixes made)
        Pre-commit-->>GitHub Actions: Failure (autofixes staged)
        GitHub Actions->>EndBug/add-and-commit: Commit and push autofixes to PR branch
        EndBug/add-and-commit->>Repo (PR Branch): Push autofix commit
        Note right of Repo (PR Branch): Workflow re-triggers on new commit
    end

Suggested reviewers

• antonbabenko
• webknjaz

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9589a4e and 0756a9d.

📒 Files selected for processing (1)

• .github/workflows/pre-commit.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/pre-commit.yaml

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Copilot]

Pull Request Overview

This PR updates the GitHub Actions workflow to fix issues with the legacy pre-commit action and migrate to the supported version, ensuring that automated fixes are pushed correctly.

• Update pre-commit/action from v2.0.3 to v3.0.1
• Add a checkout step with full history and SSH key support for autofix commits
• Introduce a push fixes step using EndBug/add-and-commit to apply autofix changes

Comments suppressed due to low confidence (1)

.github/workflows/pre-commit.yaml:81

• Using 'if: failure()' for the 'Push fixes' step will only trigger the push on failure; verify that this condition meets the intended workflow behavior.

if: failure()

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

.github/workflows/pre-commit.yaml (5)

69-78: Guard pre-commit execution and pin to a version tag.

• Pin the action to a clear tag (e.g., pre-commit/action@v3.0.1) rather than a raw commit SHA for readability.
• Protect against an empty file list (when steps.file_changes.outputs.files is blank) to avoid invocation errors. For example:

- name: Execute pre-commit
  if: steps.file_changes.outputs.files != ''
  uses: pre-commit/action@v3.0.1
  env:
    SKIP: no-commit-to-branch
  with:
    extra_args: >-
      --color=always
      --show-diff-on-failure
      --files ${{ steps.file_changes.outputs.files }}

Or fall back to --all when no files are detected.

---

80-94: Enhance Add-and-Commit configuration.

• Pin the action to a tag (e.g., EndBug/add-and-commit@v9.1.4) instead of a SHA for easier upgrades.
• Explicitly set the branch input to ensure fixes land on the PR branch:

-      uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5
+      uses: EndBug/add-and-commit@v9.1.4
      with:
+       branch: ${{ github.event.pull_request.head.ref }}
        default_author: github_actor
        message: '[pre-commit] Autofix violations'

This prevents accidental pushes to unintended refs and makes the intent explicit.

---

55-55: Remove outdated comment about Terraform.

The comment # Skip terraform_tflint which interferes to commit pre-commit auto-fixes no longer reflects any logic here. Please delete or update it to match the current workflow.

---

51-58: Reorder checkout and setup steps for clarity.

Having an actions/setup-python step placed between two checkouts can be confusing. Consider this sequence:

1. Checkout repo (with fetch-depth and SSH or HTTP configured).
2. Setup Python environment.
3. Run pre-commit and push fixes.

Grouping related actions improves readability and reduces cognitive load.

---

1-9: Consider concurrency and forked PR handling.

• Add a concurrency group keyed by the PR number to cancel stale runs when new commits arrive.
• If you need to commit autofixes on PRs from forks, secrets (SSH key, GITHUB_TOKEN) won’t be available under a pull_request trigger. You may need to switch to pull_request_target and lock down paths to mitigate security risks.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 521ada5 and afcbc76.

📒 Files selected for processing (1)

• .github/workflows/pre-commit.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (8)

• GitHub Check: 🧪 Tests / pytest@🐍3.9@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.13@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.13@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.12@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.11@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.10@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.10@macos-13
• GitHub Check: 🧹 Linters / pre-commit@🐍3.13@ubuntu-latest

🔇 Additional comments (1)

.github/workflows/pre-commit.yaml (1)

72-73: Review the SKIP environment variable scope.

Currently SKIP is set to only no-commit-to-branch. Confirm that all desired hooks (e.g., hadolint) remain enabled or explicitly skipped as intended. Adjust the comma-separated list if more hooks need to be bypassed during the autofix run.

[yermulnik]

Thoughts aloud: a bit odd to link discussion that doesn't exist anymore (was there a reason to remove it from public access? 🤔)

[yermulnik]

The other guy on the thread explicitly discourages against this approach 🤔

You really really don’t want to do this.

I guess I'll take my approval back and leave this to @antonbabenko as a repo owner.

[yermulnik]

On the other hand it shouldn't be dangerous as default Deploy Key permission is readonly, but in the same time GitHub and the EndBug/add-and-commit recommend to use PAT instead: https://github.com/EndBug/add-and-commit#the-commit-from-the-action-is-not-triggering-ci
@MaxymVlasov Why did you choose to use Deploy Key rather than PAT? 🤔

[MaxymVlasov]

Because PAT is Personal Access Token, which can expire, rotate or removed during usual routine of key management by user.

When ssh key is fully incapsulated inside repo.
Whatever, we can swith to pre-commit light GHA, I just don't want spend time to setup and support stuff that I will not be able to use anywhere except public repos

[yermulnik]

I got your point. Thanks for details.
We anyways need an action from @antonbabenko to proceed with this, right?

[antonbabenko]

I have just added the required keys to the GH repository secrets. Let me know if there is anything else you need from me.

[yermulnik]

It is not essential, but just a bit that made me re-read the message twice: the "Autofix violations" can be taken as "violations related to autofix", so I'd suggest to eliminate this confusion by rewording it a tiny bit:

Suggested change

	message: '[pre-commit] Autofix violations'
	message: '[pre-commit] Autofix rule violations'

Maybe replace "rule" with "policy". Or something similar.
Up to you though

[MaxymVlasov]

Suggested change

	message: '[pre-commit] Autofix violations'
	message: '[pre-commit] Fix violations'

[yermulnik]

It's still "Порушення виправлень" або "Виправлення порушень".
I'm going to approve this PR as a whole, though the "Autofix violations" is better for clarity. <ITEM> can be "coding style", "coding standards", "coding rules", whatever matches best with what kind of fixes this is applied to.
I also think "Auto" prefix is good enough to designate the commit is done by automation rather than by a human.

Let @antonbabenko decide on this solution.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

.github/workflows/pre-commit.yaml (4)

56-59: Use a semantic version tag for actions/setup-python
Pinning to a specific commit hash can make upgrades and audits harder. Consider using the official version tag (e.g. @v5.4.0) instead of a SHA to benefit from patch fixes within the same major/minor release.

Proposed diff:

-    - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38  # v5.4.0
+    - uses: actions/setup-python@v5.4.0
      with:
        python-version: '3.13'

---

75-78: Guard against empty file list in --files argument
If steps.file_changes.outputs.files is empty (e.g., no diffable files), --files will error. Consider adding a safeguard or conditional skip:

      extra_args: >-
-        --color=always \
-        --show-diff-on-failure \
-        --files ${{ steps.file_changes.outputs.files }}
+        --color=always \
+        --show-diff-on-failure \
+        ${{ steps.file_changes.outputs.files && format('--files {0}', steps.file_changes.outputs.files) }}

Or add a preceding step to bail out when no files have changed.

---

79-79: Refine comment wording for clarity
The comment reads # Needed to trigger pre-commit workflow on autofix commit but could be misinterpreted. For example:

# Enable this checkout for the Add-and-Commit step to re-trigger CI on autofix commits

---

93-93: Clarify commit message template
The message '[pre-commit] Fix violations' is concise but might blend into other fixes. Consider something like:

[pre-commit] Autofix lint violations in changed files

to distinguish automated fixes in your history.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between afcbc76 and 9589a4e.

📒 Files selected for processing (1)

• .github/workflows/pre-commit.yaml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: 🧪 Tests / pytest@🐍3.9@macos-14
• GitHub Check: 🧪 Tests / pytest@🐍3.13@windows-2025
• GitHub Check: 🧪 Tests / pytest@🐍3.10@windows-2025

🔇 Additional comments (2)

.github/workflows/pre-commit.yaml (2)

61-68: Ensure correct credential persistence when using SSH checkout
When using the ssh-key input, it’s generally recommended to disable persisted HTTP credentials (persist-credentials: false) to avoid mixing auth methods. If you rely solely on SSH for pushes, explicitly set:

    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      with:
-       fetch-depth: 0
+       fetch-depth: 0
+       persist-credentials: false
        ref: ${{ github.event.pull_request.head.ref }}
        # Needed to trigger pre-commit workflow on autofix commit. Guide:
        # https://web.archive.org/web/20210731173012/https://github.community/t/required-check-is-expected-after-automated-push/187545/
        ssh-key: ${{ secrets.GHA_AUTOFIX_COMMIT_KEY }}

If you need HTTP credentials for subsequent steps, please confirm that this checkout step still behaves as expected.

---

72-73: Validate the SKIP environment variable usage
The SKIP: no-commit-to-branch setting skips the no-commit-to-branch hook, but confirm that:

1. The hook ID matches your .pre-commit-config.yaml.
2. The correct env var name is used (SKIP vs PRE_COMMIT_SKIP) according to the pre-commit action docs.

[antonbabenko]

This PR is included in version 1.99.1 🎉