Skip to content

fix: pin auto-rebase reusable workflow to SHA (compliance #237)#238

Closed
don-petry wants to merge 3 commits into
mainfrom
claude/issue-237-20260501-1333
Closed

fix: pin auto-rebase reusable workflow to SHA (compliance #237)#238
don-petry wants to merge 3 commits into
mainfrom
claude/issue-237-20260501-1333

Conversation

@don-petry

Copy link
Copy Markdown
Collaborator

Summary

  • Pins petry-projects/.github/.github/workflows/auto-rebase-reusable.yml from @v1 (tag) to @126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 (commit SHA)
  • Adds # v1 inline comment so the human-readable version tag is still visible
  • Satisfies the org-wide action-pinning policy

Test plan

  • Verify CI passes on this PR
  • Confirm the compliance audit no longer flags auto-rebase.yml after merge

Closes #237

Generated with Claude Code

Pin `petry-projects/.github/.github/workflows/auto-rebase-reusable.yml`
from tag `@v1` to commit SHA `126c1441ee9cf040f2ce3ef0eda85d459b82f8e9`
to satisfy the org-wide action-pinning policy.

Closes #237

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 1, 2026 13:35
@coderabbitai

coderabbitai Bot commented May 1, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 30 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 318a7a85-0215-4df9-ab36-ad4583c04e60

📥 Commits

Reviewing files that changed from the base of the PR and between 0979f9d and b2cf288.

📒 Files selected for processing (1)
  • .github/workflows/auto-rebase.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/issue-237-20260501-1333

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 2 minutes and 30 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Hey @don-petry — you're the code owner for this repo. This PR is ready for your review and merge. It's a one-line compliance fix (SHA pin) with no logic changes.

@sonarqubecloud

sonarqubecloud Bot commented May 1, 2026

Copy link
Copy Markdown

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins the org-level auto-rebase reusable workflow to an immutable commit SHA to satisfy the action-pinning compliance requirement (#237), while preserving the human-readable version tag in an inline comment.

Changes:

  • Update .github/workflows/auto-rebase.yml to use a commit SHA instead of @v1
  • Add an inline # v1 comment for readability/version traceability

@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown
Contributor

Auto-rebase blocked — the base branch contains .github/workflows/ changes that require the workflows permission to merge into this branch, but the auto-rebase workflow's token does not have that permission.

Please rebase this branch manually:

git fetch origin
git rebase origin/main
git push --force-with-lease

@don-petry

Copy link
Copy Markdown
Collaborator Author

@dev-lead - please fix this PR

@github-actions

Copy link
Copy Markdown
Contributor

Auto-rebase failed — merge conflict — this branch has conflicts with main that must be resolved manually.

Please resolve the conflicts and push:

git fetch origin
git merge origin/main
# resolve conflicts, then:
git add .
git commit
git push

@donpetry-bot donpetry-bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review — APPROVED ✓

Risk: LOW
Reviewed commit: b2cf28849d6eb2f13c6ab82caf6181fa8ddb34e4
Review mode: triage-approved (single reviewer)

Summary

One-line change in .github/workflows/auto-rebase.yml that pins the org-level reusable workflow from petry-projects/.github/.github/workflows/auto-rebase-reusable.yml@v1 to @126c1441ee9cf040f2ce3ef0eda85d459b82f8e9 # v1. Confirming the triage tier's LOW-risk assessment: this is a config-only compliance fix with no logic impact, the trailing # v1 comment preserves human-readable version traceability, and the pinned SHA matches what was looked up in the issue thread.

Linked issue analysis

Closes #237Compliance: unpinned-actions-auto-rebase.yml. The audit finding flagged exactly one unpinned action (auto-rebase-reusable.yml@v1), and this PR pins exactly that reference to a commit SHA per standards/ci-standards.md#action-pinning-policy. The next weekly compliance audit should mark the finding as resolved.

Findings

None blocking. One non-blocking note:

  • Merge conflict with mainmergeStateStatus is DIRTY and auto-rebase has reported both a permissions block (2026-05-04) and a merge conflict (2026-05-21). The code change itself is correct and approved; a manual rebase will be needed before this can land:
    git fetch origin && git rebase origin/main && git push --force-with-lease
    

CI status

All green: CodeQL (actions / javascript-typescript / python / aggregate) ✓, CodeRabbit ✓, SonarQube Cloud quality gate passed (0 new issues).


Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

@don-petry

Copy link
Copy Markdown
Collaborator Author

Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead.

@don-petry don-petry closed this Jun 2, 2026
auto-merge was automatically disabled June 2, 2026 12:16

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compliance: unpinned-actions-auto-rebase.yml

3 participants