Conversation

shenxianpeng
Contributor

@shenxianpeng shenxianpeng commented Aug 31, 2025

closes #40

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions to specific commit SHAs across CI workflows for reproducibility and supply-chain hardening; no behavior changes.
    • Updated workflows: codeql, mkdocs, pre-commit, py-coverage, py-publish, release-drafter, snyk-container, sphinx, stale.
    • Locked common actions (checkout, setup-python, setup-uv, cache, upload/download-artifact, CodeQL init/autobuild/analyze/upload-sarif, Release Drafter, Snyk Docker, gh-pages, codecov, stale) to fixed revisions while preserving existing inputs and flow.

@shenxianpeng shenxianpeng added the enhancement New feature or request label Aug 31, 2025
@shenxianpeng shenxianpeng requested a review from Copilot August 31, 2025 13:44

@Copilot Copilot AI left a comment


Pull Request Overview

This PR enhances security by replacing version tags with full commit SHA hashes for all GitHub Actions dependencies across workflow files. This change prevents potential supply chain attacks by pinning to immutable commit references instead of mutable tags.

  • Replaced version tags (e.g., @v5, @v6) with full 40-character SHA hashes
  • Added version tag comments (e.g., #v5) for human readability
  • Applied changes consistently across all workflow files

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

File: Description
.github/workflows/stale.yml: Updated actions/stale to use commit SHA with v9 comment
.github/workflows/sphinx.yml: Updated checkout, setup-uv, upload-artifact, and gh-pages actions to use commit SHAs
.github/workflows/snyk-container.yml: Updated checkout, snyk docker action, and codeql upload-sarif to use commit SHAs
.github/workflows/release-drafter.yml: Updated release-drafter action to use commit SHA
.github/workflows/py-publish.yml: Updated checkout, setup-python, and attest-build-provenance actions to use commit SHAs
.github/workflows/py-coverage.yml: Updated checkout, download-artifact, setup-python, upload-artifact, and codecov actions to use commit SHAs
.github/workflows/pre-commit.yml: Updated checkout, setup-python, and cache actions to use commit SHAs
.github/workflows/mkdocs.yml: Updated checkout, setup-uv, and upload-artifact actions to use commit SHAs
.github/workflows/codeql.yml: Updated checkout and all codeql-action steps to use commit SHAs


@shenxianpeng shenxianpeng requested a review from 2bndy5 August 31, 2025 13:46

coderabbitai bot commented Aug 31, 2025

Walkthrough

Pinned GitHub Actions in multiple workflows from version tags to specific commit SHAs across security scans, docs builds, Python CI/publish, and release automation. No changes to workflow logic, steps, inputs, or control flow.

Changes

Cohort / File(s) Summary of Changes
Security and analysis workflows
.github/workflows/codeql.yml, .github/workflows/snyk-container.yml
Replaced action tags with commit SHAs: checkout, CodeQL (init/autobuild/analyze/upload-sarif), and Snyk docker action; retained existing step order and inputs.
Documentation build and publish
.github/workflows/mkdocs.yml, .github/workflows/sphinx.yml
Pinned checkout, astral-sh/setup-uv, upload-artifact, and gh-pages actions to exact SHAs; no other edits.
Python CI and publishing
.github/workflows/pre-commit.yml, .github/workflows/py-coverage.yml, .github/workflows/py-publish.yml
Switched checkout, setup-python, cache, download/upload-artifact, and codecov/attest actions to SHAs; preserved configuration and flow.
Release automation
.github/workflows/release-drafter.yml, .github/workflows/stale.yml
Pinned release-drafter and actions/stale to specific commits; other settings unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (13)
.github/workflows/stale.yml (2)

9-16: Add minimal required permissions so stale can label/close issues/PRs.

Without explicit permissions, a reusable workflow may inherit insufficient rights from callers.

Apply:

 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9
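Review bot: `issues: write` and `pull-requests: write` are the scopes actions/stale needs to label and close items, and since the only step shown is the stale action itself nothing else in the job needs more. Keep in mind that adding a job-level `permissions:` block resets every scope not listed to none, so any step added to this job later must be checked against this block rather than the repository default.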

9-16: Verify SHA↔version mapping stays correct over time.

Confirm 5bef64f… corresponds to the intended v9 release and add a periodic check (e.g., Dependabot github-actions updates + CI check) to alert on upstream updates.

.github/workflows/py-coverage.yml (3)

31-35: Set retention for large HTML artifacts.

Avoid indefinite storage growth for htmlcov.

-      - name: Upload comprehensive coverage HTML report
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4
+      - name: Upload comprehensive coverage HTML report
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4
         with:
           name: coverage-report
-          path: htmlcov/
+          path: htmlcov/
+          retention-days: 14
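Review bot: the `- name`, `- uses` and `path: htmlcov/` lines are removed and re-added unchanged; the only real change in this hunk is the added `retention-days: 14`, so the suggestion should be that single `+` line to keep the diff reviewable. Fourteen days is sensible for an HTML report that is only a debugging aid and is never what gets published.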

38-45: Ensure Codecov uploads even when earlier steps fail.

Make uploads best-effort for debugging failed jobs.

-      - uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 #v5
+      - if: always()
+        uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 #v5
         env:
           CODECOV_TOKEN: ${{secrets.CODECOV_TOKEN}}
         with:
           files: ./coverage.xml
           fail_ci_if_error: true # optional (default = false)
           verbose: true # optional (default = false)
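Review bot: `if: always()` also runs the upload when the job has been cancelled; `if: ${{ !cancelled() }}` gives the intended "upload even after a failed test step" without that. With `fail_ci_if_error: true` kept, a failure earlier in the job that leaves no `./coverage.xml` behind may turn the upload step itself red as well, which is acceptable for a debugging upload but worth saying in the step name so the red step is not misread as a Codecov outage.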

7-9: Harden GITHUB_TOKEN scope (least privilege).

Explicitly set minimal permissions for this workflow.

 jobs:
   publish-coverage-reports:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
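Review bot: `contents: read` is enough here because actions/checkout only reads the repository and the codecov step authenticates with `CODECOV_TOKEN` from secrets rather than with `GITHUB_TOKEN`, so dropping the job to read-only costs nothing.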
.github/workflows/py-publish.yml (2)

21-24: LGTM on setup-python pinning; consider enabling pip cache.

Minor speed-up if you install deps beyond twine.

     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5
       with:
-        python-version: '3.x'
+        python-version: '3.x'
+        cache: 'pip'
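Review bot: `cache: 'pip'` makes setup-python look for a dependency file (`requirements.txt` or `pyproject.toml`) to hash into the cache key and fails the step when it finds none, so in a job that only installs twine from a `run:` step there may be nothing to hash; either set `cache-dependency-path:` to a file that exists or leave caching off. The unchanged `python-version: '3.x'` line is also removed and re-added for no reason.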

28-33: Build sdist in addition to wheel for fuller distribution.

Twine checks both and some users/installers prefer sdists.

-    - name: Build wheel
-      run: python -m pip wheel -w dist --no-deps .
+    - name: Build distributions (wheel + sdist)
+      run: |
+        python -m pip install build
+        python -m build --outdir dist
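Review bot: `python -m pip install build` pulls an unpinned build tool on every run, which works against this PR's goal of reproducible, pinned CI; pin it (`python -m pip install build==<version>`, placeholder) or hash it in with the other requirements. Note too that `python -m build` requires a `[build-system]` table in pyproject.toml and, unlike the old `pip wheel --no-deps .`, builds the wheel from the sdist it just generated, so anything excluded from the sdist will also be missing from the wheel.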
.github/workflows/release-drafter.yml (1)

12-21: Avoid overlapping release-drafter runs.

Add a concurrency group to prevent racey updates when called rapidly.

   update_release_draft:
+    concurrency:
+      group: release-drafter-${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
     permissions:
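Review bot: `cancel-in-progress: true` will kill a draft update that is part-way through its API calls when a second event arrives; because the newer run rebuilds the whole draft that is usually harmless, but `cancel-in-progress: false` (queue the newest run behind the active one) avoids ever leaving a half-updated release body. The `${{ github.workflow }}` in the group key is redundant with the literal `release-drafter-` prefix.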
.github/workflows/pre-commit.yml (2)

25-29: Prefer $HOME over ~ for cache path expansion.

This avoids ambiguity and reads clearer.

-      - name: Cache pre-commit environments
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4
-        with:
-          path: '~/.cache/pre-commit'
+      - name: Cache pre-commit environments
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4
+        with:
+          path: $HOME/.cache/pre-commit
           key: pre-commit-${{ steps.python-setup.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
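Review bot: this looks like a regression rather than a cleanup: the runner does not shell-expand `$HOME` inside a `with:` input and actions/cache does not document environment-variable expansion, whereas a leading `~` is expanded by the action (its own examples use `~/.npm`) and `~/.cache/pre-commit` is the path pre-commit's CI guidance uses. Keep the original quoted `'~/.cache/pre-commit'`; the three unchanged lines above `path:` are also needlessly removed and re-added.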

13-15: Set least-privilege permissions for this workflow.

Explicit read-only GITHUB_TOKEN.

 jobs:
   run-pre-commit:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
.github/workflows/snyk-container.yml (1)

24-24: Add minimal permissions to the snyk job

 jobs:
   snyk:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
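Review bot: `security-events: write` is the scope github/codeql-action/upload-sarif needs and `contents: read` covers checkout, so the block is correct for a public repository. If this workflow is ever run in a private repository, upload-sarif additionally needs `actions: read` to look up the run status, per the codeql-action README.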
.github/workflows/sphinx.yml (2)

16-17: Good: pinned checkout/setup-uv SHAs.

Optionally add minimal token scope since this workflow publishes to Pages via gh-pages action.

 jobs:
   sphinx-deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
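Review bot: `contents: write` is the minimum the gh-pages action needs to push the gh-pages branch with `GITHUB_TOKEN`, and placing it on the job rather than the workflow is the right call; just note that a job-level grant applies to every step in the job, so the checkout and uv build steps run with a write-capable token too. Splitting build and deploy into separate jobs would confine the write scope to the deploy step alone.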

26-26: Artifact upload pinned — LGTM.

Optional: set retention-days to control storage.

       - name: Upload docs build as artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4
         with:
           name: ${{ github.event.repository.name }}_docs
           path: ${{ github.workspace }}/${{ inputs.path-to-doc }}
+          retention-days: 7
📥 Commits

Reviewing files that changed from the base of the PR and between 5c95bd1 and 1c39120.

📒 Files selected for processing (9)
  • .github/workflows/codeql.yml (3 hunks)
  • .github/workflows/mkdocs.yml (1 hunks)
  • .github/workflows/pre-commit.yml (1 hunks)
  • .github/workflows/py-coverage.yml (2 hunks)
  • .github/workflows/py-publish.yml (2 hunks)
  • .github/workflows/release-drafter.yml (1 hunks)
  • .github/workflows/snyk-container.yml (2 hunks)
  • .github/workflows/sphinx.yml (2 hunks)
  • .github/workflows/stale.yml (1 hunks)
🔇 Additional comments (14)
.github/workflows/stale.yml (1)

9-9: Good pinning to a full SHA.

Using a commit SHA with an inline version comment improves supply-chain safety and traceability.

.github/workflows/py-coverage.yml (1)

11-11: LGTM on pinning core actions.

checkout is correctly pinned to a v5 commit SHA.

.github/workflows/py-publish.yml (2)

16-16: LGTM on pinning checkout to a v5 SHA.


35-37: Good: provenance attestation pinned to a commit and required permissions present.

.github/workflows/release-drafter.yml (1)

23-23: Good pin to a specific commit for release-drafter.

.github/workflows/pre-commit.yml (1)

16-18: LGTM on pinning checkout/setup-python to SHAs.

.github/workflows/mkdocs.yml (1)

10-11: astral-sh/setup-uv SHA is invalid
The pinned commit 4959332f0f014c5280e7eac8b70c90cb574c9f9b isn’t found upstream, so this step will always fail. Update it to a valid tag or commit SHA.

Optional: scope GITHUB_TOKEN permissions for the mkdocs-deploy job to least privilege:

 jobs:
   mkdocs-deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
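Review bot: the `contents: write` hunk itself is sound for a job that publishes to Pages, but it is attached to a finding the review marks as likely invalid: whether commit 4959332f0f014c5280e7eac8b70c90cb574c9f9b exists upstream cannot be confirmed from the visible lines, so check it with `git ls-remote` against astral-sh/setup-uv before changing the pin. Apply the permissions block on its own merits, independent of that claim.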

Likely an incorrect or invalid review comment.

.github/workflows/snyk-container.yml (2)

10-10: Checkout pinned — LGTM.


13-13: Pinning Snyk action to commit — LGTM.

.github/workflows/codeql.yml (4)

46-46: Checkout pinned — LGTM.


50-50: CodeQL init pinned — LGTM.


63-63: CodeQL autobuild pinned — LGTM.


77-77: Analyze step pinned — LGTM.

Permissions already least-privilege for CodeQL. Nothing else to change.

.github/workflows/sphinx.yml (1)

34-34: gh-pages action pinned — LGTM.

No further changes needed.
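As an added example (not code from this PR or the repository under review), here is a small Python checker for the two points the review above raises: that every `uses:` reference is a full 40-character commit SHA with an exact-version trailing comment, and that the pinned SHA really is the commit the commented tag resolves to when checked against `git ls-remote --tags` output. The workflow text and ls-remote output are constructed samples with made-up SHAs; feeding in a real `git ls-remote --tags https://github.com/<owner>/<repo>` result is the actual periodic check.

```python
import re
# owner/repo[/path]@ref, optionally followed by a `# vX.Y.Z` comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
                     r"@(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")  # v1.2.3, not a rolling v1

def audit_uses(workflow_text):
    """Return (repo, ref, comment, problems) for every `uses:` line."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m.group("repo", "ref", "comment")
        problems = []
        if not FULL_SHA_RE.match(ref):
            problems.append("not pinned to a full commit SHA")
        if comment is None or not EXACT_TAG_RE.match(comment):
            problems.append("version comment missing or not an exact vX.Y.Z tag")
        findings.append((repo, ref, comment, problems))
    return findings

def sha_for_tag(ls_remote_output, tag):
    """Resolve a tag to its commit from `git ls-remote --tags` output. An annotated
    tag lists its tag object as refs/tags/<tag> and the commit as <tag>^{}, so the
    peeled entry wins when present; a lightweight tag has only the direct entry."""
    direct = None
    for line in ls_remote_output.splitlines():
        sha, _, refname = line.partition("\t")
        if refname == f"refs/tags/{tag}^{{}}":
            return sha
        if refname == f"refs/tags/{tag}":
            direct = sha
    return direct

def pin_matches_comment(ref, comment, ls_remote_output):
    """True when the pinned SHA is the commit the commented tag resolves to."""
    return comment is not None and sha_for_tag(ls_remote_output, comment) == ref

# Constructed samples with made-up SHAs, not taken from the repository.
SAMPLE_WORKFLOW = """\
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
  - uses: actions/stale@89abcdef0123456789abcdef0123456789abcdef #v9
  - uses: actions/setup-python@v5
"""
SAMPLE_LS_REMOTE = (  # tab-separated, as `git ls-remote --tags <url>` prints it
    "89abcdef0123456789abcdef0123456789abcdef\trefs/tags/v9\n"
    "1111111111111111111111111111111111111111\trefs/tags/v9.1.0\n"
    "89abcdef0123456789abcdef0123456789abcdef\trefs/tags/v9.1.0^{}\n"
)
```

In the sample, `v9` is a lightweight tag and `v9.1.0` an annotated one pointing at the same commit, which is why the peeled `^{}` entry must be preferred over the tag object's own SHA.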

@2bndy5
Contributor

2bndy5 commented Aug 31, 2025

  1. Actions developed under the GitHub org actions are considered official because they are maintained by GitHub employees. This means that they are generally trusted, but I understand if you want to pin these actions to their SHA.
  2. An SHA does not always point to the rolling major tag. Meaning v1 will not always describe the commit that was tagged with v1.2.3.
     # good
     - uses: user/repo@SHA # v1.2.3
     # imprecise
     - uses: user/repo@SHA # v1
     In my experience, Dependabot will update the comment after the SHA. I don't know if this is true when the comment only points to the rolling tag of the major version.
  3. Using SHA to pin actions can cause a lot more dependabot PRs. We might consider limiting updates to only minor or major bumps instead of all patch bumps.

@shenxianpeng
Contributor Author

> This means that they are generally trusted

Indeed. I'd choose zero trust not only for us but also for the users, like other orgs such as Apache, who rely on our tools.

> An SHA does not always point to the rolling major tag. Meaning v1 will not always describe the commit that was tagged with v1.2.3.

I think so. I assume v1 will not be updated until there is a v2 version rollout. v1.x.x might be better, but also more frequent. That should be ok since we don't need to upgrade when the functionality is ok. I think using v1.x.x is a good choice.

> Using SHA to pin actions can cause a lot more dependabot PRs.

Good point. I feel like there might be fewer updates. Maybe we could merge this PR and see what happens.

@2bndy5
Contributor

2bndy5 commented Sep 1, 2025

> I feel like there might be fewer updates.

I highly doubt that. Dependabot will surely start submitting PRs for every patch release about all actions we use.

> maybe we could merge this PR and see what happens.

Yes. If you didn't notice yet, I'm a fan of breaking things and then fixing them promptly. 😜

In embedded software development, there's a common saying among beginner tutorials:

Break things and have fun

The "fun" part is supposed to imply fixing what you broke. 🤣

Contributor

@2bndy5 2bndy5 left a comment


I'm curious to see what dependabot will do with the trailing comments.

@shenxianpeng shenxianpeng merged commit 988f4aa into main Sep 1, 2025
3 checks passed
@shenxianpeng shenxianpeng deleted the feature/use-full-commit-hash branch September 1, 2025 11:26
@shenxianpeng
Contributor Author

You fix things absolutely very fast 😜

Development

Successfully merging this pull request may close these issues.

Use full commit SHA hash for dependency