
chore(ci): correct setup-python pin version comment to v6.2.0#41383

Merged
rusackas merged 1 commit into
masterfrom
chore/ci-fix-setup-python-ref-pin
Jun 26, 2026

Conversation

@rusackas

Member

SUMMARY

The actions/setup-python step in our composite backend setup action (and the bump-python-package workflow) is pinned to commit a309ff8b426b58ec0e2a45f0f869d46889d02405, but the inline version comment read # v6.

That commit actually corresponds to release tag v6.2.0. The floating # v6 tag points at a different commit (ece7cb06…, currently v6.3.0). zizmor's ref-version-mismatch rule flags this because the human-readable comment misrepresents the exact pinned version, which makes audits and Dependabot bumps harder to reason about.

This PR updates both occurrences of the comment to the truthful # v6.2.0. The pinned SHA is unchanged, so runtime behavior is identical — this is purely a documentation/accuracy fix to satisfy the supply-chain pin convention.

Resolves code-scanning alert #2549.

BEFORE/AFTER

Before:

uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6

After:

uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0

TESTING INSTRUCTIONS

pre-commit run --files .github/actions/setup-backend/action.yml .github/workflows/bump-python-package.yml passes, including the zizmor (GHA security audit) hook.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code

The pinned commit a309ff8 for actions/setup-python resolves to release
tag v6.2.0, but the inline comment claimed `# v6` (the floating major
tag, which points at a different commit). zizmor's ref-version-mismatch
rule flags this mismatch because the comment misrepresents the exact
pinned version. Updated both occurrences to `# v6.2.0` so the comment
matches the pinned SHA.

Resolves code-scanning alert #2549

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
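The pin convention the PR describes, a full commit SHA followed by a comment naming the exact release tag, can be checked mechanically. The script below is an added example, not code from this PR, from the repository, or from zizmor: it reads `uses:` lines from workflow text, flags refs that are not a full 40-hex SHA or that lack a version comment, and compares the comment against a tag-to-SHA map. The map is constructed for the example: the v6.2.0 SHA is the one pinned in this PR, while the v6/v6.3.0 value is a placeholder padded out from the `ece7cb06` prefix quoted above and is not the real commit; a real run would fill the map from `git ls-remote --tags`.

```python
import re

# Constructed sample workflow text (not from the repository): the "before"
# line from this PR with its mismatched comment, the corrected "after" line,
# one floating-tag ref, and one short-SHA ref.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
  - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
  - uses: some-org/some-action@abc123 # v1.0.0
"""

# Constructed tag -> commit map. In practice build it from
# `git ls-remote --tags https://github.com/<owner>/<repo>` (peeled ^{} refs).
# Only the v6.2.0 SHA comes from the PR; the other value is a placeholder built
# from the "ece7cb06..." prefix the PR quotes and is NOT the real commit.
KNOWN_TAGS = {
    "actions/setup-python": {
        "v6.2.0": "a309ff8b426b58ec0e2a45f0f869d46889d02405",
        "v6":     "ece7cb06" + "0" * 32,   # placeholder
        "v6.3.0": "ece7cb06" + "0" * 32,   # placeholder
    },
}

# Matches `uses: owner/repo[/path]@ref # comment`; local (./) and docker:// uses are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^\s@]+)?@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text, known_tags):
    """Return (line_number, rule, message) tuples for every `uses:` that breaks
    the pin convention: not a full SHA, no version comment, or a comment naming
    a tag that does not resolve to the pinned SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m.group("repo"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, "unpinned-ref",
                             f"{repo}@{ref} is a tag or short SHA, not a full 40-hex commit"))
            continue
        if comment is None:
            findings.append((lineno, "missing-version-comment",
                             f"{repo}@{ref[:7]} has no '# vX.Y.Z' comment"))
            continue
        tags = known_tags.get(repo)
        if tags is None:
            findings.append((lineno, "unknown-repo", f"no tag data for {repo}; cannot verify"))
            continue
        if comment not in tags:
            findings.append((lineno, "unknown-tag", f"comment '{comment}' is not a tag of {repo}"))
        elif tags[comment] != ref:
            # The comment names a real tag, but that tag points elsewhere. Report which
            # tag(s) actually resolve to the pinned SHA so the fix is a comment edit only.
            actual = sorted(t for t, sha in tags.items() if sha == ref)
            findings.append((lineno, "ref-version-mismatch",
                             f"comment says {comment} but {ref[:7]} is "
                             f"{', '.join(actual) or 'no known tag'}"))
    return findings


if __name__ == "__main__":
    for lineno, rule, msg in audit_uses(SAMPLE_WORKFLOW, KNOWN_TAGS):
        print(f"line {lineno}: [{rule}] {msg}")
```

Run against the sample, the "before" line is reported as a ref-version-mismatch naming v6.2.0 as the tag that actually resolves to the pinned SHA, the "after" line passes, and the two non-SHA refs are reported as unpinned. Because the SHA, not the comment, is what the runner executes, the mismatch finding is a documentation fix, as the PR says; the unpinned-ref findings are the ones with real supply-chain exposure.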
@dosubot dosubot Bot added the github_actions label Jun 24, 2026
@bito-code-review

bito-code-review Bot commented Jun 24, 2026

Contributor

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

@codecov

codecov Bot commented Jun 24, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.35%. Comparing base (6bc77fe) to head (45d0cad).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #41383      +/-   ##
==========================================
+ Coverage   63.80%   64.35%   +0.55%     
==========================================
  Files        2653     2653              
  Lines      145281   145162     -119     
  Branches    33523    33490      -33     
==========================================
+ Hits        92692    93418     +726     
+ Misses      50891    50049     -842     
+ Partials     1698     1695       -3     
Flag      Coverage   Δ
hive      ?
mysql     57.97%     <ø> (?)
postgres  58.04%     <ø> (ø)
presto    40.81%     <ø> (ø)
python    59.44%     <ø> (+1.21%) ⬆️
sqlite    57.70%     <ø> (ø)
unit      100.00%    <ø> (?)

Flags with carried forward coverage won't be shown.

@rusackas rusackas merged commit eaaab61 into master Jun 26, 2026
63 checks passed
@rusackas rusackas deleted the chore/ci-fix-setup-python-ref-pin branch June 26, 2026 19:08

Labels

github_actions, size/XS
