Skip to content

chore: pin github actions and harden workflows#2467

Open
43081j wants to merge 1 commit into
fb55:masterfrom
43081j:jg/workflow-goodness
Open

chore: pin github actions and harden workflows#2467
43081j wants to merge 1 commit into
fb55:masterfrom
43081j:jg/workflow-goodness

Conversation

@43081j

@43081j 43081j commented Jul 8, 2026

Copy link
Copy Markdown
  • Pin all actions to a sha (dependabot supports this and will update
    them)
  • Disable credentials caching when checking out branches
  • Change the automerge workflow to use pull_request (the linked doc in
    the workflow does this)
  • Change the automerge workflow to check the user login rather than the
    HEAD actor name

Summary by CodeRabbit

  • Chores
    • Updated automated workflows to use fixed, versioned action references for more consistent builds and maintenance.
    • Improved Dependabot automation checks and workflow triggers for safer, more predictable pull request handling.
    • Kept CI and release-related workflows aligned across test, analysis, and publish steps.

- Pin all actions to a sha (dependabot supports this and will update
  them)
- Disable credentials caching when checking out branches
- Change the automerge workflow to use `pull_request` (the linked doc in
  the workflow does this)
- Change the automerge workflow to check the user login rather than the
  HEAD actor name
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

GitHub Actions workflows for CodeQL analysis, Dependabot automerge, Node.js testing, and publishing were updated to reference pinned commit SHAs instead of version tags. The Dependabot automerge workflow's trigger event and job gating conditions were also modified.

Changes

CI Workflow Hardening

Layer / File(s) Summary
Pin actions to commit SHAs
.github/workflows/codeql-analysis.yml, .github/workflows/nodejs-test.yml, .github/workflows/publish.yml
actions/checkout, actions/setup-node, and github/codeql-action/init/analyze references replaced with pinned commit SHAs instead of version tags across lint, test, publish, and CodeQL jobs.
Tighten Dependabot automerge gating
.github/workflows/dependabot-automerge.yml
Trigger event changed from pull_request_target to pull_request, job condition tightened to check PR author is dependabot[bot] and repository is fb55/htmlparser2, and dependabot/fetch-metadata pinned to a commit SHA.

Estimated code review effort: 2 (Simple) | ~10 minutes

Poem

A rabbit hops through YAML fields so neat,
Pinning every action, no more floating feet.
Tags let go, SHAs take hold,
Workflows now run safe and bold.
Thump thump — CI's secure, or so I'm told! 🐇🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: pinning GitHub Actions and hardening workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/dependabot-automerge.yml:
- Line 3: The dependabot automerge workflow is missing PR-scoped concurrency, so
stale runs can continue writing state for the same pull request. Update the
workflow trigger section around the existing on: pull_request configuration to
add a concurrency group keyed to the PR and enable cancel-in-progress so only
the latest run can enable automerge. Use the workflow’s existing job entrypoint
in this file to keep the scope limited to this write-capable automerge path.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d64a1da2-ca53-4cc5-8ddf-959a69e5313d

📥 Commits

Reviewing files that changed from the base of the PR and between 47ac7bf and 25cf6c4.

📒 Files selected for processing (4)
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/dependabot-automerge.yml
  • .github/workflows/nodejs-test.yml
  • .github/workflows/publish.yml

# Based on https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
name: Dependabot auto-merge
on: pull_request_target
on: pull_request

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add PR-scoped concurrency for this write-capable workflow.

This automerge job can be retriggered for the same PR; cancel stale runs so only the newest run attempts to enable automerge.

Proposed hardening
 on: pull_request
+
+concurrency:
+    group: dependabot-automerge-${{ github.event.pull_request.number }}
+    cancel-in-progress: true
 
 permissions:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
on: pull_request
on: pull_request
concurrency:
group: dependabot-automerge-${{ github.event.pull_request.number }}
cancel-in-progress: true
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 3-3: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-automerge.yml at line 3, The dependabot
automerge workflow is missing PR-scoped concurrency, so stale runs can continue
writing state for the same pull request. Update the workflow trigger section
around the existing on: pull_request configuration to add a concurrency group
keyed to the PR and enable cancel-in-progress so only the latest run can enable
automerge. Use the workflow’s existing job entrypoint in this file to keep the
scope limited to this write-capable automerge path.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant