Skip to content

fix(ci): pin third-party github actions by sha (#84)#85

Merged
w7-mgfcode merged 1 commit into
devfrom
fix/ci-sha-pin-third-party-actions
May 11, 2026
Merged

fix(ci): pin third-party github actions by sha (#84)#85
w7-mgfcode merged 1 commit into
devfrom
fix/ci-sha-pin-third-party-actions

Conversation

@w7-mgfcode
Copy link
Copy Markdown
Owner

@w7-mgfcode w7-mgfcode commented May 11, 2026

Summary

  • SHA-pin the three third-party GitHub Actions used across all five workflows, per .claude/rules/security-patterns.md.
  • actions/checkout@v6 and actions/upload-artifact@v7 stay on major-tag (rule-permitted for first-party actions/*).
  • Dependabot watches .github/workflows/ weekly and will auto-bump these forward.

Closes #84.

Changes

Action Before After
googleapis/release-please-action @v5 @45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
astral-sh/setup-uv (×8) @v7 @37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
github/codeql-action/upload-sarif @v4 @c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4.34.0

Total: 5 files, 11 insertions, 11 deletions. No behavior change — each SHA resolves to the same commit as the corresponding major-tag at time of writing.

Test plan

  • CI on this PR passes (lint, typecheck, test, migration-check) using the newly-pinned astral-sh/setup-uv SHA
  • schema-validation workflow does not trigger (no alembic/, app/**/models.py, or app/core/database.py changes here) — confirm
  • No regression in cached uv installs (SHA is the current v7 head, so cache key remains compatible)
  • After merge to dev, sanity-check dev → main release flow still picks up release-please-action correctly on the next release PR

@w7-mgfcode
fix(ci): pin third-party github actions by sha (#84)
3e4da4b 
Closes #84.

Per .claude/rules/security-patterns.md: "Pin third-party GitHub Actions by
full 40-char SHA"; first-party actions/* may use major-version.

Pinned (third-party):
- googleapis/release-please-action@v5
  → @45996ed1f6d02564a971a2fa1b5860e934307cf7  # v5.0.0
- astral-sh/setup-uv@v7  (×8 across all five workflows)
  → @37802adc94f370d6bfd71619e3f0bf239e1f3b78  # v7.6.0
- github/codeql-action/upload-sarif@v4
  → @c6f931105cb2c34c8f901cc885ba1e2e259cf745  # v4.34.0

Left as major-tag (first-party actions/* — rule-permitted):
- actions/checkout@v6
- actions/upload-artifact@v7

Dependabot watches .github/workflows/ weekly and will bump these forward.
sourcery-ai[bot]
sourcery-ai Bot reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown

@sourcery-ai sourcery-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @w7-mgfcode, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 11, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c8c79800-f929-4981-93ae-5351a5fcb735

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/ci-sha-pin-third-party-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 11, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedpypi/​numpy@​2.4.17510010010070
Addedpypi/​pandas@​3.0.07610010010080
Addedpypi/​mypy@​1.19.182100100100100
Addedpypi/​pydantic-ai@​1.51.010085100100100
Addedpypi/​pytest@​9.0.28799100100100
Addedpypi/​joblib@​1.5.392100100100100
Addedpypi/​scikit-learn@​1.8.093100100100100
Addedpypi/​openai@​2.16.096100100100100
Addedpypi/​pyright@​1.1.40897100100100100
Addedpypi/​sqlalchemy@​2.0.4697100100100100
Addedpypi/​uvicorn@​0.40.098100100100100
Addedpypi/​tiktoken@​0.12.099100100100100
Addedpypi/​python-dotenv@​1.2.19999100100100
Addedpypi/​pydantic@​2.12.5100100100100100
Addedpypi/​ruff@​0.14.14100100100100100
Addedpypi/​pydantic-settings@​2.12.0100100100100100
Addedpypi/​pytest-cov@​7.0.0100100100100100
Addedpypi/​pyyaml@​6.0.3100100100100100
Addedpypi/​pytest-asyncio@​1.3.0100100100100100
Addedpypi/​structlog@​25.5.0100100100100100
Addedpypi/​httpx@​0.28.1100100100100100
Addedpypi/​pgvector@​0.4.2100100100100100
Addedpypi/​pandas-stubs@​2.3.3.260113100100100100100

View full report

@w7-mgfcode w7-mgfcode merged commit fcaf78c into dev May 11, 2026
8 checks passed
@w7-mgfcode w7-mgfcode deleted the fix/ci-sha-pin-third-party-actions branch May 11, 2026 21:28
@w7-mgfcode w7-mgfcode mentioned this pull request May 11, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@w7-mgfcode