Skip to content

chore: Use full commit SHA hash for this dependency #287

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
shenxianpeng merged 1 commit into from
Oct 3, 2025
Merged

chore: Use full commit SHA hash for this dependency #287

shenxianpeng merged 1 commit into from
Oct 3, 2025

Conversation

@shenxianpeng
Copy link
Contributor

@shenxianpeng shenxianpeng commented Oct 3, 2025
edited by coderabbitai bot
Loading

closes #286

Summary by CodeRabbit

  • Chores
    • Pinned CI workflow actions to exact commit SHAs to improve supply-chain security, reproducibility, and reliability of builds.
    • Applies across benchmarking, main, and publish pipelines with no changes to step order or behavior.
    • No impact on application features or runtime; build and release processes remain functionally the same.

@shenxianpeng shenxianpeng requested a review from a team as a code owner October 3, 2025 16:57
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 3, 2025
edited
Loading

Walkthrough

Pins GitHub Actions in three workflow files to exact commit SHAs, replacing version tags. No steps, order, or logic changed.

Changes

Cohort / File(s) Summary
Workflow action pinning
.github/workflows/codspeed.yml, .github/workflows/main.yml, .github/workflows/publish-package.yml		 Replaced actions/* and CodSpeedHQ/action version tags with fixed commit SHAs; added inline comments indicating corresponding versions; no control-flow or step changes.

Sequence Diagram(s)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

Possibly related PRs

Poem

A bunny taps the YAML keys, tap-tap, precise and spry,
Tags give way to SHAs now—no drifting versions fly.
Pipelines hop with steady paws, immutable and neat,
Carrots count in hex and hashes—verification sweet.
Commit by commit, onward we leap—secure, complete.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title Check ❓ Inconclusive The title “fix: Use full commit SHA hash for this dependency” alludes to pinning a dependency by SHA but is too vague and does not specify which dependency or reflect that multiple workflow actions are being updated. This lack of specificity makes it unclear to readers what the main change entails. Please update the title to clearly indicate that the pull request pins GitHub Actions workflows to full commit SHAs, for example “Pin GitHub Actions workflows to specific commit SHAs.”
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues Check ✅ Passed The pull request replaces all version tag aliases with corresponding full commit SHA hashes across the specified GitHub Actions workflow files, directly addressing the requirement of issue #286 to use full commit SHAs for dependencies.
Out of Scope Changes Check ✅ Passed All modifications are confined to updating action version references to specific commit SHAs in the workflow YAML files, with no unrelated code or logic changes introduced.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch feature/use-full-commit-hash
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f90bbd and 9ac0e37.

📒 Files selected for processing (3)
  • .github/workflows/codspeed.yml (1 hunks)
  • .github/workflows/main.yml (2 hunks)
  • .github/workflows/publish-package.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (13)
  • GitHub Check: install (3.9, macos-latest)
  • GitHub Check: install (3.11, windows-latest)
  • GitHub Check: install (3.12, windows-latest)
  • GitHub Check: install (3.13, windows-latest)
  • GitHub Check: install (3.10, windows-latest)
  • GitHub Check: install (3.13, ubuntu-24.04)
  • GitHub Check: install (3.9, ubuntu-24.04)
  • GitHub Check: install (3.13, macos-latest)
  • GitHub Check: install (3.11, ubuntu-24.04)
  • GitHub Check: install (3.10, macos-latest)
  • GitHub Check: install (3.10, ubuntu-24.04)
  • GitHub Check: install (3.9, windows-latest)
  • GitHub Check: Run benchmarks
🔇 Additional comments (2)
.github/workflows/publish-package.yml (1)

17-37: Thanks for pinning these actions.

The SHAs align with the tagged releases noted in the comments, so this job now benefits from immutable revisions. Looks good.

.github/workflows/codspeed.yml (1)

32-42: Looks solid.

All external actions are now pinned to exact SHAs with clear version notes. Nice hardening step.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions github-actions bot added bug Something isn't working enhancement New feature or request labels Oct 3, 2025
@sonarqubecloud
Copy link

sonarqubecloud bot commented Oct 3, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@shenxianpeng shenxianpeng removed bug Something isn't working enhancement New feature or request labels Oct 3, 2025
@codecov
Copy link

codecov bot commented Oct 3, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.94%. Comparing base (e3d141c) to head (9ac0e37).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@             Coverage Diff             @@
##             main     #287       +/-   ##
===========================================
- Coverage   97.80%   79.94%   -17.87%     
===========================================
  Files           8        8               
  Lines         365      673      +308     
===========================================
+ Hits          357      538      +181     
- Misses          8      135      +127

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@codspeed-hq
Copy link

codspeed-hq bot commented Oct 3, 2025

CodSpeed Performance Report

Merging #287 will not alter performance

Comparing feature/use-full-commit-hash (9ac0e37) with main (9f90bbd)

Summary

✅ 27 untouched
⏩ 85 skipped1

Footnotes

  1. 85 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@shenxianpeng shenxianpeng merged commit 41af6df into main Oct 3, 2025
28 of 29 checks passed
@shenxianpeng shenxianpeng deleted the feature/use-full-commit-hash branch October 3, 2025 17:42
@shenxianpeng shenxianpeng changed the title fix: Use full commit SHA hash for this dependency chore: Use full commit SHA hash for this dependency Oct 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

developer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Use full commit SHA hash for this dependency

2 participants

@shenxianpeng