Conversation
WalkthroughAdds PEP 740 attestation generation steps to the merge and verify GitHub Actions workflows using astral-sh/attest-action@v1, restricts the pytest matrix and package requirement to Python 3.14, bumps the package version to 0.6.10a0, and documents the change in the changelog. ChangesCI Attestation and Version Updates
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
♻️ Duplicate comments (1)
CHANGELOG.md (1)
5-10: 🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick winVersion mismatch with pyproject.toml.
This section is titled
[0.6.10], but pyproject.toml setsversion = "0.6.10a0"(a PEP 440 pre-release). Align the changelog title with the actual package version, or drop the alpha suffix in pyproject.toml if this is meant to be a final release.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@CHANGELOG.md` around lines 5 - 10, The changelog header and package version are mismatched: the release note in CHANGELOG.md is labeled as a final 0.6.10 release while pyproject.toml still uses the 0.6.10a0 pre-release version. Update the version identifiers so they match, either by changing the changelog entry to the alpha version or by removing the alpha suffix in pyproject.toml if this is intended to be a final release; use the version fields in pyproject.toml and the top-level changelog release heading as the symbols to align.
🧹 Nitpick comments (2)
.github/workflows/verify.yml (1)
228-228: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the action to a full commit SHA.
Same supply-chain concern flagged by SonarCloud as in merge.yml —
astral-sh/attest-action@v1should be pinned to a commit SHA.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/verify.yml at line 228, The workflow step using astral-sh/attest-action@v1 is not pinned tightly enough; replace the version tag with a full commit SHA in the verify workflow. Update the attestation step to reference the exact commit for astral-sh/attest-action, matching the pinning approach used elsewhere in the repo for security consistency.Source: Linters/SAST tools
.github/workflows/merge.yml (1)
75-75: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winPin the action to a full commit SHA.
astral-sh/attest-action@v1is a floating tag; SonarCloud flags this as a supply-chain risk. Pin to the commit SHA (with a version comment) for reproducibility and to guard against tag re-pointing.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/merge.yml at line 75, The workflow currently uses astral-sh/attest-action@v1, which is a floating tag and should be replaced with a full commit SHA for supply-chain safety. Update the action reference in merge.yml to pin it to an exact commit, and keep the version comment alongside it so the intended release remains clear. Use the astral-sh/attest-action step as the location to make this change.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/merge.yml:
- Around line 73-77: The Generate PEP 740 Attestations step is using an invalid
step output reference, so it will always be skipped. Update the publishing job’s
attestation step to remove the redundant condition or reference the correct
output source from the job context, since `check_package` is not defined in this
job; use the existing `determine_version`/job-level publish gate and the
`Generate PEP 740 Attestations` step to locate the change.
In `@pyproject.toml`:
- Line 7: Version metadata is inconsistent between the release config and
changelog: pyproject.toml uses the pre-release version 0.6.10a0 while the
release entry is labeled as 0.6.10. Update the version fields to match the
intended release type by either removing the alpha suffix in the pyproject.toml
version if this is a stable release, or changing the changelog title to 0.6.10a0
if this is intentionally a pre-release; check the version string in
pyproject.toml and the release heading in CHANGELOG.md so they align.
---
Duplicate comments:
In `@CHANGELOG.md`:
- Around line 5-10: The changelog header and package version are mismatched: the
release note in CHANGELOG.md is labeled as a final 0.6.10 release while
pyproject.toml still uses the 0.6.10a0 pre-release version. Update the version
identifiers so they match, either by changing the changelog entry to the alpha
version or by removing the alpha suffix in pyproject.toml if this is intended to
be a final release; use the version fields in pyproject.toml and the top-level
changelog release heading as the symbols to align.
---
Nitpick comments:
In @.github/workflows/merge.yml:
- Line 75: The workflow currently uses astral-sh/attest-action@v1, which is a
floating tag and should be replaced with a full commit SHA for supply-chain
safety. Update the action reference in merge.yml to pin it to an exact commit,
and keep the version comment alongside it so the intended release remains clear.
Use the astral-sh/attest-action step as the location to make this change.
In @.github/workflows/verify.yml:
- Line 228: The workflow step using astral-sh/attest-action@v1 is not pinned
tightly enough; replace the version tag with a full commit SHA in the verify
workflow. Update the attestation step to reference the exact commit for
astral-sh/attest-action, matching the pinning approach used elsewhere in the
repo for security consistency.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f256da0c-4846-448a-b017-ffcb6856b073
📒 Files selected for processing (4)
.github/workflows/merge.yml.github/workflows/verify.ymlCHANGELOG.mdpyproject.toml
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #235 +/- ##
=======================================
Coverage 85.29% 85.29%
=======================================
Files 8 8
Lines 775 775
=======================================
Hits 661 661
Misses 114 114 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|



Summary by CodeRabbit
New Features
Changes