ci: lock actions version#228
Conversation
WalkthroughThis PR updates GitHub Actions workflows to use pinned commit SHAs instead of floating version tags for checkout, setup-go, CodeQL actions, golangci-lint, goreleaser, and setup-node across four workflow files. No workflow logic or code changes were made. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Pull request overview
Pins GitHub Actions used in CI workflows to immutable commit SHAs to improve supply-chain security and build reproducibility.
Changes:
- Replace
@v*action references with commit-SHA pins foractions/checkout,actions/setup-go, andactions/setup-node. - Pin GoReleaser, golangci-lint, and CodeQL actions to commit SHAs across release/lint/code-scanning workflows.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Pins checkout/setup-go/goreleaser/setup-node actions to SHAs for deterministic releases. |
| .github/workflows/lint.yml | Pins checkout/setup-go/golangci-lint actions to SHAs for deterministic linting. |
| .github/workflows/codeql.yaml | Pins checkout/setup-go/codeql actions to SHAs for deterministic code scanning. |
| .github/workflows/build-test.yml | Pins checkout/setup-go actions to SHAs for deterministic build/test runs. |
Comments suppressed due to low confidence (1)
.github/workflows/release.yml:40
goreleaser/goreleaser-actionis now pinned to a commit SHA, but thewith.version: latestsetting still pulls an unpinned GoReleaser binary at runtime. This makes releases non-reproducible and can unexpectedly change behavior. Consider pinningwith.versionto a specific GoReleaser version (or to a known good range) so the release workflow is fully deterministic.
- uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
with:
distribution: goreleaser
version: latest
args: release --clean
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)
22-46: Consider automating SHA updates.While pinning to commit SHAs improves security, it requires manual updates for security patches and new features. Consider enabling Dependabot for GitHub Actions to automatically create PRs when new versions are released.
📝 Sample Dependabot configuration
Create or update
.github/dependabot.yml:version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" commit-message: prefix: "ci" include: "scope"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/release.yml around lines 22 - 46, The workflow pins GitHub Actions to specific commit SHAs which requires manual updates; add Dependabot configuration to auto-open PRs for github-actions updates and prefer version tags or ranges instead of fixed commit SHAs where acceptable. Create or update a .github/dependabot.yml to enable package-ecosystem: "github-actions" with a weekly schedule (or desired cadence) so Dependabot will propose updated action versions; then replace hard SHAs in the workflow (e.g., the uses entries for actions/checkout, actions/setup-go, goreleaser/goreleaser-action, actions/setup-node) with semantic version tags or ranges (or keep caret/major pins) to allow Dependabot to bump them automatically.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/codeql.yaml:
- Line 44: The workflow comment for the CodeQL checkout is inconsistent with the
pinned SHA: update the line referencing
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd (the current pinned
commit) so the version label matches, or re-pin to the correct v4.35.2 commit
SHA (7fc6561ed893d15cec696e062df840b21db27eb0); specifically edit the uses entry
and its trailing comment (the "# v4.35.2" label) so the SHA and the version
label are aligned with the other CodeQL sub-action pins.
---
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 22-46: The workflow pins GitHub Actions to specific commit SHAs
which requires manual updates; add Dependabot configuration to auto-open PRs for
github-actions updates and prefer version tags or ranges instead of fixed commit
SHAs where acceptable. Create or update a .github/dependabot.yml to enable
package-ecosystem: "github-actions" with a weekly schedule (or desired cadence)
so Dependabot will propose updated action versions; then replace hard SHAs in
the workflow (e.g., the uses entries for actions/checkout, actions/setup-go,
goreleaser/goreleaser-action, actions/setup-node) with semantic version tags or
ranges (or keep caret/major pins) to allow Dependabot to bump them
automatically.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e4bed196-71ed-4774-9880-db2f6f6f6849
📒 Files selected for processing (4)
.github/workflows/build-test.yml.github/workflows/codeql.yaml.github/workflows/lint.yml.github/workflows/release.yml
Description (required)
Related issues & labels (optional)
Summary by CodeRabbit
Note: This release contains infrastructure maintenance only. No user-facing features or functionality changes.