
Update GitHub workflows dependencies #154

Merged
rongxin-liu merged 3 commits into main from chore/update-gh-workflows-dependencies on May 4, 2026

Conversation

rongxin-liu (Contributor) commented May 2, 2026

Summary

  • Bumps the pinned GitHub Actions dependencies used by dependency review and Codex security review workflows.
  • Replaces the unpinned dtolnay/rust-toolchain@nightly usage in the AsicRS plugin checks with runner-provided rustup commands.

What Changed

  • .github/workflows/dependency-review.yml: bumps actions/dependency-review-action from v4.8.2 to v4.9.0 by pinned commit SHA.
  • .github/workflows/codex-security-review.yml: bumps openai/codex-action from v1.6 to v1.8 by pinned commit SHA.
  • .github/workflows/asicrs-plugin-checks.yml: removes the dtolnay/rust-toolchain action from both Rust jobs.
  • .github/workflows/asicrs-plugin-checks.yml: the lint/format job now runs rustup toolchain install nightly --profile minimal --component rustfmt --component clippy --allow-downgrade and sets a nightly rustup override.
  • .github/workflows/asicrs-plugin-checks.yml: the build/test job now runs rustup toolchain install nightly --profile minimal and sets a nightly rustup override.

Reviewer Notes

  • Workflow-only change; no product code, proto files, generated code, or migrations are touched.
  • The AsicRS workflow still uses the floating nightly Rust toolchain; this branch changes the installation mechanism and removes the third-party Rust toolchain action.
  • The rustup override set nightly commands run under the jobs' plugin/asicrs working directory, so the override applies to the subsequent AsicRS cargo commands.

Validation

  • git diff --check
  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/asicrs-plugin-checks.yml")'
  • GitHub Actions should validate the workflow behavior on the PR.
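The substantive supply-chain change in this PR is that every third-party action is referenced by a full commit SHA and the unpinned dtolnay/rust-toolchain@nightly step is gone. The script below is an added example (not code from PR #154 or from the project) of the check a maintainer can run before merging a workflow change: it reads a workflow from stdin and reports any `uses:` reference whose ref is a mutable tag or branch rather than a 40-character hex SHA. The workflow fragment and the SHA in it are constructed placeholders, not the repository's real files.

```shell
#!/bin/sh
# Added example (not part of PR #154 or the project): flag `uses:` references
# in a GitHub Actions workflow that are pinned to a mutable tag or branch
# (e.g. @nightly, @v4) instead of an immutable 40-hex commit SHA.

# Constructed workflow fragment for demonstration; the SHA below is a
# placeholder, not a real commit.
WORKFLOW_SAMPLE='name: checks
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: dtolnay/rust-toolchain@nightly
      - uses: ./.github/actions/local-helper
      - uses: actions/dependency-review-action@v4.9.0
      - run: cargo test'

# Read a workflow on stdin, print each third-party `uses:` reference whose
# ref is not a full 40-character lowercase hex SHA, and return 1 if any was
# found (0 if everything is pinned). Local (./...) and docker:// refs are
# skipped because SHA pinning does not apply to them.
check_pinned_uses() {
    found=0
    # Pull "owner/repo@ref" out of every `uses:` line, dropping trailing comments.
    refs=$(sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    for ref in $refs; do
        case "$ref" in
            ./*|docker://*) continue ;;
        esac
        tag=${ref##*@}           # text after the last '@' (whole ref if none)
        case "$tag" in
            *[!0-9a-f]*|"") found=1; echo "unpinned: $ref" ;;
            *) [ "${#tag}" -eq 40 ] || { found=1; echo "unpinned: $ref"; } ;;
        esac
    done
    return "$found"
}

if printf '%s\n' "$WORKFLOW_SAMPLE" | check_pinned_uses; then
    echo "all third-party actions are SHA-pinned"
else
    echo "unpinned third-party actions found (see above)"
fi
```

On the sample it reports dtolnay/rust-toolchain@nightly and actions/dependency-review-action@v4.9.0 and exits 1; the placeholder-SHA checkout step and the local action pass. A tag such as v4.9.0 is still useful as a trailing comment next to the SHA so reviewers can see which release the SHA corresponds to, which is how the bumps in this PR are described.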

github-actions bot added the label github_actions (Pull requests that update GitHub Actions code) on May 2, 2026
github-actions bot commented May 2, 2026

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

  • Reviewed pull request diff only (a57c322c6ff0e760531e8160f554fbcb3c7d8dd2...740aaaa6d6d6bb1c1015040c99debe9e7daf5056, exact PR three-dot diff)
  • Model: gpt-5.4

Review Summary

Overall Risk: LOW

Findings

[LOW] ASIC Rust CI can validate different nightly toolchains in lint vs build/test

  • Category: Reliability
  • Location: .github/workflows/asicrs-plugin-checks.yml:34, .github/workflows/asicrs-plugin-checks.yml:72
  • Description: The new rust-lint job installs nightly with --allow-downgrade, while rust-build-test installs plain nightly. If the newest nightly is missing rustfmt or clippy, rustup can silently pick an older compiler for linting while build/test still use the newer one.
  • Impact: The required CI gates can end up validating different compiler releases, making failures depend on Rust nightly publication timing. That weakens the reliability of the ASIC plugin checks and can either block merges unpredictably or let newer-toolchain lint regressions go unnoticed.
  • Recommendation: Resolve one exact nightly version and reuse it in both jobs, or pin both jobs to the same dated nightly. If downgrade behavior is necessary, apply the same resolved toolchain to build/test as well.

Notes

The reviewed diff is limited to GitHub workflow changes. I did not find in-scope changes affecting runtime auth, database access, RPC handling, plugin boundaries, pool configuration, or frontend code. The openai/codex-action and actions/dependency-review-action bumps are supply-chain trust updates, but their implementations are outside the checked-out diff and would need separate upstream audit if you want assurance beyond the pinned SHAs.


Generated by Codex Security Review | Triggered by: @rongxin-liu | Review workflow run
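The Codex finding above is about two jobs each resolving the floating "nightly" channel on their own, so that --allow-downgrade in the lint job can land on an older compiler than the build/test job. Its recommendation is to resolve one exact nightly and reuse it. The following is an added example (not code from PR #154, the project, or the Codex review) of how to do that in shell: it turns `rustc --version` output into the dated `nightly-YYYY-MM-DD` name rustup accepts and emits a rust-toolchain.toml pinning it. The rustc version string, hash and date are constructed placeholders; the rustup commands in the comments are real rustup subcommands but are not executed here.

```shell
#!/bin/sh
# Added example (not part of PR #154 or the project): resolve one exact dated
# nightly from `rustc --version` output so that every CI job installs the
# same toolchain, instead of each job resolving "nightly" independently.

# Constructed sample of what `rustup run nightly rustc --version` prints;
# the commit hash and date are placeholders.
SAMPLE_RUSTC_VERSION='rustc 1.93.0-nightly (0123abcd4 2026-04-30)'

# Map "rustc X.Y.Z-nightly (<hash> YYYY-MM-DD)" to the dated toolchain name
# rustup accepts, "nightly-YYYY-MM-DD". Returns 1 if the input is not a
# nightly build, so a stable toolchain is never silently accepted.
nightly_from_rustc_version() {
    build_date=$(printf '%s\n' "$1" | sed -n \
        's/^rustc [0-9.]*-nightly ([0-9a-f]* \([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\))$/\1/p')
    [ -n "$build_date" ] || return 1
    printf 'nightly-%s\n' "$build_date"
}

# Emit a rust-toolchain.toml pinning that dated nightly with the components
# the lint job needs; committing this file makes both jobs use the same
# compiler without any --allow-downgrade fallback.
write_toolchain_file() {
    printf '[toolchain]\nchannel = "%s"\ncomponents = ["rustfmt", "clippy"]\nprofile = "minimal"\n' "$1"
}

if pinned=$(nightly_from_rustc_version "$SAMPLE_RUSTC_VERSION"); then
    echo "resolved toolchain: $pinned"
    write_toolchain_file "$pinned"
    # In a real workflow (not run here) the resolved name would be installed
    # identically in each job instead of the bare "nightly" channel:
    #   rustup toolchain install "$pinned" --profile minimal --component rustfmt --component clippy
    #   rustup override set "$pinned"
else
    echo "not a nightly build: $SAMPLE_RUSTC_VERSION" >&2
fi
```

Resolving the date once (in a first job, or by committing the generated rust-toolchain.toml) and installing that exact name in both the lint and build/test jobs removes the timing dependence the review describes: if the newest nightly lacks rustfmt or clippy, both jobs fail or both succeed on the same compiler, rather than diverging.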

rongxin-liu marked this pull request as ready for review on May 2, 2026 04:00
rongxin-liu requested a review from a team as a code owner on May 2, 2026 04:00
Copilot AI review requested due to automatic review settings on May 2, 2026 04:00
Copilot AI left a comment


Pull request overview

This PR updates GitHub Actions workflow dependencies to newer pinned revisions, aiming to improve CI reliability and supply-chain security for dependency review, Codex security review, and Rust plugin checks.

Changes:

  • Bump actions/dependency-review-action to a newer pinned commit (v4.9.0).
  • Bump openai/codex-action to a newer pinned commit (v1.8).
  • Modify Rust nightly toolchain setup in asicrs-plugin-checks.yml (replacing the previous action-based install with rustup commands).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File                                          Description
.github/workflows/dependency-review.yml       Updates dependency review action to pinned v4.9.0.
.github/workflows/codex-security-review.yml   Updates Codex action to pinned v1.8.
.github/workflows/asicrs-plugin-checks.yml    Changes Rust nightly toolchain installation approach for ASIC RS plugin CI jobs.

rongxin-liu force-pushed the chore/update-gh-workflows-dependencies branch from 7985d75 to c39bcad on May 2, 2026 04:53
rongxin-liu merged commit 89ad2f9 into main on May 4, 2026
135 of 137 checks passed
rongxin-liu deleted the chore/update-gh-workflows-dependencies branch on May 4, 2026 15:00