fix: pin dependabot-automerge reusable workflow to SHA#180
Conversation
Pin `petry-projects/.github/.github/workflows/dependabot-automerge-reusable.yml` from `@v1` tag to commit SHA `ae9709f4466dec60a5733c9e7487f69dcd004e05` to comply with the org Action Pinning Policy. Closes #156 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
PR is ready for review. @don-petry please review and merge when ready. |
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 55 minutes and 30 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Pull request overview
Pins the Dependabot automerge reusable workflow reference to an immutable commit SHA to satisfy the org action-pinning compliance policy and close audit finding #156.
Changes:
- Updated
.github/workflows/dependabot-automerge.ymlto use a full 40-char commit SHA instead of the mutable@v1tag for the reusable workflow.
Automated review — APPROVEDRisk: LOW SummaryThis PR pins a reusable workflow reference from the mutable @v1 tag to commit SHA ae9709f4466dec60a5733c9e7487f69dcd004e05, which was independently verified to be the correct commit SHA for the v1 annotated tag in petry-projects/.github. All CI checks pass (CodeQL, SonarCloud, AgentShield, Node.js, Playwright), and the change is a net security improvement — SHA pinning is the recommended GitHub Actions hardening practice. FindingsInfo
CI statusAll CI checks pass: CodeQL, SonarCloud, AgentShield, Node.js, Playwright. Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with |
Pull request was closed



Summary
petry-projects/.github/.github/workflows/dependabot-automerge-reusable.ymlfrom mutable@v1tag to commit SHAae9709f4466dec60a5733c9e7487f69dcd004e05 # v1Changes
Updated
.github/workflows/dependabot-automerge.yml:The SHA was resolved from the
v1annotated tag via:Test plan
Closes #156
Generated with Claude Code