chore(deps): consolidate SHA-pinned dependency updates (#93, #92, #85, #84, #82, #70)#94
Bumps across all .github/workflows and workflow-templates:

- step-security/harden-runner: v2.19.1 -> v2.19.2 (a5ad31d6 -> 9ca718d3, 44 files)
- github/codeql-action: v4.35.3 -> v4.35.4 (e46ed2cb -> 68bde559)
- google/osv-scanner-action: v2.3.5 -> v2.3.8 (c5185470 -> 9a498708)
- sigstore/cosign-installer: v4.1.1 -> v4.1.2 (cad07c2e -> 6f9f1778, workflow-templates only)

Reusable workflow self-references updated to HEAD of main:

- scorecard.yml: f05c26a -> e5d5926
- security-analysis.yml: cd0f5c2 -> e5d5926

workflow-templates: pin 9 @v1 self-references to ea8e190 (the v1 tag SHA).

Closes #93, #92, #85, #84, #82, #70

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Consolidates SHA-pinned GitHub Actions dependency updates across reusable workflows and workflow templates, keeping shared CI/security automation aligned with current pinned action versions.
Changes:
- Updates `step-security/harden-runner`, `github/codeql-action`, `google/osv-scanner-action`, and `sigstore/cosign-installer` pinned SHAs and version comments.
- Updates local caller workflows for scorecard/security analysis reusable workflow SHAs.
- Pins workflow-template reusable workflow self-references from `@v1` to the resolved `v1` tag SHA.
Reviewed changes
Copilot reviewed 44 out of 44 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| workflow-templates/python-slsa.yml | Updates harden-runner and pins SLSA reusable workflow reference. |
| workflow-templates/python-security-analysis.yml | Updates harden-runner, CodeQL, and OSV Scanner pins. |
| workflow-templates/python-scorecard.yml | Pins scorecard reusable workflow reference. |
| workflow-templates/python-sbom.yml | Pins SBOM reusable workflow reference. |
| workflow-templates/python-reuse.yml | Pins REUSE reusable workflow reference. |
| workflow-templates/python-release.yml | Updates harden-runner and cosign installer pins. |
| workflow-templates/python-publish-pypi.yml | Updates harden-runner pins. |
| workflow-templates/python-pr-validation.yml | Pins PR validation reusable workflow reference. |
| workflow-templates/python-mutation.yml | Pins mutation reusable workflow reference. |
| workflow-templates/python-fips-compatibility.yml | Pins FIPS reusable workflow reference. |
| workflow-templates/python-docs.yml | Updates harden-runner pins. |
| workflow-templates/python-container-security.yml | Pins container security reusable workflow reference. |
| workflow-templates/python-compatibility.yml | Pins compatibility reusable workflow reference. |
| workflow-templates/python-codecov.yml | Updates harden-runner pin. |
| workflow-templates/python-cifuzzy.yml | Updates harden-runner pin. |
| workflow-templates/python-ci.yml | Updates harden-runner pins. |
| .github/workflows/sonarcloud.yml | Updates harden-runner pin. |
| .github/workflows/shell-tests.yml | Updates harden-runner pin. |
| .github/workflows/self-test.yml | Updates harden-runner pins. |
| .github/workflows/security-analysis.yml | Updates reusable workflow and harden-runner pins. |
| .github/workflows/scorecard.yml | Updates scorecard reusable workflow pin. |
| .github/workflows/reuse.yml | Updates harden-runner pins. |
| .github/workflows/python-supplemental-checks.yml | Updates harden-runner pins. |
| .github/workflows/python-sonarcloud.yml | Updates harden-runner pins. |
| .github/workflows/python-security-analysis.yml | Updates harden-runner, CodeQL, and OSV Scanner pins. |
| .github/workflows/python-scorecard.yml | Updates harden-runner and CodeQL SARIF upload pins. |
| .github/workflows/python-sbom.yml | Updates harden-runner and CodeQL SARIF upload pins. |
| .github/workflows/python-reuse.yml | Updates harden-runner pin. |
| .github/workflows/python-release.yml | Updates harden-runner pins. |
| .github/workflows/python-qlty-coverage.yml | Updates harden-runner pins. |
| .github/workflows/python-publish-pypi.yml | Updates harden-runner pins. |
| .github/workflows/python-precommit.yml | Updates harden-runner pin. |
| .github/workflows/python-performance-regression.yml | Updates harden-runner pin. |
| .github/workflows/python-mutation.yml | Updates harden-runner pin. |
| .github/workflows/python-fuzzing.yml | Updates harden-runner and CodeQL SARIF upload pins. |
| .github/workflows/python-fips-compatibility.yml | Updates harden-runner pins. |
| .github/workflows/python-docs.yml | Updates harden-runner pins. |
| .github/workflows/python-docker.yml | Updates harden-runner and CodeQL SARIF upload pins. |
| .github/workflows/python-container-security.yml | Updates harden-runner and CodeQL SARIF upload pins. |
| .github/workflows/python-compatibility.yml | Updates harden-runner pin. |
| .github/workflows/python-codecov.yml | Updates harden-runner pin. |
| .github/workflows/python-ci.yml | Updates harden-runner pins. |
| .github/workflows/pr-validation.yml | Updates harden-runner pins. |
| .github/workflows/codeql.yml | Updates harden-runner and CodeQL pins. |
| fips-check: | ||
| name: FIPS Compliance Check | ||
| uses: ByronWilliamsCPA/.github/workflows/python-fips-compatibility.yml@v1 | ||
| uses: ByronWilliamsCPA/.github/workflows/python-fips-compatibility.yml@ea8e19054eac195e6ab7bc93e9c2319632560b77 # v1 |
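Review bot: the new `uses:` line pins the ref correctly (full SHA plus `# v1` comment) but keeps a path that cannot resolve: a reusable workflow is referenced as `owner/repo/.github/workflows/<file>.yml@ref`, and since the repository here is `ByronWilliamsCPA/.github`, the reference must read `ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml@ea8e19054eac195e6ab7bc93e9c2319632560b77 # v1`. As written, `ByronWilliamsCPA/.github` is taken as the repo and `workflows/python-fips-compatibility.yml` is looked up at its root, where no such file exists, so any caller copying this starter template will fail at workflow load time. The same defect is present on the removed line, so this hunk does not introduce it, but the pinning pass is the right moment to fix the path as well.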
* fix(workflow-templates): correct fips-compatibility reusable path and cifuzzy SHA tag
  - python-fips-compatibility.yml: add missing .github/ path segment so the starter template resolves the reusable workflow at the actual location (ByronWilliamsCPA/.github/.github/workflows/python-fips-compatibility.yml); the previous path pointed to a non-existent file at repo root and would fail to load (PR #70, #94 review).
  - python-cifuzzy.yml: change the SHA comment for github/codeql-action/upload-sarif from '# v4' to '# v4.35.4' to match every other usage of the same SHA in this repo (PR #103 review).
* docs(workflows): add system-deps inputs to python-compatibility table
  Adds system-deps-ubuntu, system-deps-macos, and system-deps-windows rows to the inputs table so the caller-facing documentation matches the actual workflow_call interface (PR #105 review).
* docs(community): route vulnerability reports to private channels
  - profile/README.md: link to the GitHub Security Advisory creation form (/security/advisories/new) instead of the advisories list page, so reporters land directly on the private submission UI (PR #104 review).
  - SUPPORT.md: split the Contact section into general inquiries (Issues or Discussions) and security vulnerabilities (private reporting via Security Advisories), so the broad 'all inquiries' wording no longer routes vulnerability reports to public channels (PR #104 review).
* docs(agents): clarify that the Bats test suite under tests/ exists
  CLAUDE.md and GEMINI.md previously stated 'no test suite' in the Repository Purpose / Repository Context sections. The repo does have a Bats test suite under tests/ (covered by .github/workflows/shell-tests.yml), so the statement was misleading agents about validation steps. Narrows the statement to 'no Python package' and points to the Bats suite (PR #98 review).
* docs(changelog): record fips path and cifuzzy SHA tag fixes
  Adds two entries under [Unreleased] Fixed to surface the workflow-templates fixes already on this branch so downstream consumers know to re-copy the starter templates after the fips path correction.
* docs(agents): scope Bats coverage claim to update-pinned-actions.sh
  The previous wording 'covers the shell scripts in scripts/' implied broader validation than exists; only update-pinned-actions.bats runs, covering one of the six shell scripts in scripts/. Names the specific covered script and notes that the others are not yet tested.
* docs(workflows): fill default cells for system-deps inputs
  The three system-deps-{ubuntu,macos,windows} rows had empty Default cells, while every other row in the table specifies an explicit backtick-quoted default. The workflow YAML has no default: key for these inputs, so the actual default is the empty string; '' makes the table uniform and removes ambiguity between 'no documented default' and 'unset'.
* docs(workflows): add no-build input row to python-compatibility table
  The docs table did not list the public no-build boolean input (default true) added by PR #112; consumers had no way to discover how to opt out of --no-build for projects with a build backend like hatchling. Inserted in canonical YAML order after the system-deps-windows row.

---------

Co-authored-by: Claude <noreply@anthropic.com>



Summary

Consolidates all open dependency-update PRs (#93, #92, #85, #84, #82, #70) into a single change set across `.github/workflows/` and `workflow-templates/`.

SHA bumps applied

| Action | From | To |
|---|---|---|
| step-security/harden-runner | a5ad31d6 | 9ca718d3 |
| github/codeql-action | e46ed2cb | 68bde559 |
| google/osv-scanner-action | c5185470 | 9a498708 |
| sigstore/cosign-installer | cad07c2e | 6f9f1778 |

Reusable workflow self-references

Both `scorecard.yml` and `security-analysis.yml` caller files updated to point to the current HEAD of main (e5d5926), superseding the stale SHA from PR #85.

workflow-templates pinning (PR #70)

Nine `@v1` self-references in `workflow-templates/` pinned to the `v1` tag SHA (ea8e1905), meeting the Dependabot SHA-pinning requirement.

Closes

Closes #93, Closes #92, Closes #85, Closes #84, Closes #82, Closes #70

Test plan

- … (`review_on_push: true`)
- … `@v1` unpinned references remain in `workflow-templates/`

Generated with Claude Code
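The pinning rule this PR applies (every `uses:` ref is a full 40-hex commit SHA with a trailing version comment) and the reusable-workflow path shape that tripped up the fips-compatibility template can both be checked mechanically. The following checker is an added example written for this page, not the repository's own `update-pinned-actions.sh`; the sample workflow is constructed, the `0123…` SHA is a placeholder, and only the `ea8e1905…` SHA is the real v1 tag SHA from the PR.

```python
import re

# Matches a `uses:` step or job line; group 1 = target, group 2 = trailing version comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?')
SHA_RE = re.compile(r'[0-9a-f]{40}')
# A reusable workflow must be referenced as owner/repo/.github/workflows/<file>.yml
REUSABLE_RE = re.compile(r'^[^/]+/[^/]+/\.github/workflows/[^/@]+\.ya?ml$')


def check_uses(line):
    """Return a list of findings for one workflow line ([] if fine or not a `uses:` line)."""
    m = USES_RE.match(line)
    if not m:
        return []
    target, comment = m.group(1), m.group(2)
    if target.startswith('./'):  # same-repo reference; takes no @ref
        return []
    if '@' not in target:
        return ['missing @ref']
    path, ref = target.rsplit('@', 1)
    findings = []
    if not SHA_RE.fullmatch(ref):
        findings.append(f'not pinned to a full commit SHA: @{ref}')
    elif not comment:
        findings.append('SHA pin lacks a version comment')
    # Catches owner/repo/workflows/<file>.yml, which resolves to a non-existent file at repo root.
    if '/workflows/' in path and not REUSABLE_RE.match(path):
        findings.append('reusable workflow path is not owner/repo/.github/workflows/<file>.yml')
    return findings


def audit(text):
    """Audit one workflow file; returns {line_number: [findings]} for offending lines only."""
    return {n: f for n, line in enumerate(text.splitlines(), 1) if (f := check_uses(line))}


# Constructed sample workflow: 0123... is a placeholder SHA, ea8e1905... is the v1 tag SHA from the PR.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: step-security/harden-runner@v2.19.2
      - uses: google/osv-scanner-action@0123456789abcdef0123456789abcdef01234567
      - uses: github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567 # v4.35.4
  fips-check:
    uses: ByronWilliamsCPA/.github/workflows/python-fips-compatibility.yml@ea8e19054eac195e6ab7bc93e9c2319632560b77 # v1
  local:
    uses: ./.github/workflows/self-test.yml
"""

if __name__ == "__main__":
    for n, findings in audit(SAMPLE).items():
        print(f"line {n}: {'; '.join(findings)}")
```

Running it over the sample flags the tag-only pin on line 4, the comment-less SHA on line 5 and the mis-shaped reusable path on line 8, while the correctly pinned upload-sarif step and the local workflow pass.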