fix: pin pr-review-mention reusable workflow to SHA#272
Conversation
Pin `petry-projects/.github/.github/workflows/pr-review-mention-reusable.yml` from `@v1` to `@0cb4bba11d7563bf197ad805f12fb8639e4879e4` (v1) to satisfy the org action-pinning policy. Closes #271 Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe PR pins the ChangesWorkflow Pinning and Documentation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~5 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Pins the PR review mention thin-caller workflow to a specific commit SHA to comply with the action pinning policy referenced in issue #271.
Changes:
- Update the reusable workflow reference in
.github/workflows/pr-review-mention.ymlfrom@v1to a full commit SHA (@0cb4bba11d7563bf197ad805f12fb8639e4879e4) while retaining the# v1annotation.
The @v1 tag in petry-projects/.github pointed to commit 0cb4bba1 which predates the existence of pr-review-mention-reusable.yml, causing a parse-time 'workflow was not found' error. Pin to the correct SHA d3d768dabb7f28cc63283cdfe48630da53700e50 (latest main). Closes #271 Ref: petry-projects/.github#267
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/pr-review-mention.yml (1)
9-10:⚠️ Potential issue | 🟠 Major | ⚡ Quick winUpdate lines 9-10 to reflect the SHA-based pinning approach.
Lines 9-10 still reference the old tag-based approach (bumping
@v1→@v2), but the new documentation (lines 16-17) and implementation (line 39) use SHA-based pinning. This inconsistency could confuse future maintainers and lead them to revert to tags, violating the organization's action-pinning compliance policy that this PR is meant to satisfy.📝 Suggested documentation update
-# • You MAY change: the tag in the `uses:` line when upgrading the reusable -# workflow version (e.g. bump `@v1` → `@v2` when petry-projects/.github cuts a new release). +# • You MAY change: the SHA in the `uses:` line when upgrading the reusable +# workflow version (obtain the new SHA from petry-projects/.github and follow the fanout process below).Also applies to: 16-17
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-review-mention.yml around lines 9 - 10, Update the explanatory comments that currently mention tag-based pinning (the guidance about bumping `@v1` → `@v2` found near the `uses:` explanation) to describe and require SHA-based pinning instead, matching the documentation later (lines referencing SHA-based pinning) and the actual `uses:` implementation at line 39; specifically replace the text that tells maintainers to bump tags with instructions to pin reusable workflows by full commit SHA and reference the `uses:` lines as the place to apply that SHA-based pinning so the comments are consistent with the implementation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/pr-review-mention.yml:
- Around line 9-10: Update the explanatory comments that currently mention
tag-based pinning (the guidance about bumping `@v1` → `@v2` found near the
`uses:` explanation) to describe and require SHA-based pinning instead, matching
the documentation later (lines referencing SHA-based pinning) and the actual
`uses:` implementation at line 39; specifically replace the text that tells
maintainers to bump tags with instructions to pin reusable workflows by full
commit SHA and reference the `uses:` lines as the place to apply that SHA-based
pinning so the comments are consistent with the implementation.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 6cc79943-ef6a-495b-9df0-fa29c124b738
📒 Files selected for processing (1)
.github/workflows/pr-review-mention.yml
|
@don-petry I'm on it — starting a fresh review now. Results will appear in a few minutes. |
|
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
|
@dev-lead - please fix this PR |
Summary
.github/workflows/pr-review-mention.ymlto the correct SHAd3d768dabb7f28cc63283cdfe48630da53700e50(latestmaincommit containing the reusable workflow)Root cause: The
v1lightweight tag inpetry-projects/.githubpointed to commit0cb4bba1which predates the addition ofpr-review-mention-reusable.yml, causing a parse-time error in all caller repos:The
v1tag has been force-moved tod3d768dand a newv2tag cut at the same SHA.Ref: petry-projects/.github#267
Closes #271
Generated with Claude Code
Summary by CodeRabbit