test#380

Open
suzuki-shunsuke wants to merge 5 commits into main from test-pinact-action-v3

@suzuki-shunsuke suzuki-shunsuke commented May 23, 2026

Summary by CodeRabbit

  • Chores
    • Broadened CI triggers to run on all pull request events for more consistent checks.
    • Updated workflow steps to use a dedicated installation token and improved permissions.
    • Pinned third-party workflow actions to specific commits for more stable, reproducible runs.
    • Replaced an old notification step and streamlined job steps to simplify CI behavior.

coderabbitai Bot commented May 23, 2026

Warning

Review limit reached

@suzuki-shunsuke, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 1 review/hour. Refill in 48 minutes and 20 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 07f5e5a2-34c4-4a01-9f4c-91d35cad71a0

📥 Commits

Reviewing files that changed from the base of the PR and between 32be3dc and 45b24b7.

📒 Files selected for processing (3)
  • aqua-checksums.json
  • aqua.yaml
  • aqua/reviewdog.yaml
📝 Walkthrough

Broaden test workflow trigger to all pull_request events, remove job-level gating, raise contents permission to write, change job steps to checkout (no persisted credentials), create a GitHub App token, and run pinact; separately pin multiple third-party actions to commit SHAs across workflows.

Changes

Test workflow rewrite

| Layer / File(s) | Summary |
| --- | --- |
| Trigger and permissions configuration (.github/workflows/test.yaml) | Workflow trigger replaced by on: pull_request. Job-level if condition removed. permissions.contents changed from read to write; pull-requests: write retained. |
| Job steps: checkout, app token, pinact (.github/workflows/test.yaml) | Replaced job steps with actions/checkout using persist-credentials: false, actions/create-github-app-token using ${{ vars.APP_ID }} and ${{ secrets.APP_PRIVATE_KEY }} and explicit scopes, then suzuki-shunsuke/pinact-action authenticated via the generated token and run with review: true. |

Pin third-party action references

| Layer / File(s) | Summary |
| --- | --- |
| Pin actions and workflow refs (.github/workflows/check-approval.yaml, .github/workflows/close-issue.yaml, .github/workflows/test-pinact.yaml) | Replaced unpinned tags with specific commit SHAs for actions/github-script (v7 → v7.1.0 SHA), suzuki-shunsuke/issue-close-lock-action (v0.1.0 → pinned SHA), actions/checkout, actions/cache, and suzuki-shunsuke/actionlint-workflow in test-pinact.yaml. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through YAML, pins in my paws,
Replacing tags with exact, tidy laws.
Triggers widened, tokens set just right,
Pinact hops in to help tests take flight—
A little rabbit's work, snug and bright.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ❓ Inconclusive | The title 'test' is vague and generic, failing to describe what the pull request actually changes. | Replace the title with a specific summary of the main changes, such as 'Pin GitHub Actions to specific commit SHAs' or 'Update workflows to use pinned action versions'. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test.yaml:
- Around line 12-15: Replace the floating action refs with immutable
40-character commit SHAs: update the occurrences of "actions/checkout@v4" and
"suzuki-shunsuke/pinact-action@pr/1065" to use their respective full 40-char
commit SHA pins (e.g., "actions/checkout@<40-char-commit-sha>" and
"suzuki-shunsuke/pinact-action@<40-char-commit-sha>") so the workflow uses fixed
commits instead of version tags or PR refs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 17f59a3f-eda0-4e86-b7dd-0bce95b691ce

📥 Commits

Reviewing files that changed from the base of the PR and between 0e685d9 and 38b1280.

📒 Files selected for processing (1)
  • .github/workflows/test.yaml

Comment thread .github/workflows/test.yaml Outdated
Comment on lines +12 to +15
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: suzuki-shunsuke/pinact-action@pr/1065

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/test.yaml"

echo "Non-SHA action refs in ${file}:"
rg -n '^\s*-\s*uses:\s*[^@]+@([^\s#]+)' "$file" | while IFS=: read -r line content; do
  ref="$(echo "$content" | sed -E 's/.*@([^\s#]+).*/\1/')"
  if ! [[ "$ref" =~ ^[0-9a-fA-F]{40}$ ]]; then
    echo "Line ${line}: ${ref}"
  fi
done

echo
echo "PR-style refs (problematic for pinning tools):"
rg -n '^\s*-\s*uses:\s*[^@]+@pr/[0-9]+' "$file" || true

Repository: szksh-lab-2/test-github-action

Length of output: 258


🏁 Script executed:

#!/bin/bash
set -euo pipefail

file=".github/workflows/test.yaml"

echo "Non-SHA action refs in ${file}:"
rg -n '^\s*-\s*uses:\s*[^@]+@([^\s#]+)' "$file" | while IFS=: read -r line content; do
  ref="$(echo "$content" | sed -E 's/.*@([^\s#]+).*/\1/')"
  if ! [[ "$ref" =~ ^[0-9a-fA-F]{40}$ ]]; then
    echo "Line ${line}: ${ref}"
  fi
done

Repository: szksh-lab-2/test-github-action

Length of output: 155


Pin uses: action refs to immutable 40-char commit SHAs (lines 12-15 in .github/workflows/test.yaml)

  • Line 12: actions/checkout@v4 must be replaced with actions/checkout@<40-char-commit-sha>
  • Line 15: suzuki-shunsuke/pinact-action@pr/1065 must be replaced with suzuki-shunsuke/pinact-action@<40-char-commit-sha> (no pr/* refs)
🧰 Tools
🪛 GitHub Actions: test / 0_test.txt

[error] 15-15: pinact failed: "failed to handle a line: action can't be pinned". Line contains an unpin-able uses reference: "- uses: suzuki-shunsuke/pinact-action@pr/1065".

🪛 GitHub Actions: test / test

[error] 15-15: pinact failed: action can't be pinned

🪛 GitHub Check: test

[failure] 15-15: pinact error
action can't be pinned


[notice] 12-12: pinact error
- uses: actions/checkout@34e1148 # v4.3.1

🪛 zizmor (1.25.2)

[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yaml around lines 12 - 15, Replace the floating
action refs with immutable 40-character commit SHAs: update the occurrences of
"actions/checkout@v4" and "suzuki-shunsuke/pinact-action@pr/1065" to use their
respective full 40-char commit SHA pins (e.g.,
"actions/checkout@<40-char-commit-sha>" and
"suzuki-shunsuke/pinact-action@<40-char-commit-sha>") so the workflow uses fixed
commits instead of version tags or PR refs.
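
The check this review asks for, as an added example (not code from this PR, CodeRabbit or pinact): it lists every `uses:` ref that is not a full 40-character commit SHA and labels `pr/<number>` refs separately, since the pinact run above reported that form as one it cannot pin. The function names, class labels and the sample workflow, including its placeholder SHA, are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: report workflow `uses:` refs that are not full commit SHAs.
# Function names, class labels and the sample workflow are constructed here.

# classify_ref REF -> sha | pr-ref | mutable
classify_ref() {
  if printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{40}$'; then
    echo sha          # immutable: full 40-character commit SHA
  elif printf '%s\n' "$1" | grep -Eq '^pr/[0-9]+$'; then
    echo pr-ref       # pull-request ref such as pr/1065
  else
    echo mutable      # tag, branch or abbreviated SHA
  fi
}

# audit_uses: workflow YAML on stdin; prints "LINE ACTION REF CLASS" for
# every remote action whose ref is not a full commit SHA.
audit_uses() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    # Keep only the action spec; a trailing "# v4.3.1" comment is dropped.
    spec=$(printf '%s\n' "$line" | sed -nE \
      's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*([^[:space:]#]+).*$/\1/p')
    case $spec in
      ''|./*|docker://*) continue ;;   # not a uses line, or no git ref
      *@*) ;;
      *) continue ;;
    esac
    class=$(classify_ref "${spec##*@}")
    [ "$class" = sha ] || echo "$n ${spec%@*} ${spec##*@} $class"
  done
}

# Constructed sample; the actions/cache SHA is a made-up placeholder.
sample_workflow() {
  cat <<'EOF'
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
      - uses: suzuki-shunsuke/pinact-action@pr/1065
EOF
}
sample_workflow | audit_uses
```

Run against a real file with `audit_uses < .github/workflows/test.yaml`; an empty result means every remote action is pinned to a full SHA.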

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
.github/workflows/test.yaml (1)

23-23: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Pin suzuki-shunsuke/pinact-action to an immutable 40-char SHA.

Line 23 uses @pr/1065, which is mutable/unpinnable and is the direct cause of the failing run (pinact failed: action can't be pinned).

🔧 Minimal fix
-      - uses: suzuki-shunsuke/pinact-action@pr/1065
+      - uses: suzuki-shunsuke/pinact-action@<40-char-commit-sha> # vX.Y.Z
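Review bot: the `+` line is a template rather than an applicable change, because `<40-char-commit-sha>` and `# vX.Y.Z` both still have to be filled in, and since the removed line points at `pr/1065` rather than a release there may be no version tag to put in that comment. Fill in the SHA of the commit that is meant to be tested and make the trailing comment say what that commit is (for example the PR number) instead of a version.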
#!/bin/bash
set -euo pipefail
file=".github/workflows/test.yaml"

echo "Non-SHA action refs in ${file}:"
rg -n '^\s*-\s*uses:\s*[^@]+@([^\s#]+)' "$file" | while IFS=: read -r ln content; do
  ref="$(sed -E 's/.*@([^\s#]+).*/\1/' <<< "$content")"
  if ! [[ "$ref" =~ ^[0-9a-fA-F]{40}$ ]]; then
    echo "Line ${ln}: ${ref}"
  fi
done
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test.yaml at line 23, The workflow uses an unpinned
mutable ref "suzuki-shunsuke/pinact-action@pr/1065"; replace that with an
immutable 40-character commit SHA for the action. Locate the "uses:
suzuki-shunsuke/pinact-action@pr/1065" entry in the workflow and update the
suffix to the action repo's full 40-char commit hash (you can get it from the
action repo's commits on GitHub), then commit the updated line so the workflow
reads "uses: suzuki-shunsuke/pinact-action@<40-char-sha>".
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/test.yaml:
- Line 23: The workflow uses an unpinned mutable ref
"suzuki-shunsuke/pinact-action@pr/1065"; replace that with an immutable
40-character commit SHA for the action. Locate the "uses:
suzuki-shunsuke/pinact-action@pr/1065" entry in the workflow and update the
suffix to the action repo's full 40-char commit hash (you can get it from the
action repo's commits on GitHub), then commit the updated line so the workflow
reads "uses: suzuki-shunsuke/pinact-action@<40-char-sha>".

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: de981db6-0ecd-4841-ab07-95ddd9839316

📥 Commits

Reviewing files that changed from the base of the PR and between 38b1280 and 32be3dc.

📒 Files selected for processing (4)
  • .github/workflows/check-approval.yaml
  • .github/workflows/close-issue.yaml
  • .github/workflows/test-pinact.yaml
  • .github/workflows/test.yaml

permission-contents: write
permission-actions: write
permission-pull-requests: write
- uses: suzuki-shunsuke/pinact-action@pr/1065
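Review bot: the three `permission-*: write` inputs sit directly above a step that runs `suzuki-shunsuke/pinact-action@pr/1065`, so a token with write access to contents, actions and pull requests is handed to code at a ref that can change between runs. Pin that `uses:` line to a commit SHA, and check whether `permission-actions: write` is needed at all; drop any scope the step does not use.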

🚫 [pinact] reported by reviewdog 🐶
failed to handle a line: action can't be pinned
