Skip to content

chore(ci): expand pinact pre-commit hook to cover all workflow files #42

Description

@fullsend-ai-retro

What happened

PR #29 added a pinact pre-commit hook in .pre-commit-config.yaml (lines 42-48) to enforce SHA-pinning on GitHub Actions. However, the hook is hardcoded to only check .github/workflows/lint.yml:

- id: pinact
  name: pinact (SHA-pin check)
  entry: pinact run --fix=false --no-api .github/workflows/lint.yml
  files: ^\.github/workflows/lint\.yml$
  pass_filenames: false

The repository has five workflow files (fullsend.yaml, lint.yml, release.yml, stale.yml, vouch-check.yml), but only lint.yml is checked. The other four workflows already use SHA-pinned references today, but future modifications could introduce unpinned actions without detection.

What could go better

The pinact hook should cover all workflow files so that SHA-pinning is enforced consistently. Without this, a contributor (human or code agent) could add an unpinned action reference to release.yml or vouch-check.yml and neither the pre-commit hook nor the CI test job would catch it.

Confidence: High. The files: regex and entry: command both explicitly restrict scope to lint.yml. This is verifiable from the file contents. The only uncertainty is whether this was intentional (e.g., because other workflows are managed externally and shouldn't be checked locally), but there's no indication of that in the repo.

Proposed change

In .pre-commit-config.yaml, update the pinact hook to cover all workflow files:

  1. Change the files regex from ^.github/workflows/lint\.yml$ to ^\.github/workflows/.*\.ya?ml$
  2. Change the entry from pinact run --fix=false --no-api .github/workflows/lint.yml to pinact run --fix=false --no-api (let pinact discover all workflow files, or pass a glob)
  3. If pinact requires explicit file arguments, enumerate all current workflow files or use shell globbing in the entry command

Note: fullsend.yaml uses @main branch reference for the internal dispatch workflow (fullsend-ai/.fullsend/.github/workflows/dispatch.yml@main). If pinact flags this as a violation, it may need to be excluded or the reference pattern reviewed. Test the change against all five workflows before merging.

Validation criteria

After the change:

  1. Running pre-commit run pinact --all-files should check all five workflow files (or at minimum all that use external action references)
  2. Adding an unpinned uses: reference (e.g., actions/checkout@v4 without a SHA) to any workflow file should cause pinact to fail
  3. The CI test job should also catch the same violations since it runs pre-commit run --all-files

Generated by retro agent from #29

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions