Skip to content

ci: pin GitHub Actions to full-length commit SHAs #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
maxandersen merged 1 commit into from
May 19, 2026
Merged

ci: pin GitHub Actions to full-length commit SHAs #7

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,10 @@ jobs:
build:
runs-on: 'ubuntu-latest'
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Set up JDK 21
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: '21'
distribution: 'temurin'
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,12 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
fetch-depth: 0

- name: Set up JDK 21
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
with:
java-version: '21'
distribution: 'temurin'
Expand All @@ -37,7 +37,7 @@ jobs:
run: cp build/libs/jdkdb-scraper-${{ github.event.inputs.version }}-standalone.jar build/libs/jdkdb-scraper-standalone.jar

- name: Commit & Push changes
uses: stefanzweifel/git-auto-commit-action@v7
uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify git-auto-commit-action SHA corresponds to v7.x.x

# Fetch v7 tags
git ls-remote --tags https://github.com/stefanzweifel/git-auto-commit-action.git | grep -E 'v7\.' | head -20

# Check what tag points to this specific SHA
curl -s "https://api.github.com/repos/stefanzweifel/git-auto-commit-action/git/refs/tags" | \
  jq -r '.[] | select(.object.sha == "04702edda442b2e678b25b537cec683a1493fcb9") | .ref'

# Check the commit
curl -s "https://api.github.com/repos/stefanzweifel/git-auto-commit-action/commits/04702edda442b2e678b25b537cec683a1493fcb9" | \
  jq -r '.commit.message, .sha'

Repository: jbangdev/jdkdb-scraper

Length of output: 277

Update the inline comment to be more specific about the version.

The pinned SHA 04702edda442b2e678b25b537cec683a1493fcb9 correctly corresponds to v7.1.0. Update the comment from # v7 to # v7.1.0 for clarity and precision.

Also applies to: 65-65

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 40, Update the inline comment that
follows the pinned action SHA in the workflow step using the identifier uses:
stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 —
change the trailing comment text from "# v7" to the more specific "# v7.1.0";
make the same edit for the other occurrence that currently uses the same
SHA/comment pair.

with:
commit_message: "ci: Releasing version ${{ github.event.inputs.version }}"

Expand All @@ -49,7 +49,7 @@ jobs:
git push origin "v${{ github.event.inputs.version }}"

- name: Publish release
uses: softprops/action-gh-release@v3
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
with:
tag_name: v${{ github.event.inputs.version }}
name: Release v${{ github.event.inputs.version }}
Expand All @@ -62,6 +62,6 @@ jobs:
run: echo "version=${{ github.event.inputs.version }}.1-SNAPSHOT" > gradle.properties

- name: Commit & Push changes
uses: stefanzweifel/git-auto-commit-action@v7
uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
with:
commit_message: "ci: Prepare for next development iteration"