chore: pin github actions and harden workflows#2467
Conversation
- Pin all actions to a sha (dependabot supports this and will update them) - Disable credentials caching when checking out branches - Change the automerge workflow to use `pull_request` (the linked doc in the workflow does this) - Change the automerge workflow to check the user login rather than the HEAD actor name
|
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits. |
📝 WalkthroughWalkthroughGitHub Actions workflows for CodeQL analysis, Dependabot automerge, Node.js testing, and publishing were updated to reference pinned commit SHAs instead of version tags. The Dependabot automerge workflow's trigger event and job gating conditions were also modified. ChangesCI Workflow Hardening
Estimated code review effort: 2 (Simple) | ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Line 3: The dependabot automerge workflow is missing PR-scoped concurrency, so
stale runs can continue writing state for the same pull request. Update the
workflow trigger section around the existing on: pull_request configuration to
add a concurrency group keyed to the PR and enable cancel-in-progress so only
the latest run can enable automerge. Use the workflow’s existing job entrypoint
in this file to keep the scope limited to this write-capable automerge path.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: d64a1da2-ca53-4cc5-8ddf-959a69e5313d
📒 Files selected for processing (4)
.github/workflows/codeql-analysis.yml.github/workflows/dependabot-automerge.yml.github/workflows/nodejs-test.yml.github/workflows/publish.yml
| # Based on https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request | ||
| name: Dependabot auto-merge | ||
| on: pull_request_target | ||
| on: pull_request |
There was a problem hiding this comment.
🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win
Add PR-scoped concurrency for this write-capable workflow.
This automerge job can be retriggered for the same PR; cancel stale runs so only the newest run attempts to enable automerge.
Proposed hardening
on: pull_request
+
+concurrency:
+ group: dependabot-automerge-${{ github.event.pull_request.number }}
+ cancel-in-progress: true
permissions:📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| on: pull_request | |
| on: pull_request | |
| concurrency: | |
| group: dependabot-automerge-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 3-3: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting
(concurrency-limits)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/dependabot-automerge.yml at line 3, The dependabot
automerge workflow is missing PR-scoped concurrency, so stale runs can continue
writing state for the same pull request. Update the workflow trigger section
around the existing on: pull_request configuration to add a concurrency group
keyed to the PR and enable cancel-in-progress so only the latest run can enable
automerge. Use the workflow’s existing job entrypoint in this file to keep the
scope limited to this write-capable automerge path.
Source: Linters/SAST tools
them)
pull_request(the linked doc inthe workflow does this)
HEAD actor name
Summary by CodeRabbit