
Pin keep repo commit SHA with CI and Gradle verification #232

Merged

kwsantiago merged 4 commits into main from Pin-keep on Apr 14, 2026

Conversation

@wksantiago (Contributor) commented Apr 13, 2026

Summary by CodeRabbit

  • Chores
    • Introduced a local composite GitHub Action to centralize and standardize dependency checkout logic across workflows.
    • CI/workflow steps updated to use the new composite action.
    • Build now validates a pinned SHA and requires a clean, matching checkout before building native bindings.
    • Added a file containing the pinned dependency SHA used by CI and build verification.

@coderabbitai Bot commented Apr 13, 2026

Warning

Rate limit exceeded

@kwsantiago has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 58 minutes and 12 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 58 minutes and 12 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1bac3f90-c218-41c5-b116-80fa0f0190b9

📥 Commits

Reviewing files that changed from the base of the PR and between b0e735e and 7cca9ac.

📒 Files selected for processing (1)
  • keep.version

Walkthrough

This PR centralizes and enforces a pinned privkeyio/keep commit SHA: adds keep.version, a composite GitHub Action that validates and checks out that SHA, a Gradle verifyKeepVersion task that asserts the checkout matches and is clean, and updates CI workflows to use the new action.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| GitHub Actions Setup: `.github/actions/setup-keep/action.yml` | New composite action: reads keep.version, validates a 40-char lowercase hex SHA, checks out privkeyio/keep into keep/ at that SHA, and verifies HEAD matches the pinned SHA. |
| CI Workflow Updates: `.github/workflows/ci.yml`, `.github/workflows/release.yml` | Replaced inline actions/checkout of privkeyio/keep with a step invoking ./.github/actions/setup-keep. |
| Gradle Build System: `build.gradle.kts`, `app/build.gradle.kts` | Added verifyKeepVersion task that validates keep.version against the keep checkout (HEAD and worktree cleanliness); made buildRust and app:preBuild depend on verification. |
| Version Pinning: `keep.version` | New file with pinned SHA: 81a820f6b29b8d10025bf4c7e7bdd9f986b01378. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Workflow
    participant SetupAction as SetupKeepAction
    participant Git as GitRepo
    participant Gradle as BuildSystem

    Workflow->>SetupAction: invoke ./.github/actions/setup-keep
    SetupAction->>Git: read keep.version -> validate SHA
    SetupAction->>Git: actions/checkout privkeyio/keep at SHA into keep/
    SetupAction->>Git: git -C keep rev-parse HEAD -> compare with pinned SHA
    SetupAction-->>Workflow: return output sha / fail on mismatch
    Workflow->>Gradle: run build (buildRust / preBuild)
    Gradle->>Git: git -C keep rev-parse HEAD & git -C keep status --porcelain
    Gradle-->>Workflow: fail if HEAD mismatch or worktree dirty
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I found a SHA pinned true and neat,
I hopped it in a single file to keep,
Workflows call my action bright and spry,
Gradle checks the hash and gives a sigh,
All tidy now — a carrot for the feat.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: pinning a keep repository commit SHA with verification in both CI and Gradle workflows. |

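The two checks the walkthrough above describes, the composite action's validation of keep.version and the Gradle verifyKeepVersion task's HEAD and worktree check, written out as one POSIX shell script. This is an added example, not the project's action.yml or build.gradle.kts; the function names, the exit-code scheme and the throwaway git repo standing in for privkeyio/keep are this example's own assumptions, and the fixture is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not the project's code: the pin check the PR describes
# (keep.version must be 40 lowercase hex chars; the keep/ checkout must be
# at that SHA with a clean worktree), written as shell functions. The exit
# codes below and the fixture repo are this example's own assumptions.

# Print the pinned SHA from <root>/keep.version, or fail if the file is
# missing, empty, or not exactly 40 lowercase hex characters.
read_pinned_sha() {
  root="$1"
  [ -s "$root/keep.version" ] || { echo "missing or empty keep.version" >&2; return 1; }
  sha=$(tr -d '[:space:]' < "$root/keep.version")
  printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$' \
    || { echo "invalid keep.version: $sha" >&2; return 1; }
  printf '%s\n' "$sha"
}

# Verify that the git checkout at <keep> is at the SHA pinned in
# <root>/keep.version and that its worktree is clean.
# Returns 0 ok, 1 bad keep.version, 2 HEAD mismatch, 3 dirty worktree,
# 4 git could not be run.
verify_keep_version() {
  root="$1"; keep="$2"
  pinned=$(read_pinned_sha "$root") || return 1
  # Keep stderr separate so a git warning never ends up in the SHA we compare.
  errf=$(mktemp)
  if ! actual=$(git -C "$keep" rev-parse HEAD 2>"$errf"); then
    echo "failed to read HEAD of $keep: $(cat "$errf")" >&2
    rm -f "$errf"; return 4
  fi
  rm -f "$errf"
  if [ "$actual" != "$pinned" ]; then
    echo "keep is at $actual but keep.version pins $pinned." >&2
    echo "Fix: git -C $keep checkout $pinned" >&2
    return 2
  fi
  status=$(git -C "$keep" status --porcelain) || return 4
  if [ -n "$status" ]; then
    echo "keep worktree is not clean:" >&2
    printf '%s\n' "$status" >&2
    return 3
  fi
  return 0
}

# Constructed fixture: a throwaway repo standing in for privkeyio/keep under
# <root>/keep, and <root>/keep.version pinned to that repo's HEAD. Prints <root>.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/keep"
  git -C "$root/keep" init -q
  echo "fn main() {}" > "$root/keep/lib.rs"
  git -C "$root/keep" add lib.rs
  git -C "$root/keep" -c user.name=example -c user.email=example@example.invalid \
    -c commit.gpgsign=false commit -q -m "constructed fixture commit"
  git -C "$root/keep" rev-parse HEAD > "$root/keep.version"
  printf '%s\n' "$root"
}
```

In a real build the equivalent of `verify_keep_version . keep` would run before buildRust, as the PR makes the Gradle task do; the non-zero exit codes distinguish a bad pin file from a wrong or dirty checkout so CI logs say which one to fix.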

@wksantiago wksantiago self-assigned this Apr 13, 2026
@wksantiago wksantiago linked an issue Apr 13, 2026 that may be closed by this pull request
@coderabbitai Bot left a comment

🧹 Nitpick comments (2)
build.gradle.kts (1)

87-89: Consider capturing stderr for debugging purposes.

Discarding stderr with redirectError(ProcessBuilder.Redirect.DISCARD) hides potentially useful error information when git fails. Consider capturing it to include in the error message.

Optional improvement to capture stderr
         val process = ProcessBuilder("git", "-C", keepPath, "rev-parse", "HEAD")
-            .redirectError(ProcessBuilder.Redirect.DISCARD)
+            .redirectErrorStream(true)
             .start()
         val actualSha = process.inputStream.bufferedReader().use { it.readText() }.trim()
         if (process.waitFor() != 0) {
             throw GradleException(
-                "Failed to read HEAD of $keepPath. " +
+                "Failed to read HEAD of $keepPath: $actualSha. " +
                 "Fix: git -C $keepPath checkout $pinnedSha"
             )
         }
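Review bot: `redirectErrorStream(true)` merges stderr into the stream that `actualSha` is read from, so a git run that exits 0 but prints a warning would leave `actualSha` holding the warning text and the later comparison against `$pinnedSha` would fail with a misleading message. Read `process.errorStream` into its own string (before `waitFor()`, alongside stdout) and append only that to the `GradleException` text, so `"Failed to read HEAD of $keepPath: ..."` still gets the diagnostic while `actualSha` stays pure stdout.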
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@build.gradle.kts` around lines 87 - 89, The current ProcessBuilder that runs
git rev-parse ("git", "-C", keepPath, "rev-parse", "HEAD") calls
redirectError(ProcessBuilder.Redirect.DISCARD) which hides stderr; modify the
invocation so stderr is captured (e.g., remove the Redirect.DISCARD and use
redirectErrorStream(false) or pipe the error stream) and then read the process's
error stream after start() to include any error output in the failure
handling/logging for the rev-parse call; ensure you still handle process exit
codes and include the captured stderr in the error message so failures are
debuggable.
.github/actions/setup-keep/action.yml (1)

13-16: Add explicit check for missing keep.version file.

If keep.version doesn't exist, the tr command will succeed with empty output, producing an unclear "invalid keep.version: " error. Adding an explicit file existence check would provide a clearer error message.

Suggested improvement
      run: |
+       if [[ ! -f keep.version ]]; then
+         echo "keep.version file not found" >&2
+         exit 1
+       fi
        sha=$(tr -d '[:space:]' < keep.version)
        [[ "$sha" =~ ^[0-9a-f]{40}$ ]] || { echo "invalid keep.version: $sha" >&2; exit 1; }
        echo "sha=$sha" >> "$GITHUB_OUTPUT"
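Review bot: the `[[ ! -f keep.version ]]` guard catches a missing file but not an empty one, which still falls through to the unclear `invalid keep.version: ` message this change is meant to avoid; `[[ ! -s keep.version ]]` covers both cases in one test. Both `[[ ... ]]` and `=~` are bash-only, so this step depends on running under `shell: bash`, which the snippet does not show; and since the regex rejects an uppercase SHA, the error text could say that 40 lowercase hex characters are required.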
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/actions/setup-keep/action.yml around lines 13 - 16, Add an explicit
existence (and optionally non-empty) check for the keep.version file before
running tr: in the run block, verify keep.version exists (e.g., [ -f
keep.version ] or [ -s keep.version ]) and fail with a clear error like "missing
keep.version" before computing sha; then proceed to set sha=$(tr -d '[:space:]'
< keep.version) and validate the SHA as currently done. This ensures the sha
variable and invalid message are only shown when the file is present.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5923d528-a89f-40e2-8db9-a04bdb9f218b

📥 Commits

Reviewing files that changed from the base of the PR and between 3c75c08 and 2f3bb55.

📒 Files selected for processing (6)
  • .github/actions/setup-keep/action.yml
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • app/build.gradle.kts
  • build.gradle.kts
  • keep.version

@wksantiago wksantiago requested a review from kwsantiago April 13, 2026 23:58
@kwsantiago (Contributor) left a comment

ACK b0e735e

@kwsantiago kwsantiago merged commit 4bc8144 into main Apr 14, 2026
3 checks passed
@kwsantiago kwsantiago deleted the Pin-keep branch April 14, 2026 00:31

Development

Successfully merging this pull request may close these issues.

Pin keep repo commit SHA in a single source of truth

2 participants