
Pin actions to hash (cron-ci.yaml) #7686

Open

ShaharNaveh wants to merge 1 commit into RustPython:main from ShaharNaveh:cron-ci-bump-actions

Conversation

Contributor

@ShaharNaveh ShaharNaveh commented Apr 25, 2026

closes #7567

Summary by CodeRabbit

  • Chores
    • Updated CI/CD pipeline configuration and dependencies.
    • Upgraded action versions to pinned commits for improved stability.
    • Modified workflow trigger conditions for the main branch.

Contributor

coderabbitai Bot commented Apr 25, 2026

📝 Walkthrough

The CI workflow file has been updated to trigger only on pushes to the main branch, add a global Node.js environment variable, and pin specific versions of third-party actions (taiki-e/install-action and codecov/codecov-action) by commit hash instead of version tag.

Changes

Cohort / File(s): GitHub Actions Workflow (.github/workflows/cron-ci.yaml)
Summary: Updated trigger conditions to run on push to main only; added FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true' environment variable; pinned taiki-e/install-action and codecov/codecov-action to specific commit versions for reproducibility; refactored tool configuration to use with.tool parameter; added blank line spacing between workflow blocks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A workflow so fine, now pinned just right,
No more wandering versions in the night!
With main branch protection and Node24's care,
This CI pipeline's sturdy beyond compare! ✨

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: pinning GitHub Actions to specific commit hashes in the cron-ci.yaml workflow file.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Inline review comment on the workflow snippet:

    paths:
    - .github/workflows/cron-ci.yaml
    branches:
    - main

ShaharNaveh (Contributor, Author) commented:

Suggested by #7567 (comment)

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/cron-ci.yaml (1)

33-33: Optional: dtolnay/rust-toolchain@stable is still an unpinned branch ref.

The PR title says "Pin actions to hash", but dtolnay/rust-toolchain@stable (also at lines 73, 111, 174) remains a moving branch reference. If a future scope is to fully pin everything in this file for supply-chain hygiene, these are the remaining holdouts. Note that dtolnay/rust-toolchain does not publish version tags, so pinning would have to be done via commit SHA with manual updates — feel free to defer if that's not the intent here.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cron-ci.yaml at line 33, The workflow uses an unpinned
branch ref dtolnay/rust-toolchain@stable; replace each occurrence of
dtolnay/rust-toolchain@stable with a fixed commit SHA
(dtolnay/rust-toolchain@<commit-sha>) to pin the action for supply-chain
hygiene, updating all instances of that exact reference so they point to the
same chosen immutable SHA rather than the moving "stable" ref.


📥 Commits

Reviewing files that changed from the base of the PR and between 6ab1f80 and 3094de8.

📒 Files selected for processing (1)
  • .github/workflows/cron-ci.yaml
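A check for the kind of holdout the review points out, added here as an example that is not code from the RustPython repository or from CodeRabbit: it scans a constructed workflow snippet (placeholder SHAs, not the PR's real ones) and reports every `uses:` reference that still resolves through a tag or branch rather than a 40-hex commit SHA.

```python
import re
from collections import namedtuple

# Constructed sample, not the RustPython cron-ci.yaml: two actions pinned to a
# commit SHA, one on a version tag, one left on the moving "stable" branch,
# one local. The SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: cron-ci
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: codecov/codecov-action@89abcdef0123456789abcdef0123456789abcdef # v5
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
ActionRef = namedtuple("ActionRef", "line action ref kind")  # kind: sha/tag/branch/local

def classify_ref(ref: str) -> str:
    """A 40-hex SHA is immutable; vN / vN.N tags and branch names can move."""
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d+(\.\d+)*$", ref):
        return "tag"
    return "branch"

def audit_workflow(text: str) -> list:
    """Every `uses:` reference in the workflow text, with how it is pinned."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):  # local action: travels with the repo commit
            found.append(ActionRef(lineno, target, "", "local"))
            continue
        action, _, ref = target.partition("@")
        found.append(ActionRef(lineno, action, ref, classify_ref(ref)))
    return found

def unpinned(text: str) -> list:
    """Third-party actions that still resolve through a mutable ref."""
    return [r for r in audit_workflow(text) if r.kind in ("tag", "branch")]
```

Run against a real workflow file, `unpinned(open(path).read())` lists exactly the references a "pin everything" pass would still have to replace with a commit SHA.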
