Skip to content

ci: pin checkout, setup-python to commit SHA#15

Open
ry-ops wants to merge 2 commits into
mainfrom
git-steer/pin-actions-1778310102174
Open

ci: pin checkout, setup-python to commit SHA#15
ry-ops wants to merge 2 commits into
mainfrom
git-steer/pin-actions-1778310102174

Conversation

@ry-ops

@ry-ops ry-ops commented May 9, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Owner

git-steer: Pin GitHub Actions to commit SHAs

Auto-generated by git-steer autoRemediateFindings.

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions to specific commit hashes in CI and release workflows.

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 9, 2026
edited
Loading

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc3d2591-f73b-4c1a-8988-47bcbf4a4d57

📥 Commits

Reviewing files that changed from the base of the PR and between c13f578 and b47cbdd.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
📝 Walkthrough

Walkthrough

This PR pins GitHub Actions to specific commit SHAs across CI and release workflows, replacing floating @v4 and @v5 tag references with fixed commit hashes. The pattern is applied consistently to actions/checkout and actions/setup-python in the test job, security job, and release job.

Changes

GitHub Actions Security Pinning

Layer / File(s) Summary
CI Workflow Actions Pinning
.github/workflows/ci.yml		 Test job (lines 20–23) and security job (lines 54–57) pin actions/checkout and actions/setup-python to fixed commit SHAs.
Release Workflow Actions Pinning
.github/workflows/release.yml		 Release job (lines 15–18) pins actions/checkout and actions/setup-python to fixed commit SHAs with inline version comments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit hops through workflows bright,
🐰 Pinning actions left and right,
No floating tags to drift away,
Commit hashes keep us on the way,
Stable builds—hip, hip, hooray!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'ci: pin checkout, setup-python to commit SHA' accurately and concisely describes the main change in the pull request: pinning GitHub Actions to commit SHAs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch git-steer/pin-actions-1778310102174

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ry-ops