Skip to content

chore(ci): use checkout release tag#54

Merged
jdx merged 1 commit into
mainfrom
codex/use-checkout-release-tag
Jul 6, 2026
Merged

chore(ci): use checkout release tag#54
jdx merged 1 commit into
mainfrom
codex/use-checkout-release-tag

Conversation

@jdx

@jdx jdx commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Summary

  • Replace actions/checkout workflow pins that were annotated as # main with the current v7.0.0 tag digest.
  • Keep digest-pinned GitHub Action refs while making the source tag explicit in comments.

Validation

  • Ran git diff --check HEAD~1..HEAD locally.
  • Verified the generated remote tree matches the local committed tree.

Note

Low Risk
Mechanical CI dependency pin with no application or release logic changes; checkout behavior should be equivalent aside from the tagged action version.

Overview
Updates every actions/checkout step in CI workflows (autobump, build, release-new, release, tests) from the previous digest (commented as # main) to the v7.0.0 release digest 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0, while keeping full-SHA pinning.

No build scripts, recipes, or runtime code change—only workflow checkout refs and their inline version comments.

Reviewed by Cursor Bugbot for commit 6ff6961. Bugbot is set up for automated code reviews on this repo. Configure here.

Summary by CodeRabbit

  • Chores
    • Updated repository checkout steps across multiple automation workflows to a newer pinned version.
    • This improves consistency and helps keep CI and release processes aligned with the latest trusted action revision.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates the pinned actions/checkout commit SHA to v7.0.0 across five GitHub Actions workflow files: autobump, build, release-new, release, and tests. No other workflow logic, jobs, triggers, or steps are modified.

Changes

actions/checkout version bump

Layer / File(s) Summary
Update pinned actions/checkout SHA
.github/workflows/autobump.yml, .github/workflows/build.yml, .github/workflows/release-new.yml, .github/workflows/release.yml, .github/workflows/tests.yml
Each workflow's actions/checkout step is repinned from the prior commit SHA to the commit corresponding to v7.0.0.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

  • jdx/ruby#39: Also updates the pinned actions/checkout commit SHA across the same set of GitHub workflow files.

Poem

A hop, a skip, a version bump,
checkout's SHA gets a fresh jump 🐇
v7.0.0 now pinned tight,
workflows humming through the night,
carrots counted, builds all clump!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: updating CI workflows to use a newer pinned checkout release tag.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@greptile-apps

greptile-apps Bot commented Jul 6, 2026

Copy link
Copy Markdown

Greptile Summary

This PR updates the pinned actions/checkout digest across all 5 workflow files, replacing the # main SHA (4f1f4aec...) with the v7.0.0 release SHA (9c091bb2...). The new digest is verified correct against the upstream actions/checkout v7.0.0 tag released June 18, 2026.

  • All six checkout steps across autobump.yml, build.yml, release-new.yml, release.yml, and tests.yml are updated consistently.
  • None of the affected workflows use pull_request_target or workflow_run with fork PRs, so the v7 breaking change (blocking unsafe fork checkouts in those event types) has no impact here.

Confidence Score: 5/5

Safe to merge — this is a mechanical pin update with no logic changes, and the new SHA is verified to match the upstream v7.0.0 release tag.

All changes are identical one-line substitutions in CI workflow files. The replacement SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 is confirmed to be the tagged commit for actions/checkout v7.0.0. No workflow uses pull_request_target or workflow_run with fork code, so the v7 behavioral change around unsafe fork checkouts does not affect any of these pipelines.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/autobump.yml Replaces actions/checkout digest from # main pin to 9c091bb...# v7.0.0; no other changes.
.github/workflows/build.yml Updates both checkout steps (build-macos and build-linux jobs) from the # main digest to # v7.0.0.
.github/workflows/release-new.yml Single checkout pin bumped from # main to # v7.0.0 digest.
.github/workflows/release.yml Single checkout pin bumped in the create-release job from # main to # v7.0.0 digest.
.github/workflows/tests.yml Single checkout pin bumped in the syntax job from # main to # v7.0.0 digest.

Reviews (1): Last reviewed commit: "chore(ci): use checkout release tag" | Re-trigger Greptile

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Line 22: The checkout step in both build jobs is persisting credentials
unnecessarily, which should be disabled for safer builds. Update each
actions/checkout usage in the build workflow to set persist-credentials to
false, and make sure both build-job checkout steps are changed consistently so
no token remains available to later steps.

In @.github/workflows/release-new.yml:
- Line 31: Disable persisted checkout credentials in the release workflow by
updating the actions/checkout step in the release-new job so it does not leave
the token in local git config. Since this job only reads repository contents and
invokes gh workflows, adjust the checkout configuration on the existing
actions/checkout step to avoid persisting credentials while keeping the rest of
the workflow unchanged.

In @.github/workflows/tests.yml:
- Line 20: In the syntax job using actions/checkout, the repository token is
still being persisted in git config by default; update the checkout step to
disable persisted credentials. Adjust the checkout configuration in the workflow
so the syntax/recipe validation job explicitly sets persist-credentials to false
on the actions/checkout step.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 4db3e9ff-3178-4bfa-a894-b30d99bcc2fd

📥 Commits

Reviewing files that changed from the base of the PR and between ac1b8fb and 6ff6961.

📒 Files selected for processing (5)
  • .github/workflows/autobump.yml
  • .github/workflows/build.yml
  • .github/workflows/release-new.yml
  • .github/workflows/release.yml
  • .github/workflows/tests.yml

runs-on: macos-14
steps:
- uses: actions/checkout@4f1f4aec02e41874fa0262ea8ff5172d7978ad1e # main
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## build.yml (lines 1-140)\n'
cat -n .github/workflows/build.yml | sed -n '1,140p'

printf '\n## Credential-dependent keywords in workflow\n'
rg -n "git push|git commit|gh |github.token|persist-credentials|checkout@" .github/workflows/build.yml

Repository: jdx/ruby

Length of output: 6448


Disable persisted checkout credentials in both build jobs.

These jobs only build, test, and upload artifacts, so the checkout token is unnecessary and widens the blast radius if a later step is compromised. Set persist-credentials: false on both actions/checkout steps.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml at line 22, The checkout step in both build jobs
is persisting credentials unnecessarily, which should be disabled for safer
builds. Update each actions/checkout usage in the build workflow to set
persist-credentials to false, and make sure both build-job checkout steps are
changed consistently so no token remains available to later steps.

Source: Linters/SAST tools

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@4f1f4aec02e41874fa0262ea8ff5172d7978ad1e # main
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "## File overview"
git ls-files .github/workflows/release-new.yml

echo
echo "## Relevant lines with numbers"
cat -n .github/workflows/release-new.yml | sed -n '1,220p'

echo
echo "## Search for checkout usage and any git push / gh / release-related steps in workflow"
rg -n "actions/checkout|persist-credentials|git push|gh |release|tag|push:" .github/workflows/release-new.yml

Repository: jdx/ruby

Length of output: 4736


Disable persisted checkout credentials here. This job only reads repository files and triggers gh workflows, so actions/checkout doesn’t need to leave its token in local git config.

Suggested change
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 31-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-new.yml at line 31, Disable persisted checkout
credentials in the release workflow by updating the actions/checkout step in the
release-new job so it does not leave the token in local git config. Since this
job only reads repository contents and invokes gh workflows, adjust the checkout
configuration on the existing actions/checkout step to avoid persisting
credentials while keeping the rest of the workflow unchanged.

Source: Linters/SAST tools

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@4f1f4aec02e41874fa0262ea8ff5172d7978ad1e # main
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows/tests.yml
wc -l .github/workflows/tests.yml
cat -n .github/workflows/tests.yml | sed -n '1,220p'

Repository: jdx/ruby

Length of output: 1631


Drop persisted checkout credentials in the syntax job.

actions/checkout leaves the token in the repo config by default. This job only validates recipes and Ruby syntax, so set persist-credentials: false to avoid keeping git auth around.

Suggested change
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 20-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests.yml at line 20, In the syntax job using
actions/checkout, the repository token is still being persisted in git config by
default; update the checkout step to disable persisted credentials. Adjust the
checkout configuration in the workflow so the syntax/recipe validation job
explicitly sets persist-credentials to false on the actions/checkout step.

Source: Linters/SAST tools

@jdx jdx merged commit 9f43a4e into main Jul 6, 2026
11 checks passed
@jdx jdx deleted the codex/use-checkout-release-tag branch July 6, 2026 16:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant