chore(deps): Update GitHub Actions#51
Conversation
Walkthrough
Thirteen CI workflow files each update one or more pinned commit SHAs: reusable org-level workflow references are bumped to
CI Workflow SHA Bumps
Pull request overview
This PR updates the pinned commit SHA references for several org-level reusable GitHub Actions workflows (ByronWilliamsCPA/.github) from 987d517… to 7198a49…, keeping CI/security automation aligned with the latest patch-level fixes.
Changes:
- Bumped the referenced digest for the shared python-* reusable workflows across CI-adjacent pipelines (SonarCloud, SLSA provenance, SBOM, coverage uploads, docs, compatibility, etc.).
- No workflow logic or inputs were changed in this repo; only the pinned workflow revision.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/sonarcloud.yml | Update reusable workflow pin for SonarCloud analysis. |
| .github/workflows/slsa-provenance.yml | Update reusable workflow pin for SLSA provenance generation. |
| .github/workflows/sbom.yml | Update reusable workflow pin for SBOM generation/security scan. |
| .github/workflows/qlty.yml | Update reusable workflow pin for Qlty coverage upload. |
| .github/workflows/python-compatibility.yml | Update reusable workflow pin for compatibility matrix runs. |
| .github/workflows/pr-validation.yml | Update reusable workflow pin for supplemental PR checks. |
| .github/workflows/mutation-testing.yml | Update reusable workflow pin for mutation testing. |
| .github/workflows/fips-compatibility.yml | Update reusable workflow pin for FIPS compatibility checks. |
| .github/workflows/docs.yml | Update reusable workflow pin for docs build/deploy. |
| .github/workflows/coverage.yml | Update reusable workflow pin for Qlty coverage upload (post-CI). |
| .github/workflows/codecov.yml | Update reusable workflow pin for Codecov coverage upload. |
Codecov Report: All modified and coverable lines are covered by tests.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/mutation-testing.yml (1)
Lines 42-53: 🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Consider scoping secrets instead of secrets: inherit.

secrets: inherit (line 53) forwards every repo/org secret to the called workflow rather than only what it needs. Since this is a same-org, SHA-pinned reusable workflow the blast radius is bounded, but passing explicit named secrets follows least-privilege and silences the zizmor secrets-inherit warning. As per path instructions, review workflows for proper secret handling.

🤖 Prompt for AI Agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/mutation-testing.yml around lines 42-53, the reusable workflow call in mutation-testing.yml is using secrets: inherit, which passes all available secrets instead of only the ones needed; update the workflow invocation to pass explicit named secrets to the python-mutation.yml call and remove the blanket inheritance, using the existing reusable-workflow inputs/secrets mapping near the with block and secrets handling to keep least-privilege and satisfy the secrets-inherit warning. Sources: Path instructions, Linters/SAST tools
📒 Files selected for processing (12)
- .github/workflows/codecov.yml
- .github/workflows/codeql.yml
- .github/workflows/coverage.yml
- .github/workflows/docs.yml
- .github/workflows/fips-compatibility.yml
- .github/workflows/mutation-testing.yml
- .github/workflows/pr-validation.yml
- .github/workflows/python-compatibility.yml
- .github/workflows/qlty.yml
- .github/workflows/sbom.yml
- .github/workflows/slsa-provenance.yml
- .github/workflows/sonarcloud.yml
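Added example, not code from this PR, from the ByronWilliamsCPA/.github reusable workflows, or from zizmor: a bash check that applies the two points the reviews raise, full-commit-SHA pins on every uses: reference (the Copilot summary) and named secrets in place of secrets: inherit (the CodeRabbit comment), to a constructed caller workflow shown in its weak and hardened forms. The org name example-org, the placeholder SHA, the python-version input and the EXAMPLE_TOKEN secret are assumptions; the real inputs and secrets of python-mutation.yml are not on this page.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the org's .github repo.
# Flags two things in a GitHub Actions caller workflow:
#   1. a `uses:` reference whose @ref is not a full 40-hex commit SHA
#   2. a blanket `secrets: inherit` on a reusable-workflow call
# Org name, SHA, input and secret names below are placeholders (assumptions).
set -eu

# Constructed caller workflow in the weak form: tag-pinned reusable workflow
# plus `secrets: inherit`, which forwards every repo/org secret the caller can see.
SAMPLE_WEAK='name: mutation-testing
on: [push]
jobs:
  mutation:
    uses: example-org/.github/.github/workflows/python-mutation.yml@v1
    with:
      python-version: "3.12"
    secrets: inherit
'

# Same call, hardened: full-SHA pin and only the named secret the callee declares
# under on.workflow_call.secrets (EXAMPLE_TOKEN is a placeholder name).
SAMPLE_FIXED='name: mutation-testing
on: [push]
jobs:
  mutation:
    uses: example-org/.github/.github/workflows/python-mutation.yml@0123456789abcdef0123456789abcdef01234567
    with:
      python-version: "3.12"
    secrets:
      EXAMPLE_TOKEN: ${{ secrets.EXAMPLE_TOKEN }}
'

# Read a workflow from stdin, print one line per finding, return 0 only when clean.
check_workflow() {
  local line trimmed ref sha n=0 findings=0
  while IFS= read -r line; do
    n=$((n + 1))
    trimmed="${line#"${line%%[![:space:]]*}"}"   # strip leading indentation
    case "$trimmed" in
      "uses:"*|"- uses:"*)
        ref="${trimmed#*uses:}"
        ref="${ref#"${ref%%[![:space:]]*}"}"
        ref="${ref%%[[:space:]]*}"               # drop a trailing comment, if any
        # refs without an @ (local ./paths, plain docker:// images) are skipped
        case "$ref" in
          *@*)
            sha="${ref##*@}"
            if ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
              printf 'line %d: %s is pinned to %s, not a full commit SHA\n' "$n" "${ref%@*}" "$sha"
              findings=$((findings + 1))
            fi
            ;;
        esac
        ;;
      "secrets: inherit"*)
        printf 'line %d: secrets: inherit forwards every available secret; pass named secrets instead\n' "$n"
        findings=$((findings + 1))
        ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Demo: the weak form reports two findings, the hardened form none.
for sample in "$SAMPLE_WEAK" "$SAMPLE_FIXED"; do
  if printf '%s' "$sample" | check_workflow; then
    echo "clean"
  else
    echo "needs attention"
  fi
done
```

The hardened form only runs if the called workflow declares EXAMPLE_TOKEN under on.workflow_call.secrets; a secret passed by name that the callee does not declare fails workflow validation, which is the check that makes the explicit mapping auditable. For the real repository, run zizmor over .github/workflows rather than this stand-in; the script only mirrors the two findings discussed above.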
Summary
Why
Scheduled patch update, bug fixes and security patches with no API changes.
Changes
This PR contains the following updates:
| Package | Change |
|---|---|
| ByronWilliamsCPA/.github (reusable workflows) | 987d517 → 1502ecd |
| actions/attest-build-provenance | v4.1.0 → v4.1.1 |
| actions/setup-python | v6.2.0 → v6.3.0 |
Impact
Acceptance Criteria
Testing
Notes
Release Notes
actions/attest-build-provenance (actions/attest-build-provenance)
v4.1.1 (Compare Source)
What's Changed
Full Changelog: actions/attest-build-provenance@v4.1.0...v4.1.1
actions/setup-python (actions/setup-python)
v6.3.0 (Compare Source)
What's Changed
Enhancement
Dependency update
Documentation
New Contributors
Full Changelog: actions/setup-python@v6...v6.3.0
Configuration
📅 Schedule: (in timezone America/New_York)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.