chore(ci): pin all GitHub Actions to commit SHAs#133
Conversation
Supply-chain hardening — pin every third-party action to a specific
commit SHA so that a compromised tag (force-pushed by an attacker who
gains repo write to the action) can't silently substitute malicious
code into our CI runners.
Each pin keeps the previous version as a comment so humans (and
Dependabot, when configured) can still see what version is in use and
update purposefully:
uses: actions/checkout@de0fac2... # v6
Files changed:
- .github/workflows/release.yml — checkout, setup-uv (x3), codecov-action,
test-results-action, upload-artifact, download-artifact (x2),
ncipollo/release-action, docker/{setup-buildx,login,metadata,build-push}-action
- .github/workflows/semgrep.yml — checkout (also bumped from v4 → v6
to align with every other workflow in this repo, then pinned)
- .github/workflows/dependabot-auto-merge.yml — fetch-metadata
Mirrors the matching change shipping on ontokit-web in PR #196.
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Summary
Supply-chain hardening: every third-party action is now pinned to a specific commit SHA so that a compromised tag (e.g., force-pushed by an attacker with write access to the action's repo) cannot silently substitute malicious code into our CI runners.
Pattern used:
```yaml
uses: actions/checkout@de0fac2 # v6
```
The trailing comment preserves the human-readable version and is the format Dependabot recognizes for tracking.
Actions pinned
Drive-by version bump
`semgrep.yml` was using `actions/checkout@v4` — bumped to v6 to match every other workflow in this repo, then pinned.
Mirrors the matching change shipping on ontokit-web in PR #196.
Test plan
🤖 Generated with Claude Code