Skip to content

ci: update reusable action pins#3

Merged
samuelho-dev merged 1 commit into
mainfrom
fix/latest-actions
Jul 2, 2026
Merged

ci: update reusable action pins#3
samuelho-dev merged 1 commit into
mainfrom
fix/latest-actions

Conversation

@samuelho-dev

@samuelho-dev samuelho-dev commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Summary

  • Update reusable workflow action pins to latest stable releases.
  • Move Node-based actions to Node 24-capable releases.

Verification

  • Parsed all workflow YAML with PyYAML.
  • Ran git diff --check.

Summary by CodeRabbit

  • Chores
    • Updated multiple automation workflows to use newer pinned action versions.
    • Improved reliability and consistency across build, deploy, Terraform, Helm, and scanning pipelines.
    • Kept all workflow behavior, inputs, and outputs the same while refreshing the underlying action references.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@samuelho-dev, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 53 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9cd12c6e-a9e4-4ed9-a271-7398a9b7a3bd

📥 Commits

Reviewing files that changed from the base of the PR and between 96d0d0f and ef36bcc.

📒 Files selected for processing (13)
  • .github/workflows/docker-build-push.yml
  • .github/workflows/ecs-deploy.yml
  • .github/workflows/ecs-smoke.yml
  • .github/workflows/gitleaks-scan.yml
  • .github/workflows/helm-lint.yml
  • .github/workflows/helm-publish.yml
  • .github/workflows/sbom-generate.yml
  • .github/workflows/sync-main-to-dev.yml
  • .github/workflows/terraform-apply.yml
  • .github/workflows/terraform-plan.yml
  • .github/workflows/terraform-validate.yml
  • .github/workflows/test.yaml
  • .github/workflows/trivy-scan.yml
📝 Walkthrough

Walkthrough

This PR updates pinned commit SHAs for third-party GitHub Actions across all workflow files in .github/workflows/, including actions/checkout, docker/*, aws-actions/*, hashicorp/setup-terraform, aquasecurity/trivy-action, github/codeql-action/upload-sarif, actions/upload-artifact, and sigstore/cosign-installer. No workflow logic, inputs, outputs, or conditional behavior changed.

Changes

CI Action Version Pinning Updates

Layer / File(s) Summary
Docker build/push and SBOM/scan pipeline
.github/workflows/docker-build-push.yml
Upgrades pinned SHAs for checkout, buildx setup, login, metadata, build-push, Trivy table/SARIF scans, SARIF upload, artifact upload, and cosign-installer.
ECS deployment action pins
.github/workflows/ecs-deploy.yml
Pins configure-aws-credentials and amazon-ecs-deploy-express-service to newer SHAs, keeping the same inputs.
Security scan workflows
.github/workflows/gitleaks-scan.yml, .github/workflows/trivy-scan.yml, .github/workflows/sbom-generate.yml
Updates checkout, docker/login-action, trivy-action, upload-sarif, and upload-artifact pins while preserving scan configuration and conditionals.
Helm lint and publish workflows
.github/workflows/helm-lint.yml, .github/workflows/helm-publish.yml
Updates checkout, setup-helm, cosign-installer, docker/login-action, and upload-artifact pins.
Terraform apply/plan/validate workflows
.github/workflows/terraform-apply.yml, .github/workflows/terraform-plan.yml, .github/workflows/terraform-validate.yml
Updates checkout, aws-credentials, setup-terraform, artifact upload/download, infracost setup, github-script, and trivy-action pins.
Sync and reusable test workflow checkout pins
.github/workflows/sync-main-to-dev.yml, .github/workflows/test.yaml
Updates actions/checkout to a newer pinned SHA.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: dependencies, github_actions, ci

Suggested reviewers: samuelho-dev

Related issues: None found

Related PRs: None found

🐰 Hop, hop, through workflows bright,
Pinning SHAs both day and night,
Checkout, Trivy, upload-artifact too,
Newer versions, tried and true,
A dozen files, one tidy update in sight.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: updating workflow action pins across reusable CI workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/latest-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/docker-build-push.yml (1)

106-234: 🩺 Stability & Availability | 🔵 Trivial

Confirm self-hosted runners support Node 24 before this rollout.

runs-on is parameterized (${{ inputs.runs-on }}), so this reusable workflow can be invoked with self-hosted runners. actions/checkout v7, github/codeql-action v4, and sigstore/cosign-installer v4 all require newer runner versions to execute Node 24-based actions. If any consumer pins an older self-hosted runner, these steps will fail at runtime.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker-build-push.yml around lines 106 - 234, The reusable
workflow’s build job now relies on Node 24-based actions, so verify every
supported value of inputs.runs-on includes self-hosted runners that meet the
required runner version before merging. Review the build steps using
actions/checkout, github/codeql-action/upload-sarif, and
sigstore/cosign-installer, and either document the minimum runner version in the
workflow contract or restrict inputs.runs-on to compatible runners so older
self-hosted agents do not break at runtime.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test.yaml:
- Line 20: The checkout step in the test workflow is persisting git credentials
unnecessarily, which triggers the artipacked warning. Update the
actions/checkout usage in the test job to explicitly disable credential
persistence by setting persist-credentials to false, since the job only runs
local tests and does not need authenticated git access.

---

Nitpick comments:
In @.github/workflows/docker-build-push.yml:
- Around line 106-234: The reusable workflow’s build job now relies on Node
24-based actions, so verify every supported value of inputs.runs-on includes
self-hosted runners that meet the required runner version before merging. Review
the build steps using actions/checkout, github/codeql-action/upload-sarif, and
sigstore/cosign-installer, and either document the minimum runner version in the
workflow contract or restrict inputs.runs-on to compatible runners so older
self-hosted agents do not break at runtime.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 54539b6e-7f6a-4050-b110-d726c859fd23

📥 Commits

Reviewing files that changed from the base of the PR and between d17cf90 and 96d0d0f.

📒 Files selected for processing (12)
  • .github/workflows/docker-build-push.yml
  • .github/workflows/ecs-deploy.yml
  • .github/workflows/gitleaks-scan.yml
  • .github/workflows/helm-lint.yml
  • .github/workflows/helm-publish.yml
  • .github/workflows/sbom-generate.yml
  • .github/workflows/sync-main-to-dev.yml
  • .github/workflows/terraform-apply.yml
  • .github/workflows/terraform-plan.yml
  • .github/workflows/terraform-validate.yml
  • .github/workflows/test.yaml
  • .github/workflows/trivy-scan.yml

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Disable credential persistence on checkout.

zizmor flags this checkout as artipackedpersist-credentials isn't set to false. This job only runs a local test script and doesn't need authenticated git access, so persisting the token is unnecessary exposure.

🔒 Proposed fix
-      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 20-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yaml at line 20, The checkout step in the test
workflow is persisting git credentials unnecessarily, which triggers the
artipacked warning. Update the actions/checkout usage in the test job to
explicitly disable credential persistence by setting persist-credentials to
false, since the job only runs local tests and does not need authenticated git
access.

Source: Linters/SAST tools

@samuelho-dev samuelho-dev merged commit aad056c into main Jul 2, 2026
3 checks passed
@samuelho-dev samuelho-dev deleted the fix/latest-actions branch July 2, 2026 00:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant