ci: update reusable action pins#3
Conversation
|
Warning Review limit reached
Next review available in: 53 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (13)
📝 WalkthroughWalkthroughThis PR updates pinned commit SHAs for third-party GitHub Actions across all workflow files in ChangesCI Action Version Pinning Updates
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested labels: dependencies, github_actions, ci Suggested reviewers: samuelho-dev Related issues: None found Related PRs: None found 🐰 Hop, hop, through workflows bright, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/docker-build-push.yml (1)
106-234: 🩺 Stability & Availability | 🔵 TrivialConfirm self-hosted runners support Node 24 before this rollout.
runs-onis parameterized (${{ inputs.runs-on }}), so this reusable workflow can be invoked with self-hosted runners.actions/checkoutv7,github/codeql-actionv4, andsigstore/cosign-installerv4 all require newer runner versions to execute Node 24-based actions. If any consumer pins an older self-hosted runner, these steps will fail at runtime.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docker-build-push.yml around lines 106 - 234, The reusable workflow’s build job now relies on Node 24-based actions, so verify every supported value of inputs.runs-on includes self-hosted runners that meet the required runner version before merging. Review the build steps using actions/checkout, github/codeql-action/upload-sarif, and sigstore/cosign-installer, and either document the minimum runner version in the workflow contract or restrict inputs.runs-on to compatible runners so older self-hosted agents do not break at runtime.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/test.yaml:
- Line 20: The checkout step in the test workflow is persisting git credentials
unnecessarily, which triggers the artipacked warning. Update the
actions/checkout usage in the test job to explicitly disable credential
persistence by setting persist-credentials to false, since the job only runs
local tests and does not need authenticated git access.
---
Nitpick comments:
In @.github/workflows/docker-build-push.yml:
- Around line 106-234: The reusable workflow’s build job now relies on Node
24-based actions, so verify every supported value of inputs.runs-on includes
self-hosted runners that meet the required runner version before merging. Review
the build steps using actions/checkout, github/codeql-action/upload-sarif, and
sigstore/cosign-installer, and either document the minimum runner version in the
workflow contract or restrict inputs.runs-on to compatible runners so older
self-hosted agents do not break at runtime.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 54539b6e-7f6a-4050-b110-d726c859fd23
📒 Files selected for processing (12)
.github/workflows/docker-build-push.yml.github/workflows/ecs-deploy.yml.github/workflows/gitleaks-scan.yml.github/workflows/helm-lint.yml.github/workflows/helm-publish.yml.github/workflows/sbom-generate.yml.github/workflows/sync-main-to-dev.yml.github/workflows/terraform-apply.yml.github/workflows/terraform-plan.yml.github/workflows/terraform-validate.yml.github/workflows/test.yaml.github/workflows/trivy-scan.yml
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Disable credential persistence on checkout.
zizmor flags this checkout as artipacked — persist-credentials isn't set to false. This job only runs a local test script and doesn't need authenticated git access, so persisting the token is unnecessary exposure.
🔒 Proposed fix
- - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 20-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/test.yaml at line 20, The checkout step in the test
workflow is persisting git credentials unnecessarily, which triggers the
artipacked warning. Update the actions/checkout usage in the test job to
explicitly disable credential persistence by setting persist-credentials to
false, since the job only runs local tests and does not need authenticated git
access.
Source: Linters/SAST tools
96d0d0f to
ef36bcc
Compare
Summary
Verification
Summary by CodeRabbit