chore(deps): Update GitHub Actions#44
Conversation
Walkthrough
This PR updates GitHub Actions workflow files across the repository to improve dependency pinning and security. Org-level reusable workflows are pinned to a fixed commit SHA, and the
Changes
GitHub Actions Dependency Pinning
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Pull request overview
Updates pinned versions/digests for GitHub Actions and org-level reusable workflows used across this repo’s CI/security automation.
Changes:
- Bump `ByronWilliamsCPA/.github` reusable workflow references to a newer pinned digest across multiple workflows.
- Update `actions/checkout` to v4.3.1 (pinned by commit SHA).
- Update `github/codeql-action` to v3.36.0 and `step-security/harden-runner` to v2.19.4 (both pinned by commit SHA).
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/sonarcloud.yml | Pins SonarCloud reusable workflow to updated .github digest. |
| .github/workflows/slsa-provenance.yml | Updates harden-runner SHA and pins SLSA reusable workflow to updated .github digest. |
| .github/workflows/security-analysis.yml | Pins security analysis reusable workflow to updated .github digest. |
| .github/workflows/scorecard.yml | Pins scorecard reusable workflow to updated .github digest. |
| .github/workflows/sbom.yml | Pins SBOM reusable workflow to updated .github digest. |
| .github/workflows/reuse.yml | Pins REUSE reusable workflow to updated .github digest. |
| .github/workflows/qlty.yml | Pins Qlty coverage reusable workflow to updated .github digest. |
| .github/workflows/python-compatibility.yml | Pins compatibility reusable workflow to updated .github digest. |
| .github/workflows/pr-validation.yml | Pins supplemental checks reusable workflow and updates harden-runner SHA. |
| .github/workflows/mutation-testing.yml | Pins mutation testing reusable workflow to updated .github digest. |
| .github/workflows/docs.yml | Pins docs reusable workflow to updated .github digest. |
| .github/workflows/dependency-review.yml | Updates actions/checkout to v4.3.1 (pinned SHA). |
| .github/workflows/coverage.yml | Pins Qlty coverage reusable workflow to updated .github digest. |
| .github/workflows/codeql.yml | Updates harden-runner SHA and bumps CodeQL action to v3.36.0 (pinned SHA). |
| .github/workflows/codecov.yml | Pins codecov reusable workflow to updated .github digest. |
| .github/workflows/fips-compatibility.yml | Pins FIPS reusable workflow to updated .github digest. |
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3 | ||
| uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0 | ||
| with: |
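Review bot: the `# v3.36.0` comment on the new `uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57` line is informational only; the runner resolves the SHA, not the comment, so confirm upstream that 03e4368… is the commit the v3.36.0 tag points at (for example `git ls-remote --tags https://github.com/github/codeql-action v3.36.0`) before merging, since a comment that drifts from the pinned SHA misleads later audits of the pin.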
Socket for GitHub: 👍 No dependency changes detected in pull request.
Actionable comments posted: 1
⚠️ Outside diff range comments (2)
.github/workflows/mutation-testing.yml (1)
Lines 43-52: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Replace unconditional secret inheritance with explicit secret mapping.
Line 52 (`secrets: inherit`) forwards all available secrets to the called workflow, which weakens least-privilege boundaries. Pass only the specific secrets that job actually needs.
🔧 Proposed change
jobs: mutation: @@ - secrets: inherit + secrets: + # Keep this list minimal; include only secrets required by python-mutation.yml + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}As per coding guidelines,
.github/workflows/**: Review GitHub Actions workflows for proper secret handling.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/mutation-testing.yml around lines 43 - 52, The workflow currently uses a broad "secrets: inherit" which passes all repo secrets to the called workflow; replace this with an explicit secrets mapping that only forwards the specific secrets required by the called workflow (reference the called workflow invocation `uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@a9781c9f0f051339d5fed81b6b9f4fff2b064035` and the surrounding job keys like `python-version`, `source-directory`, `test-directory`, `mutation-threshold`, `fail-under-threshold`, `post-pr-comment`, `timeout-minutes`) — list each secret needed (e.g., GITHUB_TOKEN, MUTATION_API_KEY, or whichever the downstream job uses) and replace `secrets: inherit` with `secrets:` mapping that maps only those names to their repository secrets.
.github/workflows/pr-validation.yml (1)
Lines 32-50: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Avoid inheriting all secrets in the reusable-workflow call.
Line 49 (`secrets: inherit`) grants the called workflow access to every available secret, which breaks least-privilege. Pass only the exact secrets required by `python-supplemental-checks.yml`.
Suggested tightening
supplemental-checks: uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@a9781c9f0f051339d5fed81b6b9f4fff2b064035 # main @@ - secrets: inherit + # Map only explicitly required secrets for the called workflow. + # secrets: + # REQUIRED_SECRET: ${{ secrets.REQUIRED_SECRET }}As per coding guidelines, ".github/workflows/**: Review GitHub Actions workflows for: Security best practices (minimal permissions, pinned actions) and Proper secret handling."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/pr-validation.yml around lines 32 - 50, The reusable-workflow call currently uses "secrets: inherit", granting all repo secrets to python-supplemental-checks.yml; instead inspect the called workflow (python-supplemental-checks.yml) to determine which specific secrets it requires and replace "secrets: inherit" with an explicit list that forwards only those exact secrets (e.g., map each required secret name to ${{ secrets.NAME }}), removing the blanket inherit to enforce least-privilege.
📒 Files selected for processing (16)
.github/workflows/codecov.yml, .github/workflows/codeql.yml, .github/workflows/coverage.yml, .github/workflows/dependency-review.yml, .github/workflows/docs.yml, .github/workflows/fips-compatibility.yml, .github/workflows/mutation-testing.yml, .github/workflows/pr-validation.yml, .github/workflows/python-compatibility.yml, .github/workflows/qlty.yml, .github/workflows/reuse.yml, .github/workflows/sbom.yml, .github/workflows/scorecard.yml, .github/workflows/security-analysis.yml, .github/workflows/slsa-provenance.yml, .github/workflows/sonarcloud.yml
| - name: Checkout repository | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 |
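Review bot: the bumped `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` step still has no `with:` block, so `persist-credentials` keeps its default and the GITHUB_TOKEN is written into the local git config for the rest of the job; unless a later step in dependency-review.yml performs authenticated git operations, add `persist-credentials: false` to this step in the same change as the digest bump rather than leaving it for a follow-up.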
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify this job does not require authenticated git operations before enforcing persist-credentials:false
rg -n -C2 'git (push|tag|fetch|submodule|clone)|gh ' .github/workflows/dependency-review.yml
Repository: ByronWilliamsCPA/python-libs
Length of output: 245
Disable checkout credential persistence.
In .github/workflows/dependency-review.yml (lines 23-24), the actions/checkout step is pinned but doesn’t set persist-credentials: false, leaving credentials available in the local git context. Add it to reduce token exposure.
Suggested fix
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false📝 Committable suggestion
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - name: Checkout repository | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false |
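Review bot: the rendered suggestion has lost its YAML indentation; when applying it, `with:` must sit at the same level as the step's `uses:` key and `persist-credentials: false` one level deeper under `with:`, otherwise the key attaches to the wrong mapping or the workflow fails to parse, and the zizmor `artipacked` warning above will not clear.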
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/dependency-review.yml around lines 23 - 24, The checkout
step using actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 should
disable credential persistence to avoid exposing the GITHUB_TOKEN; update the
checkout step (the step named "Checkout repository" that uses actions/checkout)
to include persist-credentials: false so credentials are not left in the local
git config after checkout.
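The three review findings on this PR (the `secrets: inherit` calls in mutation-testing.yml and pr-validation.yml, the checkout in dependency-review.yml that never sets `persist-credentials: false`, and the digest pinning the PR itself performs) are all mechanically checkable. The script below is an added example and not code from the PR, from Renovate, CodeRabbit or zizmor; it assumes only POSIX sh, awk and coreutils, and the two sample workflow files it writes are constructed for the demonstration, reusing the action and reusable-workflow references quoted on this page.

```shell
#!/bin/bash
# Added example (not code from the PR, Renovate, CodeRabbit or zizmor): a small
# audit over GitHub Actions workflow files for the three findings in this thread:
#   1. `uses:` references not pinned to a full 40-hex commit SHA
#   2. reusable-workflow calls that use `secrets: inherit`
#   3. actions/checkout steps that do not set `persist-credentials: false`
# Assumes only POSIX sh, awk and coreutils. Function names and the sample
# workflow files are constructed for this example.

# audit_workflow FILE: print one finding per line as "file:line: message";
# exit status 0 when the file is clean, 1 when anything was reported.
audit_workflow() {
  findings=$(awk -v file="$1" '
    # Report a checkout step that ended without persist-credentials: false.
    function flush_checkout() {
      if (in_checkout && !persist_false)
        print file ":" checkout_line ": actions/checkout without persist-credentials: false"
      in_checkout = 0; persist_false = 0
    }
    # A named step starts here; close any checkout step being tracked.
    /^[ \t]*-[ \t]+name:/ { flush_checkout() }
    # Step-level ("- uses:" / "uses:") and job-level ("uses:") references.
    /^[ \t]*(-[ \t]+)?uses:[ \t]*/ {
      flush_checkout()
      ref = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", ref)
      sub(/[ \t]*#.*$/, "", ref)            # drop the "# vX.Y.Z" comment
      n = split(ref, parts, "@")
      # Local actions (./path) and docker:// images have no ref to pin.
      if (index(ref, "./") != 1 && index(ref, "docker://") != 1) {
        if (n < 2 || length(parts[2]) != 40 || parts[2] !~ /^[0-9a-f]+$/)
          print file ":" NR ": unpinned action reference: " ref
      }
      if (index(ref, "actions/checkout@") == 1) { in_checkout = 1; checkout_line = NR }
    }
    /^[ \t]*persist-credentials:[ \t]*false/ { if (in_checkout) persist_false = 1 }
    /^[ \t]*secrets:[ \t]*inherit/ {
      print file ":" NR ": secrets: inherit forwards every repository secret to the called workflow"
    }
    END { flush_checkout() }
  ' "$1")
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -z "$findings" ]
}

# audit_count FILE: number of findings, for scripting and tests.
audit_count() {
  audit_workflow "$1" | wc -l | tr -d ' '
}

# write_samples DIR: constructed "before" and "after" workflows (not files from
# the repository) mirroring the patterns discussed in the review.
write_samples() {
  cat > "$1/weak.yml" <<'EOF'
name: weak
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Lint with a local action
        uses: ./.github/actions/lint
  mutation:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@main
    secrets: inherit
EOF
  cat > "$1/hardened.yml" <<'EOF'
name: hardened
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
  mutation:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@a9781c9f0f051339d5fed81b6b9f4fff2b064035 # main
    secrets:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
}

# Usage: audit the constructed samples in a scratch directory.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
for f in "$sample_dir"/weak.yml "$sample_dir"/hardened.yml; do
  echo "== $f"
  audit_workflow "$f" || true
done
```

On the constructed input the weak file yields four findings (the `@v4` and `@main` references, the checkout without `persist-credentials: false`, and `secrets: inherit`) and the hardened file none. The script treats `./local-action` and `docker://` references as exempt from SHA pinning, and it closes a tracked checkout step at the next `- name:` or `uses:` line so that a `persist-credentials: false` belonging to a later step is never credited to the checkout.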
Stale review: actionable comment targets pre-existing secrets:inherit outside this diff; PR is Renovate digest bumps only, rebased after review. All 4 required contexts green.
…table root) The bumped python-sbom.yml SHA defaults no-build to true, which fails on this repo's editable hatchling root package (no binary distribution). Set no-build: false per the reusable workflow's own guidance.
* fix(ci): opt out of --no-build in org reusable workflow callers
  The org reusable workflows gained a no-build input defaulting to true, which passes --no-build to uv sync and fails on this repo's editable hatchling root package (no binary distribution). This broke the docs, SonarCloud, and FIPS runs on main and would break compatibility and mutation runs on their next schedule. Set no-build: false in all five callers, matching the sbom.yml fix merged in #44.
* fix(sonarcloud): enumerate package test dirs in sonar.tests
  SonarCloud rejects wildcards in sonar.sources/sonar.tests; the packages/*/tests/ entry failed the scan with exit code 3 once the workflow was unbroken. List the four package test directories explicitly.
* fix(sonarcloud): point CI analysis at the byronwilliamscpa org
  The scanner 404'd on analysis creation because sonar-organization was set to williaby, which has no python-libs project. The project key ByronWilliamsCPA_python-libs exists in the byronwilliamscpa org (confirmed via the SonarCloud components API).



Why
Scheduled patch update, bug fixes and security patches with no API changes.
Changes
This PR contains the following updates:

| Package | Change |
|---|---|
| step-security/harden-runner | `6bad2f8` → `987d517` (`v2.19.1` → `v2.19.4`) |

Impact
Release Notes
step-security/harden-runner (step-security/harden-runner)
v2.19.4 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4
v2.19.3 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3
v2.19.2 (Compare Source)
What's Changed
Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.