Merged
25 changes: 25 additions & 0 deletions .github/workflows/commit-check.yml
@@ -0,0 +1,25 @@
name: Commit Check

on:
pull_request:
branches: 'main'
types: [opened, synchronize, reopened, edited]
workflow_dispatch:

jobs:
commit-check:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v7.0.0
with:
fetch-depth: 0 # Required for merge-base checks
- uses: commit-check/commit-check-action@v2.10.0
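Review bot: the `# v7.0.0` comment beside the actions/checkout pin is the only human-readable statement of what `11bd71901bbe5b1630ceea73d27597364c9af683` is, and nothing in this diff ties the two together; a hand-bumped hash with a stale comment, or a hand-edited comment with an old hash, looks identical here. Before merging, run `git ls-remote https://github.com/actions/checkout refs/tags/v7.0.0` (for an annotated tag, the `^{}` line is the commit) and confirm the printed hash is the one pinned; if it is not, correct whichever side is wrong, because a misleading comment breaks every later audit of the pin. Apply the same hash-plus-tag-comment form to commit-check-action once it is pinned.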

🔒 Security & Privacy | 🟠 Major

Pin commit-check-action to a full commit SHA.

Line 19 uses the mutable tag v2.10.0. Since this job has pull-requests: write permission (lines 12–14), using a mutable reference weakens supply-chain security. Pin commit-check-action to the specific commit SHA corresponding to v2.10.0 to ensure reproducible and secure execution, matching the pattern used for actions/checkout on line 16.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/commit-check.yml at line 19, The workflow step using
commit-check/commit-check-action should be pinned to an immutable full commit
SHA instead of the mutable v2.10.0 tag. Update the uses entry in the
commit-check job to reference the exact SHA for that release, matching the
pinning approach already used by actions/checkout, so the action reference is
reproducible and not subject to upstream tag changes.
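The pinning point in the comment above holds for every `uses:` line in a workflow, and reviewers usually want it checked mechanically rather than by eye. The following is an added example, not code from this PR, from commit-check-action or from zizmor: a small Python checker over a constructed copy of this PR's workflow that lists actions not pinned to a 40-hex commit SHA, lists the write-level permissions the job requests (an unpinned action under a write token is the combination the comment flags), and extracts the `# tag` comment next to each SHA pin so the pin can be verified with `git ls-remote`. The function names and the sample workflow text are mine.

```python
import re

# Constructed sample: the workflow from this PR, reduced to the lines the checker reads.
# actions/checkout is pinned to a SHA with a tag comment; commit-check-action uses a tag.
SAMPLE_WORKFLOW = """\
name: Commit Check
on:
  pull_request:
    branches: 'main'
jobs:
  commit-check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v7.0.0
        with:
          fetch-depth: 0
      - uses: commit-check/commit-check-action@v2.10.0
        with:
          message: true
"""

# Any `uses:` line (step-level with a dash, or job-level reusable workflow without one).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")
# A `uses:` line pinned to a full commit SHA, optionally followed by a `# tag` comment.
PIN_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<sha>[0-9a-f]{40})(?![0-9a-f])"
    r"['\"]?\s*(?:#\s*(?P<tag>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
WRITE_PERM_RE = re.compile(r"^\s*(?P<scope>[a-z-]+):\s*write\s*$", re.MULTILINE)


def find_unpinned_uses(workflow_text):
    """Return (line_no, ref) for every `uses:` reference that is not a 40-hex SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through a mutable git tag, so the SHA rule does not apply to them.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref))  # no version at all: floats on the default branch
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append((line_no, ref))  # tag or branch name: mutable upstream
    return findings


def sha_pins(workflow_text):
    """Return (line_no, action, sha, tag_comment_or_None) for every SHA-pinned `uses:`."""
    pins = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = PIN_RE.match(line)
        if m:
            pins.append((line_no, m.group("action"), m.group("sha"), m.group("tag")))
    return pins


def write_permissions(workflow_text):
    """Return the permission scopes granted at `write` level, in file order."""
    return [m.group("scope") for m in WRITE_PERM_RE.finditer(workflow_text)]


def verify_command(action, tag):
    """Shell command a reviewer runs to learn which commit a tag points at.

    For an annotated tag, git ls-remote prints a second `refs/tags/<tag>^{}` line
    whose hash is the peeled commit; that is the value to compare with the pin.
    """
    return f"git ls-remote https://github.com/{action} refs/tags/{tag}"


def report(workflow_text):
    """Human-readable summary combining the three checks."""
    lines = []
    perms = write_permissions(workflow_text)
    for line_no, ref in find_unpinned_uses(workflow_text):
        severity = "HIGH (job holds write permissions)" if perms else "MEDIUM"
        lines.append(f"{line_no}: unpinned action {ref} [{severity}]")
    for line_no, action, sha, tag in sha_pins(workflow_text):
        if tag is None:
            lines.append(f"{line_no}: {action}@{sha[:12]} pinned but no tag comment to audit")
        else:
            lines.append(f"{line_no}: {action}@{sha[:12]} claims {tag}; verify: {verify_command(action, tag)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_WORKFLOW)))
```

The checker deliberately treats a missing `@version` as unpinned too: a bare `owner/repo` resolves to the default branch, which is even weaker than a tag. `report()` is the part to wire into CI; the other functions are what a test would assert on.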

with:
message: true
branch: true
job-summary: true
pr-comments: true
pr-title: true
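Review bot: `pr-comments: true` depends on the `pull-requests: write` grant at the top of the job, but on a `pull_request` run opened from a fork GitHub hands the workflow a read-only GITHUB_TOKEN regardless of that permissions block, so the action will be unable to post its comment for external contributors while `job-summary: true` and the failing status check still work. Decide that explicitly: either keep `pr-comments` and make sure a failed comment post does not mask the real result, or drop it and rely on the job summary. Do not switch the trigger to `pull_request_target` to get a write token, since that runs the checkout of untrusted PR content with repository secrets.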
34 changes: 34 additions & 0 deletions commit-check.toml
@@ -0,0 +1,34 @@
# ============================================================================
# commit-check — org-level base configuration
#
# Repos within the commit-check org can inherit this config by placing the
# following directive at the top of their own commit-check.toml:
#
# inherit_from = "github:commit-check/.github:commit-check.toml"
#
# Local settings override the inherited values (shallow merge per section).
# See https://github.com/commit-check/commit-check for full documentation.
# ============================================================================

[commit]
# https://www.conventionalcommits.org
conventional_commits = true
subject_capitalized = false
subject_imperative = true
subject_max_length = 100
subject_min_length = 5
allow_commit_types = ["feat", "fix", "docs", "style", "refactor", "test", "chore", "ci"]
allow_merge_commits = true
allow_revert_commits = true
allow_empty_commits = false
allow_fixup_commits = true
allow_wip_commits = false
require_body = false
require_signed_off_by = false
ignore_authors = ["dependabot[bot]", "copilot[bot]", "pre-commit-ci[bot]", "coderabbitai[bot]"]

[branch]
# https://conventional-branch.github.io/
conventional_branch = true
allow_branch_types = ["feature", "bugfix", "hotfix", "release", "chore", "feat", "fix", "ai", "claude", "codex", "copilot", "cursor"]
ignore_authors = ["dependabot[bot]", "copilot[bot]", "pre-commit-ci[bot]", "shenxianpeng"]
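Review bot: the `inherit_from = "github:commit-check/.github:commit-check.toml"` directive documented in the header carries no ref, so every repo that inherits this file takes whatever the .github repo's default branch holds at the moment the check runs; a push to that branch rewrites lint policy across the org with no diff in any consuming repo. If the directive syntax accepts a tag or commit after the path, document that form in the header; if it does not, say plainly that write access to the .github repo is write access to the policy, so the branch protection on it matches. Separately, the `[branch]` ignore list carries a personal account (`shenxianpeng`) that the `[commit]` list does not, while `coderabbitai[bot]` is ignored for commits but not branches; an org-wide base should list bots only and leave per-person exemptions to the inheriting repo's local override.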

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Restore coderabbitai[bot] in the branch ignore list.

Line 35 diverges from both Line 28 and the stated shared-policy objective: coderabbitai[bot] is no longer ignored for branch checks, while shenxianpeng gets a repo-specific exemption in the org-wide base config. That will make bot-authored PRs fail branch validation unexpectedly.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@commit-check.toml` at line 35, The branch ignore list in commit-check.toml is
missing coderabbitai[bot], which will cause bot-authored PRs to fail validation
unexpectedly. Update the ignore_authors setting to restore coderabbitai[bot]
alongside the existing bot entries, and keep the shared-policy list aligned with
the base config around the commit-check configuration.
