Skip to content

ci: pin agent-shield reusable workflow to SHA#178

Closed
don-petry wants to merge 30 commits into
mainfrom
claude/issue-154-20260414-1111
Closed

ci: pin agent-shield reusable workflow to SHA#178
don-petry wants to merge 30 commits into
mainfrom
claude/issue-154-20260414-1111

Conversation

@don-petry

@don-petry don-petry commented Apr 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Pin petry-projects/.github/.github/workflows/agent-shield-reusable.yml from @v1 to @ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
  • Resolves the action-pinning compliance finding raised by the weekly audit

Changes

.github/workflows/agent-shield.yml: replaced @v1 tag reference with the corresponding commit SHA (ae9709f4466dec60a5733c9e7487f69dcd004e05), keeping # v1 as a human-readable comment per org convention.

The SHA was resolved by dereferencing the annotated tag:

  • Tag object: 208ec2d69b75227d375edf8745d84fbac05a76b2
  • Commit SHA: ae9709f4466dec60a5733c9e7487f69dcd004e05

Closes #154

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow configuration to use pinned dependency reference for enhanced stability and reproducibility.

Pin petry-projects/.github/.github/workflows/agent-shield-reusable.yml
from @v1 to @ae9709f4466dec60a5733c9e7487f69dcd004e05 (v1) to comply
with the org action-pinning policy.

Closes #154

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 11:12
@don-petry

Copy link
Copy Markdown
Collaborator Author

@don-petry This PR is ready for your review and merge. It pins the agent-shield-reusable.yml reusable workflow to a commit SHA to resolve the action-pinning compliance finding in #154.

@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4b041a3b-19e4-4c17-8879-99ae4ccbb0db

📥 Commits

Reviewing files that changed from the base of the PR and between a13e964 and 47e53c3.

📒 Files selected for processing (1)
  • .github/workflows/agent-shield.yml

📝 Walkthrough

Walkthrough

The .github/workflows/agent-shield.yml workflow file is updated to pin the reusable workflow reference from a floating version tag (@v1) to a specific commit SHA (@ae9709f4466dec60a5733c9e7487f69dcd004e05) for compliance with action-pinning policy requirements.

Changes

Cohort / File(s) Summary
Workflow Reference Pinning
.github/workflows/agent-shield.yml
Pin petry-projects/.github/.github/workflows/agent-shield-reusable.yml reference from floating tag @v1 to commit SHA @ae9709f4466dec60a5733c9e7487f69dcd004e05 for compliance.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related issues

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: pinning the agent-shield reusable workflow reference from @v1 tag to a specific commit SHA.
Linked Issues check ✅ Passed The code change directly addresses issue #154 by pinning the agent-shield reusable workflow to commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, fulfilling the action-pinning compliance requirement.
Out of Scope Changes check ✅ Passed All changes are scoped to the stated objective; only the agent-shield workflow reference was updated from @v1 tag to pinned SHA with no extraneous modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-154-20260414-1111

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins the AgentShield reusable workflow reference to an immutable commit SHA to satisfy the org action-pinning compliance requirement and close the related audit finding (#154).

Changes:

  • Updated .github/workflows/agent-shield.yml to use a full commit SHA instead of the @v1 tag for the reusable workflow reference.

jobs:
agent-shield:
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1
uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1

Copilot AI Apr 14, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header comment states this stub "MUST NOT change" the uses: line and that the source of truth lives in petry-projects/.github/standards/workflows/agent-shield.yml, but this PR intentionally changes uses: to a pinned SHA. To avoid confusing future editors (and potential drift from the upstream standard), consider updating the header guidance to explicitly allow updating the ref for pinning, and/or syncing this change back to the upstream source-of-truth workflow.

Copilot uses AI. Check for mistakes.
@don-petry

don-petry commented Apr 16, 2026

Copy link
Copy Markdown
Collaborator Author
Superseded by automated re-review at 67b1446d0568387ce5668dec1d5d8855460e798a — click to expand prior review.

Automated review — APPROVED

Risk: LOW
Reviewed commit: 47e53c3ee0aa99c6c3416ade34b81d480c1e35b3
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR pins the agent-shield reusable workflow from a mutable @v1 tag to a specific commit SHA, which is a security best-practice improvement that prevents supply-chain attacks via tag mutation. All CI checks (CodeQL, SonarCloud, AgentShield, Node.js tests, Playwright, dependency audit) are green. The change is exactly one line in one workflow file with no logic impact.

Findings

Info

  • .github/workflows/agent-shield.yml:33 — Pinning reusable workflow to commit SHA (ae9709f4466dec60a5733c9e7487f69dcd004e05) instead of mutable tag @v1 is the recommended GitHub Actions supply-chain hardening pattern. Change is correct and beneficial.
  • CI status: All status checks passed: CodeQL (actions, JS/TS, Python), SonarCloud, AgentShield, build-and-test, coverage, Node.js Tests, Playwright UI Tests, dependency audit (npm). mergeStateStatus is BLOCKED but mergeable is MERGEABLE — likely awaiting a required human review approval, not a code issue.

CI status

All CI checks green. mergeStateStatus is BLOCKED (awaiting required human review approval) but code is MERGEABLE.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

donpetry-bot
donpetry-bot previously approved these changes May 17, 2026

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 67b1446d0568387ce5668dec1d5d8855460e798a
Review mode: triage-approved (single reviewer)

Summary

One-line CI hygiene fix that pins petry-projects/.github/.github/workflows/agent-shield-reusable.yml from the mutable @v1 tag to commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, keeping # v1 as a human-readable comment per org convention. Confirming the triage tier's LOW-risk assessment.

Linked issue analysis

Closes #154 — a weekly compliance-audit finding (action-pinning / unpinned-actions-agent-shield.yml) requesting that this exact uses: line be pinned to a SHA per standards/ci-standards.md#action-pinning-policy. The diff resolves the finding precisely.

Findings

  • Diff scope: 1 file, +1/-1, no logic change. Only the uses: ref in .github/workflows/agent-shield.yml is touched.
  • SHA verification: ae9709f4466dec60a5733c9e7487f69dcd004e05 exists in petry-projects/.github (commit dated 2026-04-08, docs(dependabot): App secrets at org level…). Resolvable and immutable.
  • Tag movement (informational, not a blocker): the v1 tag in the upstream repo has since moved to d3d768dabb7f28cc63283cdfe48630da53700e50. This is precisely why SHA-pinning is mandated — the PR locks this caller to a specific reviewed commit regardless of future tag movement. The # v1 trailing comment is now a snapshot of the tag at pin time, which is the expected convention.
  • No security smells: no secrets, credentials, permissions changes, or workflow-trigger expansion. permissions: block in the workflow is unchanged.
  • No unresolved review threads: CodeRabbit reported "No actionable comments" and SonarCloud quality gate passed with 0 new issues. The earlier @claude ping to address review comments errored out, but there are no outstanding actionable items from CodeRabbit, Copilot, or SonarCloud to address.

CI status

All required checks green: CodeQL (actions, javascript-typescript, python), CodeRabbit, SonarCloud quality gate.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: c517de94f8fe344437420f64189dadedd5aa133d
Review mode: triage-approved (single reviewer)

Summary

Single-line action-pinning fix in .github/workflows/agent-shield.yml: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1 is replaced with the immutable SHA reference @ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1. The # v1 trailing comment preserves human readability per org convention. No other files are touched.

Linked issue analysis

Closes #154 (compliance-audit finding unpinned-actions-agent-shield.yml, severity error). The issue specifically calls out the @v1 reference, and the PR pins that exact uses: line to a commit SHA in accordance with standards/ci-standards.md#action-pinning-policy. Remediation is complete.

Findings

  • Diff scope: 1 file, +1/−1. Pure config change; no logic, no secrets, no dependencies added.
  • SHA format: Full 40-character SHA with # v1 comment — matches the policy's prescribed format.
  • Triage confirmation: Prior triage tier flagged this as low-risk; on independent re-review the assessment holds. Nothing the triage missed.
  • Merge state: PR currently shows CONFLICTING / DIRTY and the auto-rebase bot reported a conflict on 2026-05-21. This is a process/rebase concern, not a code concern — the author will need to manually rebase before merge, but it does not affect this review verdict.

CI status

All checks green: CodeQL, CodeRabbit (no actionable comments), SonarCloud Quality Gate passed, Analyze (actions / javascript-typescript / python), and the dependabot config check. Copilot's prior automated review and the cascade's earlier reviews all approved.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@donpetry-bot donpetry-bot dismissed their stale review May 30, 2026 20:08

Superseded by automated re-review at c517de9.

@donpetry-bot

Copy link
Copy Markdown
Contributor

Automated review — human attention needed

This PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops.

Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the needs-human-review label and the cascade can be re-engaged on the next push.

Posted by the donpetry-bot PR-review cascade.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-agent-shield.yml

3 participants