Skip to content

fix(ci): pin feature-ideation reusable workflow to SHA#220

Merged
don-petry merged 22 commits into
mainfrom
claude/issue-159-20260419-2332
May 19, 2026
Merged

fix(ci): pin feature-ideation reusable workflow to SHA#220
don-petry merged 22 commits into
mainfrom
claude/issue-159-20260419-2332

Conversation

@don-petry

@don-petry don-petry commented Apr 19, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Pins petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from @v1 to @ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1
  • Syncs file to current standards template: adds dry_run input, actions: read permission, and sources_file comment
  • SHA looked up live via gh api repos/petry-projects/.github/git/refs/tags/v1

Closes #159

Test plan

  • Verify the uses: line now references the full SHA commit hash
  • Confirm compliance audit no longer flags this workflow after merge

Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated Feature Research & Ideation workflow with comprehensive configuration and documentation improvements for better maintainability.
    • Introduced dry-run mode option enabling safe workflow testing and validation without triggering actual operations.
    • Enhanced workflow security and reliability through refined job permissions and pinned dependency versions.
    • Expanded input parameters providing improved control and flexibility for workflow execution.

Review Change Stack

Pin `petry-projects/.github/.github/workflows/feature-ideation-reusable.yml`
from `@v1` to `@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1` to satisfy
the action-pinning compliance policy.

Also syncs file to the current standards template:
- Add `dry_run` input to `workflow_dispatch`
- Add `actions: read` permission (feed checkpoint query)
- Add `sources_file` comment in `with:` block
- Update inline comment formatting and step numbering

Closes #159

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 19, 2026 23:35
@coderabbitai

coderabbitai Bot commented Apr 19, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1bf7caf9-1ed0-4637-9cd5-854d1acc37a7

📥 Commits

Reviewing files that changed from the base of the PR and between 42a3073 and 8ea8946.

📒 Files selected for processing (1)
  • .github/workflows/feature-ideation.yml

📝 Walkthrough

Walkthrough

This PR updates the feature-ideation.yml workflow stub by extending its adoption documentation, introducing a new dry_run workflow input, pinning the reusable workflow reference to a specific commit SHA for compliance, and wiring the new input through to the reusable workflow.

Changes

Workflow Configuration & Input Wiring

Layer / File(s) Summary
Documentation and dry-run input definition
.github/workflows/feature-ideation.yml
Expanded the workflow stub's adoption guidance with optional setup steps (sources file, org secret access) and added a new workflow_dispatch input dry_run (boolean, default false) to control mutation behavior.
Job configuration, pinning, and input wiring
.github/workflows/feature-ideation.yml
Updated the ideate job to add actions: read permission, pinned the reusable workflow reference from @v1 to a specific commit SHA, and passed the dry_run input alongside focus_area and research_depth through to the reusable workflow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

  • #159: Compliance finding resolved by pinning the reusable workflow reference from @v1 to a specific commit SHA per the action-pinning policy standard.

Possibly related PRs

Suggested reviewers

  • donpetry-bot
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: pinning the feature-ideation reusable workflow reference from @v1 to a specific commit SHA.
Linked Issues check ✅ Passed The pull request successfully addresses the compliance requirement in issue #159 by pinning the unpinned reusable workflow action to a commit SHA, bringing it into compliance with the action-pinning policy.
Out of Scope Changes check ✅ Passed Additional changes like adding the dry_run input and actions permission are standard template synchronization; they are related to maintaining consistency with the reusable workflow standards, not out-of-scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-159-20260419-2332

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Self-review

Changes verified:

  • uses: line now references full commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d (looked up live via gh api repos/petry-projects/.github/git/refs/tags/v1) with # v1 inline comment for readability
  • File is now in sync with petry-projects/.github/standards/workflows/feature-ideation.yml template, including dry_run input, actions: read permission, and sources_file comment
  • No logic changes — this is a thin caller stub, all behaviour lives in the reusable workflow

Note: Previous PRs #183 and #203 addressed the same issue but were not merged. This supersedes both; they can be closed once this lands.

@don-petry — please review and merge when CI is green. This fixes the weekly compliance finding on issue #159.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the Feature Ideation GitHub Actions workflow to comply with the org action-pinning standard by pinning the reusable workflow reference to an immutable SHA, while aligning the caller stub with the current template expectations.

Changes:

  • Pinned petry-projects/.github/.github/workflows/feature-ideation-reusable.yml from @v1 to a full commit SHA.
  • Added dry_run as a workflow_dispatch input and forwarded it to the reusable workflow call.
  • Added actions: read job permission and expanded inline guidance about sources_file.

@github-actions github-actions Bot requested a review from a team as a code owner May 4, 2026 20:39

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: 8376aa9b56defcbac7a4d6621d68ce25823b5b6f
Review mode: triage-approved (single reviewer)

Summary

Pins the reusable workflow reference from the mutable tag @v1 to the immutable commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1 to satisfy the org action-pinning policy, and syncs the caller stub to the current standards template (adds a dry_run workflow_dispatch input, actions: read permission, and a sources_file comment block). The caller file is a thin stub — all behaviour lives in the reusable workflow at the pinned SHA — so the change surface is purely CI configuration.

Linked issue analysis

Closes #159, an auto-filed compliance finding from the weekly audit flagging feature-ideation.yml for the unpinned @v1 reference. The diff directly removes the offending unpinned uses: and replaces it with a SHA pin, so the audit should no longer flag this file after merge.

Findings

  • Pinned SHA verified. ee22b427cbce9ecadcf2b436acb57c3adf0cb63d resolves to a real commit in petry-projects/.github (feat(feature-ideation): add curated reputable source list for Mary (#102), 2026-04-17) and that tree contains .github/workflows/feature-ideation-reusable.yml. The pin will resolve at call time.
  • Threat-model direction is favourable. Going from mutable tag → immutable SHA is the secure direction; this is precisely the change the action-pinning policy requires, not a regression of it.
  • Permission addition is justified and minimal. actions: read is required by the reusable workflow's feed-checkpoint step that queries the last successful run; it's a read scope and matches the comment block above the permissions: map.
  • New dry_run input is safe. It's a boolean with default: false, forwarded to the reusable workflow via dry_run: ${{ inputs.dry_run || false }}. Default-off means existing scheduled runs behave identically.
  • Caveat (non-blocking): The inline # v1 comment is a point-in-time label; the upstream v1 tag has since been moved to a newer commit (d3d768d…). The SHA pin itself is still immutable and correct — the comment is documentary only and matches the SHA that was current when this PR was authored. No action required.
  • No secrets, no logic changes, no migrations, no new external dependencies.

CI status

All required checks green: CodeQL (actions, javascript-typescript, python), CodeRabbit, SonarQube Cloud (Quality Gate passed, 0 new issues, 0 security hotspots). mergeStateStatus is BLOCKED only because human review approval is still required — there are no failing checks.


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@sonarqubecloud

Copy link
Copy Markdown

@don-petry don-petry merged commit 8fd81fd into main May 19, 2026
24 of 25 checks passed
@don-petry don-petry deleted the claude/issue-159-20260419-2332 branch May 19, 2026 04:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-feature-ideation.yml

3 participants