What happened
PR #29 added a pinact pre-commit hook in .pre-commit-config.yaml (lines 42-48) to enforce SHA-pinning on GitHub Actions. However, the hook is hardcoded to only check .github/workflows/lint.yml:
- id: pinact
name: pinact (SHA-pin check)
entry: pinact run --fix=false --no-api .github/workflows/lint.yml
files: ^\.github/workflows/lint\.yml$
pass_filenames: false
The repository has five workflow files (fullsend.yaml, lint.yml, release.yml, stale.yml, vouch-check.yml), but only lint.yml is checked. The other four workflows already use SHA-pinned references today, but future modifications could introduce unpinned actions without detection.
What could go better
The pinact hook should cover all workflow files so that SHA-pinning is enforced consistently. Without this, a contributor (human or code agent) could add an unpinned action reference to release.yml or vouch-check.yml and neither the pre-commit hook nor the CI test job would catch it.
Confidence: High. The files: regex and entry: command both explicitly restrict scope to lint.yml. This is verifiable from the file contents. The only uncertainty is whether this was intentional (e.g., because other workflows are managed externally and shouldn't be checked locally), but there's no indication of that in the repo.
Proposed change
In .pre-commit-config.yaml, update the pinact hook to cover all workflow files:
- Change the
files regex from ^.github/workflows/lint\.yml$ to ^\.github/workflows/.*\.ya?ml$
- Change the
entry from pinact run --fix=false --no-api .github/workflows/lint.yml to pinact run --fix=false --no-api (let pinact discover all workflow files, or pass a glob)
- If pinact requires explicit file arguments, enumerate all current workflow files or use shell globbing in the entry command
Note: fullsend.yaml uses @main branch reference for the internal dispatch workflow (fullsend-ai/.fullsend/.github/workflows/dispatch.yml@main). If pinact flags this as a violation, it may need to be excluded or the reference pattern reviewed. Test the change against all five workflows before merging.
Validation criteria
After the change:
- Running
pre-commit run pinact --all-files should check all five workflow files (or at minimum all that use external action references)
- Adding an unpinned
uses: reference (e.g., actions/checkout@v4 without a SHA) to any workflow file should cause pinact to fail
- The CI
test job should also catch the same violations since it runs pre-commit run --all-files
Generated by retro agent from #29
What happened
PR #29 added a pinact pre-commit hook in
.pre-commit-config.yaml(lines 42-48) to enforce SHA-pinning on GitHub Actions. However, the hook is hardcoded to only check.github/workflows/lint.yml:The repository has five workflow files (
fullsend.yaml,lint.yml,release.yml,stale.yml,vouch-check.yml), but onlylint.ymlis checked. The other four workflows already use SHA-pinned references today, but future modifications could introduce unpinned actions without detection.What could go better
The pinact hook should cover all workflow files so that SHA-pinning is enforced consistently. Without this, a contributor (human or code agent) could add an unpinned action reference to
release.ymlorvouch-check.ymland neither the pre-commit hook nor the CItestjob would catch it.Confidence: High. The
files:regex andentry:command both explicitly restrict scope tolint.yml. This is verifiable from the file contents. The only uncertainty is whether this was intentional (e.g., because other workflows are managed externally and shouldn't be checked locally), but there's no indication of that in the repo.Proposed change
In
.pre-commit-config.yaml, update the pinact hook to cover all workflow files:filesregex from^.github/workflows/lint\.yml$to^\.github/workflows/.*\.ya?ml$entryfrompinact run --fix=false --no-api .github/workflows/lint.ymltopinact run --fix=false --no-api(let pinact discover all workflow files, or pass a glob)Note:
fullsend.yamluses@mainbranch reference for the internal dispatch workflow (fullsend-ai/.fullsend/.github/workflows/dispatch.yml@main). If pinact flags this as a violation, it may need to be excluded or the reference pattern reviewed. Test the change against all five workflows before merging.Validation criteria
After the change:
pre-commit run pinact --all-filesshould check all five workflow files (or at minimum all that use external action references)uses:reference (e.g.,actions/checkout@v4without a SHA) to any workflow file should cause pinact to failtestjob should also catch the same violations since it runspre-commit run --all-filesGenerated by retro agent from #29