fix(ci): pin feature-ideation reusable workflow to SHA#220
Conversation
Pin `petry-projects/.github/.github/workflows/feature-ideation-reusable.yml` from `@v1` to `@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1` to satisfy the action-pinning compliance policy. Also syncs file to the current standards template: - Add `dry_run` input to `workflow_dispatch` - Add `actions: read` permission (feed checkpoint query) - Add `sources_file` comment in `with:` block - Update inline comment formatting and step numbering Closes #159 Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR updates the ChangesWorkflow Configuration & Input Wiring
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related issues
Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Self-reviewChanges verified:
Note: Previous PRs #183 and #203 addressed the same issue but were not merged. This supersedes both; they can be closed once this lands. @don-petry — please review and merge when CI is green. This fixes the weekly compliance finding on issue #159. |
There was a problem hiding this comment.
Pull request overview
Updates the Feature Ideation GitHub Actions workflow to comply with the org action-pinning standard by pinning the reusable workflow reference to an immutable SHA, while aligning the caller stub with the current template expectations.
Changes:
- Pinned
petry-projects/.github/.github/workflows/feature-ideation-reusable.ymlfrom@v1to a full commit SHA. - Added
dry_runas aworkflow_dispatchinput and forwarded it to the reusable workflow call. - Added
actions: readjob permission and expanded inline guidance aboutsources_file.
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: LOW
Reviewed commit: 8376aa9b56defcbac7a4d6621d68ce25823b5b6f
Review mode: triage-approved (single reviewer)
Summary
Pins the reusable workflow reference from the mutable tag @v1 to the immutable commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1 to satisfy the org action-pinning policy, and syncs the caller stub to the current standards template (adds a dry_run workflow_dispatch input, actions: read permission, and a sources_file comment block). The caller file is a thin stub — all behaviour lives in the reusable workflow at the pinned SHA — so the change surface is purely CI configuration.
Linked issue analysis
Closes #159, an auto-filed compliance finding from the weekly audit flagging feature-ideation.yml for the unpinned @v1 reference. The diff directly removes the offending unpinned uses: and replaces it with a SHA pin, so the audit should no longer flag this file after merge.
Findings
- Pinned SHA verified.
ee22b427cbce9ecadcf2b436acb57c3adf0cb63dresolves to a real commit inpetry-projects/.github(feat(feature-ideation): add curated reputable source list for Mary (#102), 2026-04-17) and that tree contains.github/workflows/feature-ideation-reusable.yml. The pin will resolve at call time. - Threat-model direction is favourable. Going from mutable tag → immutable SHA is the secure direction; this is precisely the change the action-pinning policy requires, not a regression of it.
- Permission addition is justified and minimal.
actions: readis required by the reusable workflow's feed-checkpoint step that queries the last successful run; it's a read scope and matches the comment block above thepermissions:map. - New
dry_runinput is safe. It's abooleanwithdefault: false, forwarded to the reusable workflow viadry_run: ${{ inputs.dry_run || false }}. Default-off means existing scheduled runs behave identically. - Caveat (non-blocking): The inline
# v1comment is a point-in-time label; the upstreamv1tag has since been moved to a newer commit (d3d768d…). The SHA pin itself is still immutable and correct — the comment is documentary only and matches the SHA that was current when this PR was authored. No action required. - No secrets, no logic changes, no migrations, no new external dependencies.
CI status
All required checks green: CodeQL (actions, javascript-typescript, python), CodeRabbit, SonarQube Cloud (Quality Gate passed, 0 new issues, 0 security hotspots). mergeStateStatus is BLOCKED only because human review approval is still required — there are no failing checks.
Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.
|



Summary
petry-projects/.github/.github/workflows/feature-ideation-reusable.ymlfrom@v1to@ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1dry_runinput,actions: readpermission, andsources_filecommentgh api repos/petry-projects/.github/git/refs/tags/v1Closes #159
Test plan
uses:line now references the full SHA commit hashGenerated with Claude Code
Summary by CodeRabbit