ci: pin agent-shield reusable workflow to SHA#178
Conversation
|
@don-petry This PR is ready for your review and merge. It pins the |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Pins the AgentShield reusable workflow reference to an immutable commit SHA to satisfy the org action-pinning compliance requirement and close the related audit finding (#154).
Changes:
- Updated
.github/workflows/agent-shield.ymlto use a full commit SHA instead of the@v1tag for the reusable workflow reference.
| jobs: | ||
| agent-shield: | ||
| uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1 | ||
| uses: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1 |
There was a problem hiding this comment.
The header comment states this stub "MUST NOT change" the uses: line and that the source of truth lives in petry-projects/.github/standards/workflows/agent-shield.yml, but this PR intentionally changes uses: to a pinned SHA. To avoid confusing future editors (and potential drift from the upstream standard), consider updating the header guidance to explicitly allow updating the ref for pinning, and/or syncing this change back to the upstream source-of-truth workflow.
Superseded by automated re-review at
|
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 67b1446d0568387ce5668dec1d5d8855460e798a
Review mode: triage-approved (single reviewer)
Summary
One-line CI hygiene fix that pins petry-projects/.github/.github/workflows/agent-shield-reusable.yml from the mutable @v1 tag to commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, keeping # v1 as a human-readable comment per org convention. Confirming the triage tier's LOW-risk assessment.
Linked issue analysis
Closes #154 — a weekly compliance-audit finding (action-pinning / unpinned-actions-agent-shield.yml) requesting that this exact uses: line be pinned to a SHA per standards/ci-standards.md#action-pinning-policy. The diff resolves the finding precisely.
Findings
- Diff scope: 1 file, +1/-1, no logic change. Only the
uses:ref in.github/workflows/agent-shield.ymlis touched. - SHA verification:
ae9709f4466dec60a5733c9e7487f69dcd004e05exists inpetry-projects/.github(commit dated 2026-04-08,docs(dependabot): App secrets at org level…). Resolvable and immutable. - Tag movement (informational, not a blocker): the
v1tag in the upstream repo has since moved tod3d768dabb7f28cc63283cdfe48630da53700e50. This is precisely why SHA-pinning is mandated — the PR locks this caller to a specific reviewed commit regardless of future tag movement. The# v1trailing comment is now a snapshot of the tag at pin time, which is the expected convention. - No security smells: no secrets, credentials, permissions changes, or workflow-trigger expansion.
permissions:block in the workflow is unchanged. - No unresolved review threads: CodeRabbit reported "No actionable comments" and SonarCloud quality gate passed with 0 new issues. The earlier
@claudeping to address review comments errored out, but there are no outstanding actionable items from CodeRabbit, Copilot, or SonarCloud to address.
CI status
All required checks green: CodeQL (actions, javascript-typescript, python), CodeRabbit, SonarCloud quality gate.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|
Auto-rebase failed — merge conflict — this branch has conflicts with Please resolve the conflicts and push: |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: c517de94f8fe344437420f64189dadedd5aa133d
Review mode: triage-approved (single reviewer)
Summary
Single-line action-pinning fix in .github/workflows/agent-shield.yml: petry-projects/.github/.github/workflows/agent-shield-reusable.yml@v1 is replaced with the immutable SHA reference @ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1. The # v1 trailing comment preserves human readability per org convention. No other files are touched.
Linked issue analysis
Closes #154 (compliance-audit finding unpinned-actions-agent-shield.yml, severity error). The issue specifically calls out the @v1 reference, and the PR pins that exact uses: line to a commit SHA in accordance with standards/ci-standards.md#action-pinning-policy. Remediation is complete.
Findings
- Diff scope: 1 file, +1/−1. Pure config change; no logic, no secrets, no dependencies added.
- SHA format: Full 40-character SHA with
# v1comment — matches the policy's prescribed format. - Triage confirmation: Prior triage tier flagged this as low-risk; on independent re-review the assessment holds. Nothing the triage missed.
- Merge state: PR currently shows
CONFLICTING / DIRTYand the auto-rebase bot reported a conflict on 2026-05-21. This is a process/rebase concern, not a code concern — the author will need to manually rebase before merge, but it does not affect this review verdict.
CI status
All checks green: CodeQL, CodeRabbit (no actionable comments), SonarCloud Quality Gate passed, Analyze (actions / javascript-typescript / python), and the dependabot config check. Copilot's prior automated review and the cascade's earlier reviews all approved.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
Superseded by automated re-review at c517de9.
Automated review — human attention neededThis PR has been through 3 automated review cycles (cap: 3) without converging on an approval-and-merge state. Further automated review has been paused to avoid infinite loops. Please take a look manually, or close this PR if it's no longer needed. Once a human review resolves the situation, remove the Posted by the donpetry-bot PR-review cascade. |
|
Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead. |
Summary
petry-projects/.github/.github/workflows/agent-shield-reusable.ymlfrom@v1to@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1Changes
.github/workflows/agent-shield.yml: replaced@v1tag reference with the corresponding commit SHA (ae9709f4466dec60a5733c9e7487f69dcd004e05), keeping# v1as a human-readable comment per org convention.The SHA was resolved by dereferencing the annotated tag:
208ec2d69b75227d375edf8745d84fbac05a76b2ae9709f4466dec60a5733c9e7487f69dcd004e05Closes #154
Generated with Claude Code
Summary by CodeRabbit