chore(ci): use checkout release tag#54
Conversation
📝 WalkthroughWalkthroughThis PR updates the pinned Changesactions/checkout version bump
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Greptile SummaryThis PR updates the pinned
Confidence Score: 5/5Safe to merge — this is a mechanical pin update with no logic changes, and the new SHA is verified to match the upstream v7.0.0 release tag. All changes are identical one-line substitutions in CI workflow files. The replacement SHA No files require special attention. Important Files Changed
Reviews (1): Last reviewed commit: "chore(ci): use checkout release tag" | Re-trigger Greptile |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build.yml:
- Line 22: The checkout step in both build jobs is persisting credentials
unnecessarily, which should be disabled for safer builds. Update each
actions/checkout usage in the build workflow to set persist-credentials to
false, and make sure both build-job checkout steps are changed consistently so
no token remains available to later steps.
In @.github/workflows/release-new.yml:
- Line 31: Disable persisted checkout credentials in the release workflow by
updating the actions/checkout step in the release-new job so it does not leave
the token in local git config. Since this job only reads repository contents and
invokes gh workflows, adjust the checkout configuration on the existing
actions/checkout step to avoid persisting credentials while keeping the rest of
the workflow unchanged.
In @.github/workflows/tests.yml:
- Line 20: In the syntax job using actions/checkout, the repository token is
still being persisted in git config by default; update the checkout step to
disable persisted credentials. Adjust the checkout configuration in the workflow
so the syntax/recipe validation job explicitly sets persist-credentials to false
on the actions/checkout step.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro Plus
Run ID: 4db3e9ff-3178-4bfa-a894-b30d99bcc2fd
📒 Files selected for processing (5)
.github/workflows/autobump.yml.github/workflows/build.yml.github/workflows/release-new.yml.github/workflows/release.yml.github/workflows/tests.yml
| runs-on: macos-14 | ||
| steps: | ||
| - uses: actions/checkout@4f1f4aec02e41874fa0262ea8ff5172d7978ad1e # main | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## build.yml (lines 1-140)\n'
cat -n .github/workflows/build.yml | sed -n '1,140p'
printf '\n## Credential-dependent keywords in workflow\n'
rg -n "git push|git commit|gh |github.token|persist-credentials|checkout@" .github/workflows/build.ymlRepository: jdx/ruby
Length of output: 6448
Disable persisted checkout credentials in both build jobs.
These jobs only build, test, and upload artifacts, so the checkout token is unnecessary and widens the blast radius if a later step is compromised. Set persist-credentials: false on both actions/checkout steps.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build.yml at line 22, The checkout step in both build jobs
is persisting credentials unnecessarily, which should be disabled for safer
builds. Update each actions/checkout usage in the build workflow to set
persist-credentials to false, and make sure both build-job checkout steps are
changed consistently so no token remains available to later steps.
Source: Linters/SAST tools
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@4f1f4aec02e41874fa0262ea8ff5172d7978ad1e # main | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "## File overview"
git ls-files .github/workflows/release-new.yml
echo
echo "## Relevant lines with numbers"
cat -n .github/workflows/release-new.yml | sed -n '1,220p'
echo
echo "## Search for checkout usage and any git push / gh / release-related steps in workflow"
rg -n "actions/checkout|persist-credentials|git push|gh |release|tag|push:" .github/workflows/release-new.ymlRepository: jdx/ruby
Length of output: 4736
Disable persisted checkout credentials here. This job only reads repository files and triggers gh workflows, so actions/checkout doesn’t need to leave its token in local git config.
Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 31-31: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release-new.yml at line 31, Disable persisted checkout
credentials in the release workflow by updating the actions/checkout step in the
release-new job so it does not leave the token in local git config. Since this
job only reads repository contents and invokes gh workflows, adjust the checkout
configuration on the existing actions/checkout step to avoid persisting
credentials while keeping the rest of the workflow unchanged.
Source: Linters/SAST tools
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@4f1f4aec02e41874fa0262ea8ff5172d7978ad1e # main | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
git ls-files .github/workflows/tests.yml
wc -l .github/workflows/tests.yml
cat -n .github/workflows/tests.yml | sed -n '1,220p'Repository: jdx/ruby
Length of output: 1631
Drop persisted checkout credentials in the syntax job.
actions/checkout leaves the token in the repo config by default. This job only validates recipes and Ruby syntax, so set persist-credentials: false to avoid keeping git auth around.
Suggested change
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 20-20: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/tests.yml at line 20, In the syntax job using
actions/checkout, the repository token is still being persisted in git config by
default; update the checkout step to disable persisted credentials. Adjust the
checkout configuration in the workflow so the syntax/recipe validation job
explicitly sets persist-credentials to false on the actions/checkout step.
Source: Linters/SAST tools
Summary
actions/checkoutworkflow pins that were annotated as# mainwith the currentv7.0.0tag digest.Validation
git diff --check HEAD~1..HEADlocally.Note
Low Risk
Mechanical CI dependency pin with no application or release logic changes; checkout behavior should be equivalent aside from the tagged action version.
Overview
Updates every
actions/checkoutstep in CI workflows (autobump,build,release-new,release,tests) from the previous digest (commented as# main) to thev7.0.0release digest9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0, while keeping full-SHA pinning.No build scripts, recipes, or runtime code change—only workflow checkout refs and their inline version comments.
Reviewed by Cursor Bugbot for commit 6ff6961. Bugbot is set up for automated code reviews on this repo. Configure here.
Summary by CodeRabbit