Skip to content

fix: pin dependabot-automerge reusable workflow to SHA#180

Closed
don-petry wants to merge 3 commits into
mainfrom
claude/issue-156-20260414-1116
Closed

fix: pin dependabot-automerge reusable workflow to SHA#180
don-petry wants to merge 3 commits into
mainfrom
claude/issue-156-20260414-1116

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Pins petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml from mutable @v1 tag to commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1
  • Resolves the compliance finding from the weekly audit (action-pinning policy)

Changes

Updated .github/workflows/dependabot-automerge.yml:

uses: petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml@ae9709f4466dec60a5733c9e7487f69dcd004e05 # v1

The SHA was resolved from the v1 annotated tag via:

gh api repos/petry-projects/.github/git/refs/tags/v1 --jq '.object.sha'
# → tag object SHA (annotated tag)
gh api repos/petry-projects/.github/git/tags/<tag-object-sha> --jq '.object.sha'
# → ae9709f4466dec60a5733c9e7487f69dcd004e05

Test plan

  • Verify CI passes
  • Confirm compliance audit no longer flags this workflow

Closes #156

Generated with Claude Code

Pin `petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml`
from `@v1` tag to commit SHA `ae9709f4466dec60a5733c9e7487f69dcd004e05`
to comply with the org Action Pinning Policy.

Closes #156

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 11:18
@don-petry

Copy link
Copy Markdown
Collaborator Author

PR is ready for review. @don-petry please review and merge when ready.

@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 55 minutes and 30 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 30 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ad8aee37-e69b-43f6-9acc-317f081cbdbb

📥 Commits

Reviewing files that changed from the base of the PR and between 56ee75a and d0b5152.

📒 Files selected for processing (1)
  • .github/workflows/dependabot-automerge.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-156-20260414-1116

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sonarqubecloud

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins the Dependabot automerge reusable workflow reference to an immutable commit SHA to satisfy the org action-pinning compliance policy and close audit finding #156.

Changes:

  • Updated .github/workflows/dependabot-automerge.yml to use a full 40-char commit SHA instead of the mutable @v1 tag for the reusable workflow.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Automated review — APPROVED

Risk: LOW
Reviewed commit: c45f496c1e1ee85f00de018f6a981578cf4319d1
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Summary

This PR pins a reusable workflow reference from the mutable @v1 tag to commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, which was independently verified to be the correct commit SHA for the v1 annotated tag in petry-projects/.github. All CI checks pass (CodeQL, SonarCloud, AgentShield, Node.js, Playwright), and the change is a net security improvement — SHA pinning is the recommended GitHub Actions hardening practice.

Findings

Info

  • info .github/workflows/dependabot-automerge.yml:39 — SHA ae9709f4466dec60a5733c9e7487f69dcd004e05 independently verified against petry-projects/.github git/tags/v1 API — matches the commit the annotated tag object points to.
  • info .github/workflows/dependabot-automerge.yml:40secrets: inherit passes all caller secrets to the reusable workflow. This is pre-existing (not introduced by this PR) and acceptable given the reusable workflow lives in the org's own trusted .github repo.
  • info — The v1 annotated tag is not GPG-signed (verification.verified=false). This is common and does not undermine the SHA pinning — the SHA itself is what provides immutability.

CI status

All CI checks pass: CodeQL, SonarCloud, AgentShield, Node.js, Playwright.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 16, 2026 20:08

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@petry-projects-pr-review-agent petry-projects-pr-review-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing as duplicate of #223 — same fix for issue #180. The newest attempt is kept open.

@don-petry don-petry closed this May 3, 2026
auto-merge was automatically disabled May 3, 2026 15:00

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-dependabot-automerge.yml

2 participants