fix: pin feature-ideation.yml reusable workflow to SHA#102
Conversation
Pin `petry-projects/.github/.github/workflows/feature-ideation-reusable.yml` from `@v1` to its resolved SHA `208ec2d69b75227d375edf8745d84fbac05a76b2` to satisfy the action-pinning compliance policy. Also syncs the file with the latest upstream template: adds the `dry_run` workflow_dispatch input that was added after the initial copy. Co-authored-by: don-petry <don-petry@users.noreply.github.com>
|
PR is ready for review. No CODEOWNERS file found — @don-petry please review and merge when CI passes. |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
Pins the org-wide reusable “Feature Research & Ideation” workflow reference to a specific commit SHA to satisfy the action-pinning compliance policy, and syncs the caller stub with the latest upstream interface.
Changes:
- Pin
petry-projects/.github/.github/workflows/feature-ideation-reusable.ymlfrom@v1to a resolved commit SHA. - Add a
dry_runworkflow_dispatchinput and forward it to the reusable workflow.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| include A, B, C. Key emerging trends in this space: X, Y, Z." | ||
| focus_area: ${{ inputs.focus_area || '' }} | ||
| research_depth: ${{ inputs.research_depth || 'standard' }} | ||
| dry_run: ${{ inputs.dry_run || false }} |
There was a problem hiding this comment.
workflow_dispatch inputs are often surfaced as strings (e.g., 'true'/'false'). Using inputs.dry_run || false can therefore produce the string 'false' on a manual dispatch, which is truthy in GitHub expressions and can cause the reusable workflow to treat dry_run as enabled. Consider coercing to a real boolean (e.g., compare to 'true' or use fromJSON(inputs.dry_run)) before passing it to the reusable workflow.
| dry_run: ${{ inputs.dry_run || false }} | |
| dry_run: ${{ inputs.dry_run == true || inputs.dry_run == 'true' }} |
| @@ -75,7 +80,7 @@ jobs: | |||
| pull-requests: read | |||
| discussions: write | |||
| id-token: write | |||
There was a problem hiding this comment.
The header guidance says you “MUST NOT change … the uses: line”, but this PR legitimately changes it to pin to a SHA for compliance. To avoid future confusion (and reduce the risk of someone reverting the pin), update the guidance to explicitly allow/require SHA pin updates while still forbidding changing the referenced reusable workflow path.
| id-token: write | |
| id-token: write | |
| # Keep the reusable workflow path unchanged unless the standard itself moves. | |
| # Update the pinned commit SHA when adopting a newer approved standard version | |
| # or when compliance/security policy requires refreshing the pin. |
Superseded by automated re-review at
|
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: 62a21838433790642bfad56ed7b925f04a905d4e
Cascade: triage → deep (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6)
Summary
This PR pins a reusable workflow reference from the mutable @v1 tag to an immutable SHA (208ec2d69b75227d375edf8745d84fbac05a76b2), directly satisfying the org's action-pinning compliance policy (issue #88). It also adds a boolean dry_run dispatch input forwarded safely as a typed with-parameter — no injection risk. All CI checks pass (CodeQL, SonarCloud zero issues/hotspots, AgentShield, CodeRabbit); the change is strictly security-improving.
Findings
- INFO: Workflow reference changed from mutable @v1 tag to pinned SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 with a '# v1' human-readable comment. This is the correct, secure direction per the org's action-pinning policy and directly closes compliance finding #88.
- INFO: dry_run input declared as boolean type with default:false and forwarded via '${{ inputs.dry_run || false }}'. The expression is used as a typed reusable-workflow 'with' parameter, not interpolated into a shell command — no injection risk exists. The '|| false' fallback is redundant given the explicit default but harmless.
- INFO: All status checks green: CodeQL SUCCESS, SonarCloud SUCCESS (0 new issues, 0 security hotspots), AgentShield SUCCESS, CodeRabbit SUCCESS, Dependency audit SUCCESS. The retrigger commit (62a2183) at HEAD introduced no code changes — it only re-ran CI after merge-from-main syncs.
- INFO: Triage escalated with signal 'triage-output-invalid' — this is a triage infrastructure failure, not a code concern. Deep review conducted independently and finds no security or correctness issues.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.
|
@claude Please address all open review comments on this PR from CodeRabbit and Copilot. |
|
Claude encountered an error —— View job I'll analyze this and get back to you. |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
@dev-lead - please fix this PR |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead: |
|
Closing due to merge conflict that cannot be auto-rebased. Re-implementing from fresh main via dev-lead. |
Pull request was closed
Summary
petry-projects/.github/.github/workflows/feature-ideation-reusable.ymlfrom@v1to its resolved SHA208ec2d69b75227d375edf8745d84fbac05a76b2to satisfy the action-pinning compliance policydry_runworkflow_dispatch inputCloses #88
Generated with Claude Code