
chore(deps): Update GitHub Actions #44

Merged: williaby merged 2 commits into main from renovate/github-actions on Jun 10, 2026

Conversation

williaby (Contributor) commented May 28, 2026

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package                               Change               Type    Update
ByronWilliamsCPA/.github (changelog)  6bad2f8 -> 987d517   action  digest
step-security/harden-runner           v2.19.1 -> v2.19.4   action  patch

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

step-security/harden-runner (step-security/harden-runner)

v2.19.4


What's Changed
  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3


What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2


What's Changed
  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2


Configuration

📅 Schedule: (in timezone America/New_York)

  • Branch creation
    • "after 10pm every weekday,before 5am every weekday,every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings May 28, 2026 04:41
coderabbitai (bot) commented May 28, 2026


Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 28 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 273d77f6-4685-423b-a078-b77a427d98c9

📥 Commits

Reviewing files that changed from the base of the PR and between b59642e and a8e184b.

📒 Files selected for processing (1)
  • .github/workflows/sbom.yml

Walkthrough

This PR updates GitHub Actions workflow files across the repository to improve dependency pinning and security. Org-level reusable workflows are pinned to a fixed commit SHA, and the step-security/harden-runner action is upgraded from v2.19.1 to v2.19.4.

Changes

GitHub Actions Dependency Pinning

Pin org-level reusable workflows to fixed commit SHA
  Files: .github/workflows/codecov.yml, .github/workflows/coverage.yml, .github/workflows/docs.yml, .github/workflows/fips-compatibility.yml, .github/workflows/mutation-testing.yml, .github/workflows/pr-validation.yml, .github/workflows/python-compatibility.yml, .github/workflows/qlty.yml, .github/workflows/sbom.yml, .github/workflows/slsa-provenance.yml, .github/workflows/sonarcloud.yml
  Summary: Eleven org-level reusable workflows (python-codecov.yml, python-qlty-coverage.yml, python-docs.yml, python-fips-compatibility.yml, python-mutation.yml, python-supplemental-checks.yml, python-compatibility.yml, python-sonarcloud.yml, python-sbom.yml, python-slsa.yml) are pinned to a new fixed commit SHA 987d517d3c8e4b180f4dd15de6d9575f0df91182 instead of older or moving references.

Upgrade step-security/harden-runner to v2.19.4
  Files: .github/workflows/ci.yml, .github/workflows/codecov.yml, .github/workflows/codeql.yml, .github/workflows/dependency-review.yml, .github/workflows/pr-validation.yml, .github/workflows/publish-artifact-registry.yml, .github/workflows/release.yml, .github/workflows/slsa-provenance.yml
  Summary: The step-security/harden-runner action is upgraded from v2.19.1 to v2.19.4 across 14 workflow jobs, pinned by new commit SHAs. This includes six updates in ci.yml (detect-changes, test-cloudflare-auth, test-gcs-utilities, security, coverage, ci-gate), and single updates in other workflows.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • Dependency Dashboard #24: Renovate Dependency Dashboard actions and reusable workflow pinning overlap directly with this PR's updates to step-security/harden-runner and org-level workflow SHAs.
  • Dependency Dashboard cookiecutter-python-template#35: Both update the same GitHub Actions workflow files and pin/update step-security/harden-runner and org-level reusable workflow references.
  • ByronWilliamsCPA/cookiecutter-template-sample#3: Both update org-level reusable workflow references and repin step-security/harden-runner to v2.19.4 across GitHub workflow files, matching Renovate dependency updates.
  • ByronWilliamsCPA/template-sample#4: This PR's repinning of org reusable workflows and step-security/harden-runner updates directly correspond to the Renovate dependency updates and failures listed.
  • Dependency Dashboard DeQA-Doc#16: Changes match Renovate dependency updates for reusable workflow pinning and step-security/harden-runner v2.19.4 upgrades.
  • fix(ci): pin org reusable workflow references to SHA instead of @main audio-processor#9: Makes the same code-level changes—pinning org reusable workflow references and repinning step-security/harden-runner—across GitHub workflow files.
  • ByronWilliamsCPA/taxdome#7: Both repins org-level reusable workflows and upgrade step-security/harden-runner from v2.19.1 to v2.19.4, matching Renovate dependency updates.
  • Dependency Dashboard reference-library#10: Directly related; repins reusable workflow refs and upgrades step-security/harden-runner to v2.19.4 across the same GitHub Actions workflow files.
  • Dependency Dashboard family-office-portal#6: Both update GitHub Actions workflow dependencies—pinning step-security/harden-runner to v2.19.4 and other action references.
  • ByronWilliamsCPA/maester-tests#14: Directly related; repins org-level reusable workflows and upgrades step-security/harden-runner to v2.19.4, matching Renovate dependency entries.

Possibly related PRs

  • ByronWilliamsCPA/python-libs#13: Prior PR that migrated workflows to centralized reusable workflows; this PR now pins those reusable workflow references to fixed SHAs and upgrades harden-runner versions.

Suggested labels

dependencies, security

Poem

🐰 Pinned with care, a workflow's prayer,
Harden-runner v2.19.4 everywhere!
Commit SHAs locked, no drifting about,
Security tightened with nary a doubt.
Dependencies steady, the rabbits shall cheer! 🎉

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'chore(deps): Update GitHub Actions' accurately and concisely describes the main change: updating GitHub Actions and dependencies across the workflow files.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


codecov (bot) commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Copilot AI left a comment

Pull request overview

Updates pinned versions/digests for GitHub Actions and org-level reusable workflows used across this repo’s CI/security automation.

Changes:

  • Bump ByronWilliamsCPA/.github reusable workflow references to a newer pinned digest across multiple workflows.
  • Update actions/checkout to v4.3.1 (pinned by commit SHA).
  • Update github/codeql-action to v3.36.0 and step-security/harden-runner to v2.19.4 (both pinned by commit SHA).

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 1 comment.

Summary per file:

  • .github/workflows/sonarcloud.yml: Pins SonarCloud reusable workflow to updated .github digest.
  • .github/workflows/slsa-provenance.yml: Updates harden-runner SHA and pins SLSA reusable workflow to updated .github digest.
  • .github/workflows/security-analysis.yml: Pins security analysis reusable workflow to updated .github digest.
  • .github/workflows/scorecard.yml: Pins scorecard reusable workflow to updated .github digest.
  • .github/workflows/sbom.yml: Pins SBOM reusable workflow to updated .github digest.
  • .github/workflows/reuse.yml: Pins REUSE reusable workflow to updated .github digest.
  • .github/workflows/qlty.yml: Pins Qlty coverage reusable workflow to updated .github digest.
  • .github/workflows/python-compatibility.yml: Pins compatibility reusable workflow to updated .github digest.
  • .github/workflows/pr-validation.yml: Pins supplemental checks reusable workflow and updates harden-runner SHA.
  • .github/workflows/mutation-testing.yml: Pins mutation testing reusable workflow to updated .github digest.
  • .github/workflows/docs.yml: Pins docs reusable workflow to updated .github digest.
  • .github/workflows/dependency-review.yml: Updates actions/checkout to v4.3.1 (pinned SHA).
  • .github/workflows/coverage.yml: Pins Qlty coverage reusable workflow to updated .github digest.
  • .github/workflows/codeql.yml: Updates harden-runner SHA and bumps CodeQL action to v3.36.0 (pinned SHA).
  • .github/workflows/codecov.yml: Pins codecov reusable workflow to updated .github digest.
  • .github/workflows/fips-compatibility.yml: Pins FIPS reusable workflow to updated .github digest.

Comment on lines 59 to 61
- name: Initialize CodeQL
uses: github/codeql-action/init@0daab03d71ff584ef619d027a3fd9146679c5d84 # v3.35.3
uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
with:
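Review bot: only the github/codeql-action/init step is visible in this hunk; the analyze step (and autobuild, if the workflow uses it) in the same codeql.yml should be pinned to the same 03e4368ac7daa2bd82b3e85262f3bf87ee112f57 commit so init and analyze run the same action version, which the per-file summary ("bumps CodeQL action to v3.36.0") implies but this hunk alone does not show.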
@williaby williaby force-pushed the renovate/github-actions branch 4 times, most recently from 6eab07b to 61bec91 Compare June 2, 2026 05:13
socket-security (bot) commented Jun 2, 2026

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

@williaby williaby force-pushed the renovate/github-actions branch 6 times, most recently from eb0d039 to d744dde Compare June 5, 2026 17:11
@coderabbitai coderabbitai Bot added ci and removed dependencies labels Jun 5, 2026
coderabbitai (bot) previously requested changes Jun 5, 2026 and left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/mutation-testing.yml (1)

43-52: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Replace unconditional secret inheritance with explicit secret mapping.

Line 52 (secrets: inherit) forwards all available secrets to the called workflow, which weakens least-privilege boundaries. Pass only the specific secrets that job actually needs.

🔧 Proposed change
 jobs:
   mutation:
@@
-    secrets: inherit
+    secrets:
+      # Keep this list minimal; include only secrets required by python-mutation.yml
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
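Review bot: the explicit mapping should not list GITHUB_TOKEN, which GitHub passes to a called reusable workflow automatically; the list belongs to whatever python-mutation.yml declares under `on.workflow_call.secrets`, as the hunk's own comment says, because any secret that workflow marks required and the caller does not map fails the run at validation rather than at the step that needs it. Check the called workflow at the pinned SHA before committing the mapping.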

As per coding guidelines, .github/workflows/**: Review GitHub Actions workflows for proper secret handling.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/mutation-testing.yml around lines 43 - 52, The workflow
currently uses a broad "secrets: inherit" which passes all repo secrets to the
called workflow; replace this with an explicit secrets mapping that only
forwards the specific secrets required by the called workflow (reference the
called workflow invocation `uses:
ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@a9781c9f0f051339d5fed81b6b9f4fff2b064035`
and the surrounding job keys like `python-version`, `source-directory`,
`test-directory`, `mutation-threshold`, `fail-under-threshold`,
`post-pr-comment`, `timeout-minutes`) — list each secret needed (e.g.,
GITHUB_TOKEN, MUTATION_API_KEY, or whichever the downstream job uses) and
replace `secrets: inherit` with `secrets:` mapping that maps only those names to
their repository secrets.
.github/workflows/pr-validation.yml (1)

32-50: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid inheriting all secrets in the reusable-workflow call.

Line 49 (secrets: inherit) grants the called workflow access to every available secret, which breaks least-privilege. Pass only the exact secrets required by python-supplemental-checks.yml.

Suggested tightening
   supplemental-checks:
     uses: ByronWilliamsCPA/.github/.github/workflows/python-supplemental-checks.yml@a9781c9f0f051339d5fed81b6b9f4fff2b064035 # main
@@
-    secrets: inherit
+    # Map only explicitly required secrets for the called workflow.
+    # secrets:
+    #   REQUIRED_SECRET: ${{ secrets.REQUIRED_SECRET }}
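Review bot: as written, the replacement comments out the whole `secrets:` block, so the called workflow receives no caller secrets at all; if python-supplemental-checks.yml declares any required secret under `on.workflow_call.secrets`, the run fails at validation. Either uncomment the mapping with the real names from that file or state that it declares no secrets, so the commented-out placeholder does not get merged as the final form.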

As per coding guidelines, ".github/workflows/**: Review GitHub Actions workflows for: Security best practices (minimal permissions, pinned actions) and Proper secret handling."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-validation.yml around lines 32 - 50, The
reusable-workflow call currently uses "secrets: inherit", granting all repo
secrets to python-supplemental-checks.yml; instead inspect the called workflow
(python-supplemental-checks.yml) to determine which specific secrets it requires
and replace "secrets: inherit" with an explicit list that forwards only those
exact secrets (e.g., map each required secret name to ${{ secrets.NAME }}),
removing the blanket inherit to enforce least-privilege.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 77dfcd5b-4abd-4230-bfd5-afc26c438946

📥 Commits

Reviewing files that changed from the base of the PR and between c0eb24a and d744dde.

📒 Files selected for processing (16)
  • .github/workflows/codecov.yml
  • .github/workflows/codeql.yml
  • .github/workflows/coverage.yml
  • .github/workflows/dependency-review.yml
  • .github/workflows/docs.yml
  • .github/workflows/fips-compatibility.yml
  • .github/workflows/mutation-testing.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/python-compatibility.yml
  • .github/workflows/qlty.yml
  • .github/workflows/reuse.yml
  • .github/workflows/sbom.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/security-analysis.yml
  • .github/workflows/slsa-provenance.yml
  • .github/workflows/sonarcloud.yml

Comment thread .github/workflows/dependency-review.yml Outdated
Comment on lines +23 to +24
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify this job does not require authenticated git operations before enforcing persist-credentials:false
rg -n -C2 'git (push|tag|fetch|submodule|clone)|gh ' .github/workflows/dependency-review.yml

Repository: ByronWilliamsCPA/python-libs

Length of output: 245


Disable checkout credential persistence.

In .github/workflows/dependency-review.yml (lines 23-24), the actions/checkout step is pinned but doesn’t set persist-credentials: false, leaving credentials available in the local git context. Add it to reduce token exposure.

Suggested fix
       - name: Checkout repository
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
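Review bot: the `with:` block is the right change, and the indentation matches the step keys above it; the precondition, that no later step in this job performs authenticated git operations, was checked with the rg command above, but only "Length of output: 245" is shown, not the matches themselves, so the finding should record what that output was before this is treated as safe to apply.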
Suggested change
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml around lines 23 - 24, The checkout
step using actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 should
disable credential persistence to avoid exposing the GITHUB_TOKEN; update the
checkout step (the step named "Checkout repository" that uses actions/checkout)
to include persist-credentials: false so credentials are not left in the local
git config after checkout.
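The three findings in this review (blanket `secrets: inherit` on reusable-workflow calls, an actions/checkout step without `persist-credentials: false`, and the PR's own theme of pinning every `uses:` reference to a full commit SHA) are mechanical enough to check before a review bot does. The script below is an added example, not code from this PR, from Renovate, CodeRabbit or any ByronWilliamsCPA project. It is a line scanner rather than a YAML parser and assumes two-space indentation with one key per line, which is how the workflows quoted on this page are laid out. The two embedded workflows are constructed: `example-org`, `python-checks.yml`, `EXAMPLE_TOKEN` and the two 40-hex values marked as constructed are placeholders; the actions/checkout SHA is the v4.3.1 commit from the hunk above.

```python
"""Audit GitHub Actions workflow text for unpinned action refs, blanket
`secrets: inherit`, and actions/checkout steps that keep credentials.

Added example (not the PR's or any project's code). Line scanner, not a YAML
parser: assumes two-space indentation and one key per line."""
import re
from dataclasses import dataclass

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SECRETS_INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*$")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the workflow text
    rule: str    # "unpinned-ref", "secrets-inherit" or "checkout-credentials"
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _checkout_persists_credentials(lines: list[str], idx: int, key_col: int) -> bool:
    """Scan the rest of the step whose `uses:` key sits at lines[idx] (0-based).
    The step ends at the first non-blank line indented less than that key."""
    for later in lines[idx + 1:]:
        if not later.strip():
            continue
        if _indent(later) < key_col:
            break
        if PERSIST_FALSE.match(later):
            return False
    return True  # default of actions/checkout: token stays in .git/config


def audit_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        lineno = idx + 1
        if SECRETS_INHERIT.match(line):
            findings.append(Finding(lineno, "secrets-inherit",
                "forwards every caller secret; map only what the called workflow declares"))
            continue
        m = USES_LINE.match(line)
        if not m:
            continue
        ref_str = m.group(1)
        if ref_str.startswith("./") or ref_str.startswith("docker://"):
            continue  # local actions and container refs are out of scope here
        action, sep, ref = ref_str.rpartition("@")
        if not sep:
            action = ref_str  # no "@ref" at all
        if not sep or not FULL_SHA.match(ref):
            findings.append(Finding(lineno, "unpinned-ref",
                f"{ref_str}: pin to a 40-hex commit SHA, version as trailing comment"))
        if action.startswith("actions/checkout"):
            key_col = line.index("uses:")
            if _checkout_persists_credentials(lines, idx, key_col):
                findings.append(Finding(lineno, "checkout-credentials",
                    "actions/checkout without persist-credentials: false"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: the weak form of a caller workflow.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  checks:
    uses: example-org/.github/.github/workflows/python-checks.yml@main
    secrets: inherit
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: step-security/harden-runner@v2.19.4
"""

# Constructed sample: the same workflow with the three gaps closed.
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  checks:
    uses: example-org/.github/.github/workflows/python-checks.yml@0123456789abcdef0123456789abcdef01234567 # main (constructed SHA)
    secrets:
      EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
  review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - uses: step-security/harden-runner@fedcba9876543210fedcba9876543210fedcba98 # v2.19.4 (constructed SHA)
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = audit_workflow(text)
        print(f"{name}: {summarize(found)}")
        for f in found:
            print(f"  line {f.line} [{f.rule}] {f.detail}")
```

Run over the weak sample it reports five findings (three unpinned refs, one `secrets: inherit`, one checkout keeping credentials) and none over the hardened one; pointing `audit_workflow` at the text of each file under `.github/workflows/` gives the same pre-review pass a CI step could enforce.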

@williaby williaby force-pushed the renovate/github-actions branch 5 times, most recently from 9f55c05 to e82e86d Compare June 9, 2026 17:35
@williaby williaby added the skip-changelog PR intentionally omits a CHANGELOG entry label Jun 10, 2026
@williaby williaby force-pushed the renovate/github-actions branch from e82e86d to b59642e Compare June 10, 2026 05:15
@williaby williaby dismissed coderabbitai[bot]’s stale review June 10, 2026 12:54

Stale review: actionable comment targets pre-existing secrets:inherit outside this diff; PR is Renovate digest bumps only, rebased after review. All 4 required contexts green.

…table root)

The bumped python-sbom.yml SHA defaults no-build to true, which fails on
this repo's editable hatchling root package (no binary distribution).
Set no-build: false per the reusable workflow's own guidance.

github-advanced-security (bot) commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@williaby williaby merged commit dd657d0 into main Jun 10, 2026
42 of 45 checks passed
@williaby williaby deleted the renovate/github-actions branch June 10, 2026 13:00
williaby added a commit that referenced this pull request Jun 10, 2026
* fix(ci): opt out of --no-build in org reusable workflow callers

The org reusable workflows gained a no-build input defaulting to true,
which passes --no-build to uv sync and fails on this repo's editable
hatchling root package (no binary distribution). This broke the docs,
SonarCloud, and FIPS runs on main and would break compatibility and
mutation runs on their next schedule. Set no-build: false in all five
callers, matching the sbom.yml fix merged in #44.

* fix(sonarcloud): enumerate package test dirs in sonar.tests

SonarCloud rejects wildcards in sonar.sources/sonar.tests; the
packages/*/tests/ entry failed the scan with exit code 3 once the
workflow was unbroken. List the four package test directories
explicitly.

* fix(sonarcloud): point CI analysis at the byronwilliamscpa org

The scanner 404'd on analysis creation because sonar-organization was
set to williaby, which has no python-libs project. The project key
ByronWilliamsCPA_python-libs exists in the byronwilliamscpa org
(confirmed via the SonarCloud components API).
@coderabbitai coderabbitai Bot mentioned this pull request Jun 30, 2026
3 tasks