feat: use full commit SHA hash for dependency #42
Conversation
Pull Request Overview
This PR enhances security by replacing version tags with full commit SHA hashes for all GitHub Actions dependencies across workflow files. This change prevents potential supply chain attacks by pinning to immutable commit references instead of mutable tags.
- Replaced version tags (e.g., `@v5`, `@v6`) with full 40-character SHA hashes
- Added version tag comments (e.g., `#v5`) for human readability
- Applied changes consistently across all workflow files
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
File | Description |
---|---|
.github/workflows/stale.yml | Updated actions/stale to use commit SHA with v9 comment |
.github/workflows/sphinx.yml | Updated checkout, setup-uv, upload-artifact, and gh-pages actions to use commit SHAs |
.github/workflows/snyk-container.yml | Updated checkout, snyk docker action, and codeql upload-sarif to use commit SHAs |
.github/workflows/release-drafter.yml | Updated release-drafter action to use commit SHA |
.github/workflows/py-publish.yml | Updated checkout, setup-python, and attest-build-provenance actions to use commit SHAs |
.github/workflows/py-coverage.yml | Updated checkout, download-artifact, setup-python, upload-artifact, and codecov actions to use commit SHAs |
.github/workflows/pre-commit.yml | Updated checkout, setup-python, and cache actions to use commit SHAs |
.github/workflows/mkdocs.yml | Updated checkout, setup-uv, and upload-artifact actions to use commit SHAs |
.github/workflows/codeql.yml | Updated checkout and all codeql-action steps to use commit SHAs |
Walkthrough: Pinned GitHub Actions in multiple workflows from version tags to specific commit SHAs across security scans, docs builds, Python CI/publish, and release automation. No changes to workflow logic, steps, inputs, or control flow.
Estimated code review effort: 2 (Simple), ~10 minutes.
Actionable comments posted: 0
🧹 Nitpick comments (13)
.github/workflows/stale.yml (2)
Lines 9-16: Add minimal required permissions so stale can label/close issues/PRs. Without explicit permissions, a reusable workflow may inherit insufficient rights from callers.
Apply:
jobs: stale: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9
Lines 9-16: Verify SHA↔version mapping stays correct over time. Confirm 5bef64f… corresponds to the intended v9 release and add a periodic check (e.g., Dependabot `github-actions` updates + CI check) to alert on upstream updates.
.github/workflows/py-coverage.yml (3)
Lines 31-35: Set retention for large HTML artifacts. Avoid indefinite storage growth for htmlcov.
- - name: Upload comprehensive coverage HTML report - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4 + - name: Upload comprehensive coverage HTML report + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4 with: name: coverage-report - path: htmlcov/ + path: htmlcov/ + retention-days: 14
Lines 38-45: Ensure Codecov uploads even when earlier steps fail. Make uploads best-effort for debugging failed jobs.
- - uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 #v5 + - if: always() + uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 #v5 env: CODECOV_TOKEN: ${{secrets.CODECOV_TOKEN}} with: files: ./coverage.xml fail_ci_if_error: true # optional (default = false) verbose: true # optional (default = false)
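Review bot: `if: always()` on the suggested codecov step also fires when the job is cancelled, not only when the test step failed; `if: ${{ !cancelled() }}` gives the intended "upload after a failing test run" behaviour without running the upload on cancellation. With `fail_ci_if_error: true` kept, an upload problem after a failed test step is still reported rather than hidden, which is what the suggestion wants.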
Lines 7-9: Harden GITHUB_TOKEN scope (least privilege). Explicitly set minimal permissions for this workflow.
jobs: publish-coverage-reports: runs-on: ubuntu-latest + permissions: + contents: read.github/workflows/py-publish.yml (2)
Lines 21-24: LGTM on setup-python pinning; consider enabling pip cache. Minor speed-up if you install deps beyond twine.
- name: Set up Python uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5 with: - python-version: '3.x' + python-version: '3.x' + cache: 'pip'
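Review bot: `cache: 'pip'` in the suggested setup-python step needs a dependency file to hash; when nothing matches setup-python's default `cache-dependency-path` (a requirements file or pyproject.toml in the checkout), the step errors out instead of silently skipping the cache. Either point `cache-dependency-path` at the file that lists twine, or leave the cache off for this single-package install.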
Lines 28-33: Build sdist in addition to wheel for fuller distribution. Twine checks both and some users/installers prefer sdists.
- - name: Build wheel - run: python -m pip wheel -w dist --no-deps . + - name: Build distributions (wheel + sdist) + run: | + python -m pip install build + python -m build --outdir dist.github/workflows/release-drafter.yml (1)
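Review bot: `python -m pip install build` in the suggested build step installs whatever `build` release is current at run time, which is the same kind of floating reference this PR removes from the `uses:` lines. Pin it (`python -m pip install build==<version>`, version to be chosen by the maintainers) or list it in a hash-pinned requirements file so the publish job stays reproducible.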
Lines 12-21: Avoid overlapping release-drafter runs. Add a concurrency group to prevent racy updates when called rapidly.
update_release_draft: + concurrency: + group: release-drafter-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true permissions:
.github/workflows/pre-commit.yml (2)
Lines 25-29: Prefer $HOME over ~ for cache path expansion. This avoids ambiguity and reads clearer.
- - name: Cache pre-commit environments - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4 - with: - path: '~/.cache/pre-commit' + - name: Cache pre-commit environments + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4 + with: + path: $HOME/.cache/pre-commit key: pre-commit-${{ steps.python-setup.outputs.python-version }}-${{ hashFiles('.pre-commit-config.yaml') }}
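Review bot: the suggested `path: $HOME/.cache/pre-commit` is likely to break the cache rather than clarify it. Values under `with:` are not shell-expanded by the runner, so actions/cache would receive the literal string `$HOME/.cache/pre-commit`, whereas a leading `~` is expanded by the action's own path handling (the action's documented examples use paths such as `~/.npm`). Keep `~/.cache/pre-commit` as it is in the current hunk.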
Lines 13-15: Set least-privilege permissions for this workflow. Explicit read-only GITHUB_TOKEN.
jobs: run-pre-commit: runs-on: ubuntu-latest + permissions: + contents: read.github/workflows/snyk-container.yml (1)
24-24
: Add minimal permissions to the snyk jobjobs: snyk: runs-on: ubuntu-latest + permissions: + security-events: write + contents: read.github/workflows/sphinx.yml (2)
Lines 16-17: Good: pinned checkout/setup-uv SHAs. Optionally add minimal token scope since this workflow publishes to Pages via gh-pages action.
jobs: sphinx-deploy: runs-on: ubuntu-latest + permissions: + contents: write
Line 26: Artifact upload pinned, LGTM. Optional: set retention-days to control storage.
- name: Upload docs build as artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4 with: name: ${{ github.event.repository.name }}_docs path: ${{ github.workspace }}/${{ inputs.path-to-doc }} + retention-days: 7
📒 Files selected for processing (9)
- .github/workflows/codeql.yml (3 hunks)
- .github/workflows/mkdocs.yml (1 hunk)
- .github/workflows/pre-commit.yml (1 hunk)
- .github/workflows/py-coverage.yml (2 hunks)
- .github/workflows/py-publish.yml (2 hunks)
- .github/workflows/release-drafter.yml (1 hunk)
- .github/workflows/snyk-container.yml (2 hunks)
- .github/workflows/sphinx.yml (2 hunks)
- .github/workflows/stale.yml (1 hunk)
🔇 Additional comments (14)
.github/workflows/stale.yml (1)
Line 9: Good pinning to a full SHA. Using a commit SHA with an inline version comment improves supply-chain safety and traceability.
.github/workflows/py-coverage.yml (1)
Line 11: LGTM on pinning core actions. checkout is correctly pinned to a v5 commit SHA.
.github/workflows/py-publish.yml (2)
Line 16: LGTM on pinning checkout to a v5 SHA.
Lines 35-37: Good: provenance attestation pinned to a commit and required permissions present.
.github/workflows/release-drafter.yml (1)
Line 23: Good pin to a specific commit for release-drafter.
.github/workflows/pre-commit.yml (1)
Lines 16-18: LGTM on pinning checkout/setup-python to SHAs.
.github/workflows/mkdocs.yml (1)
Lines 10-11: astral-sh/setup-uv SHA is invalid. The pinned commit 4959332f0f014c5280e7eac8b70c90cb574c9f9b isn't found upstream, so this step will always fail. Update it to a valid tag or commit SHA.
Optional: scope GITHUB_TOKEN permissions for the mkdocs-deploy job to least privilege:
jobs: mkdocs-deploy: runs-on: ubuntu-latest + permissions: + contents: write
Likely an incorrect or invalid review comment.
.github/workflows/snyk-container.yml (2)
Line 10: Checkout pinned, LGTM.
Line 13: Pinning Snyk action to commit, LGTM.
.github/workflows/codeql.yml (4)
Line 46: Checkout pinned, LGTM.
Line 50: CodeQL init pinned, LGTM.
Line 63: CodeQL autobuild pinned, LGTM.
Line 77: Analyze step pinned, LGTM. Permissions already least-privilege for CodeQL. Nothing else to change.
.github/workflows/sphinx.yml (1)
Line 34: gh-pages action pinned, LGTM. No further changes needed.
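A small checker for the pinning convention this PR adopts (a full 40-hex commit SHA followed by a `#vN` version comment), added here as an illustration; it is not part of the PR or of either review bot's tooling. The workflow text is constructed, and the SHA-to-release mapping check the review above asks for is left out because it needs network access to the upstream repositories.

```python
import re

# One `uses:` line of a GitHub Actions step: owner/repo[/path]@ref, optionally
# followed by a "# ..." comment. Local (./) actions carry no "@" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The comment must name a version, e.g. "v5" or "v9.0.0", as this PR does.
TAG_RE = re.compile(r"v?\d[\w.-]*")

# Constructed sample workflow (not a file from the PR): one correctly pinned step,
# one still on a mutable tag, one SHA-pinned but missing the version comment.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 #v5
      - uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: Upload report
        uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""


def check_workflow(text):
    """Return (line_no, message) findings for every third-party action that is not
    pinned to a full commit SHA with a trailing '#vN' version comment."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            findings.append((no, f"{action}: '{ref}' is a mutable ref, not a 40-hex commit SHA"))
        elif comment is None or not TAG_RE.fullmatch(comment):
            findings.append((no, f"{action}: SHA-pinned but missing the '#vN' version comment"))
    return findings


if __name__ == "__main__":
    for no, msg in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {msg}")
```

Running it on a checkout (`for f in .github/workflows/*.yml`) and failing CI on any finding is the kind of periodic check the review above suggests, independent of Dependabot.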
Indeed. I'd choose zero trust not only for us but also for the users, like other orgs such as Apache, who rely on our tools.
I think so. I assume
Good point. I feel like there might be fewer updates. Maybe we could merge this PR and see what happens.
I highly doubt that. Dependabot will surely start submitting PRs for every patch release about all actions we use.
Yes. If you didn't notice yet, I'm a fan of breaking things and then fixing them promptly. 😜 In embedded software development, there's a common saying among beginner tutorials:
The "fun" part is supposed to imply fixing what you broke. 🤣
I'm curious to see what dependabot will do with the trailing comments.
You fix things absolutely very fast 😜
closes #40