fix: pin claude-code-reusable.yml to SHA for action-pinning compliance#179
fix: pin claude-code-reusable.yml to SHA for action-pinning compliance#179don-petry wants to merge 1 commit into
Conversation
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 35 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Pull request overview
Pins the org-level Claude Code reusable workflow reference in claude.yml to a specific commit SHA to comply with the action-pinning policy.
Changes:
- Updated the
uses:reference from@v1to@ae9709f4466dec60a5733c9e7487f69dcd004e05(annotated as# v1) for action-pinning compliance.
| jobs: | ||
| claude-code: | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@v1 | ||
| uses: petry-projects/.github/.github/workflows/claude-code-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1 |
There was a problem hiding this comment.
The header comment says you "MUST NOT change ... the uses: line", but this PR correctly updates the uses: ref to a pinned SHA. Consider updating that guidance to clarify that the workflow path must not change, but the ref may be updated when the org standard/pinning policy requires it, so future maintainers aren’t confused.
Automated review — APPROVEDRisk: LOW
SummaryThis PR pins a reusable workflow reference from the mutable @v1 tag to the underlying commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, which was verified to correctly dereference the v1 annotated tag. The change improves supply-chain security and satisfies the org's action-pinning compliance requirement (issue #155). The one CI failure (claude-code / claude) is in the workflow being modified and is unrelated to the correctness of the SHA pin; all security-relevant checks (CodeQL, SonarCloud, AgentShield, dependency-audit, build-and-test) pass. FindingsInfo
CI statusAll security-relevant checks pass (CodeQL, SonarCloud, AgentShield, dependency audit, build-and-test). One unrelated CI failure in Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with |
|
Auto-rebase blocked — the base branch contains Please rebase this branch manually: |
Pull request was closed



Summary
petry-projects/.github/.github/workflows/claude-code-reusable.ymlfrom@v1to commit SHAae9709f4466dec60a5733c9e7487f69dcd004e05(v1) per the org action-pinning policy.v1annotated tag to its underlying commit.Closes #155
Generated with Claude Code