Thanks to visit codestin.com
Credit goes to github.com

Skip to content

LCORE- Update checkout action#2074

Merged
tisnik merged 1 commit into
lightspeed-core:mainfrom
samdoran:update-checkout-action
Jul 7, 2026
Merged

LCORE- Update checkout action#2074
tisnik merged 1 commit into
lightspeed-core:mainfrom
samdoran:update-checkout-action

Conversation

@samdoran

@samdoran samdoran commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Description

Update the checkout action to resolve the issue where the task will fail if the job is triggered by a tag. This is causing release pipeline failures.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement
  • Benchmarks improvement

Tools used to create PR

Just me

Related Tickets & Documents

actions/checkout#1467
actions/checkout#2356

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

It's difficult to test this without running the job on a commit that is also a tag.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflows to use a newer repository checkout action version across build, test, lint, and dependency-check jobs.
    • One workflow now updates two checkout steps to the newer version.
    • No build, test, or validation commands were changed.

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@samdoran, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 24 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 219d5193-8ece-4ee7-a16d-58e009701707

📥 Commits

Reviewing files that changed from the base of the PR and between 6d53333 and 10fe900.

📒 Files selected for processing (17)
  • .github/workflows/black.yaml
  • .github/workflows/build_and_push_dev.yaml
  • .github/workflows/build_pr.yaml
  • .github/workflows/check_dependencies.yaml
  • .github/workflows/e2e_tests.yaml
  • .github/workflows/e2e_tests_lightspeed_evaluation.yaml
  • .github/workflows/e2e_tests_rhaiis.yaml
  • .github/workflows/integration_tests.yaml
  • .github/workflows/mypy.yaml
  • .github/workflows/openapi_spectral.yaml
  • .github/workflows/outdated_dependencies.yaml
  • .github/workflows/pydocstyle.yaml
  • .github/workflows/pylint.yaml
  • .github/workflows/pyright.yaml
  • .github/workflows/ruff.yaml
  • .github/workflows/shellcheck.yaml
  • .github/workflows/unit_tests.yaml

Walkthrough

This PR updates the actions/checkout GitHub Action version from v4 to v7 across nineteen CI workflow files. No workflow logic, job structure, triggers, or commands are otherwise changed.

Changes

Checkout Action Version Update

Layer / File(s) Summary
Bump actions/checkout to v7
.github/workflows/black.yaml, .github/workflows/build_and_push_dev.yaml, .github/workflows/build_pr.yaml, .github/workflows/check_dependencies.yaml, .github/workflows/e2e_tests.yaml, .github/workflows/e2e_tests_lightspeed_evaluation.yaml, .github/workflows/e2e_tests_rhaiis.yaml, .github/workflows/integration_tests.yaml, .github/workflows/mypy.yaml, .github/workflows/openapi_spectral.yaml, .github/workflows/outdated_dependencies.yaml, .github/workflows/pydocstyle.yaml, .github/workflows/pylint.yaml, .github/workflows/pyright.yaml, .github/workflows/ruff.yaml, .github/workflows/shellcheck.yaml, .github/workflows/unit_tests.yaml
Each workflow's checkout step (including both checkout steps in the lightspeed evaluation E2E workflow) is updated from actions/checkout@v4 to actions/checkout@v7, with all other workflow logic unchanged.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the primary change: updating the checkout action used in CI workflows.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
✨ Simplify code
  • Create PR with simplified code

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@tisnik tisnik left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 11

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/e2e_tests.yaml (3)

27-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider pinning actions/checkout to a commit SHA and hardening persist-credentials.

Static analysis flags: the action isn't pinned to a hash (supply-chain hardening), and credentials persist by default for non-pull_request_target events since persist-credentials is only forced false under pull_request_target. Consider pinning to a SHA and disabling credential persistence unless later steps genuinely need authenticated git.

🔒 Example pin (verify current SHA for v7 before applying)
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@<full-commit-sha>  # v7.x.x
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e_tests.yaml around lines 27 - 41, The checkout step in
the e2e workflow is not hardened enough: actions/checkout should be pinned to a
specific commit SHA, and persist-credentials should not stay enabled by default.
Update the existing actions/checkout usage in the workflow to reference a
verified SHA instead of a version tag, and change the persist-credentials
setting so credentials are disabled unless a later step explicitly needs git
authentication.

Source: Linters/SAST tools


41-41: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Replace the curly quotes in submodules
submodules: ‘recursive’ passes a different literal string, so actions/checkout won’t enable recursive submodule checkout for lightspeed-providers.

🛠️ Fix the quoting
-          submodules: ‘recursive’
+          submodules: 'recursive'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e_tests.yaml at line 41, The checkout configuration in
the e2e workflow is using curly quotes for the submodules value, which makes it
a different literal string. Update the actions/checkout configuration to use the
standard quoted value for submodules in the workflow so recursive submodule
checkout is enabled for lightspeed-providers.

27-41: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add the unsafe PR checkout opt-in here. .github/workflows/e2e_tests.yaml:27-41 runs on pull_request_target and checks out the fork head; actions/checkout@v7 blocks that pattern by default, so this job will fail unless you set allow-unsafe-pr-checkout: true or move it to an unprivileged pull_request flow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e_tests.yaml around lines 27 - 41, The e2e_tests
workflow uses actions/checkout@v7 with a pull_request_target fork-head checkout
pattern, which is blocked unless explicitly opted in. Update the checkout step
in e2e_tests.yaml to set allow-unsafe-pr-checkout: true when running under
pull_request_target, or refactor the job to run under an unprivileged
pull_request flow; keep the existing repository, ref, persist-credentials, and
submodules settings aligned with that checkout behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/black.yaml:
- Line 14: The checkout step in the workflow should be hardened while keeping
the actions/checkout v7 upgrade. Update the `actions/checkout` reference in the
workflow to a pinned commit SHA for v7.0.0, and set `persist-credentials: false`
on that same checkout step so credentials are not left in the git config. Use
the existing checkout invocation as the anchor and adjust only this step.

In @.github/workflows/build_and_push_dev.yaml:
- Line 28: The checkout step is using a floating actions tag, which violates the
pinning policy. Update the uses reference in the workflow’s checkout step to a
specific commit SHA for actions/checkout v7 rather than the version tag, and
verify the SHA corresponds to v7.0.0 before changing it.

In @.github/workflows/build_pr.yaml:
- Line 26: The checkout step in the workflow is still using an unpinned action
reference, which violates the unpinned-uses policy. Update the
`actions/checkout` usage in this workflow to a pinned commit SHA, matching the
approach used or intended for the sibling workflow referenced by
`build_and_push_dev.yaml`, so the `checkout` step remains functionally the same
but is pinned for supply-chain safety.

In @.github/workflows/check_dependencies.yaml:
- Line 14: The checkout step in the workflow uses an unpinned action ref and
does not disable credential persistence, matching the same hardening gap as in
black.yaml. Update the `actions/checkout` usage in this workflow to a pinned
version/ref and set `persist-credentials` to false, following the same pattern
used for the hardened checkout configuration elsewhere.

In @.github/workflows/openapi_spectral.yaml:
- Line 18: The workflow step using actions/checkout is referencing a floating
tag instead of a fixed revision. Update the checkout step in the openapi
spectral workflow to pin actions/checkout to a specific commit SHA rather than
`@v7`, keeping the same step location and action usage but replacing the external
reference with an immutable digest.

In @.github/workflows/outdated_dependencies.yaml:
- Line 14: The workflow uses floating action references, so update the external
actions in this job to pinned commit SHAs instead of version tags. Replace the
`actions/checkout` and `astral-sh/setup-uv` references in the workflow with
their full SHA-pinned equivalents, and keep the existing step structure intact
so the pinned action versions remain easy to locate and maintain.

In @.github/workflows/pydocstyle.yaml:
- Line 14: The workflow uses a floating major tag for actions/checkout, so
update the checkout step in the pydocstyle workflow to reference the v7 commit
SHA instead of `@v7`. Locate the uses: actions/checkout entry and replace the tag
with the pinned SHA so the action version is fixed and reproducible.

In @.github/workflows/pylint.yaml:
- Line 15: The workflow step using actions/checkout is still referencing a
floating tag, so update that checkout usage to a specific commit SHA instead of
actions/checkout@v7. Keep the same workflow step in pylint.yaml and replace the
external action reference with a pinned SHA-based version so the pipeline uses
an immutable dependency.

In @.github/workflows/pyright.yaml:
- Line 15: The workflow step in pyright.yaml uses the mutable
actions/checkout@v7 tag; update the checkout action reference to a pinned commit
SHA instead of the version tag. Locate the step using actions/checkout and
replace the tag with the corresponding full commit hash to keep the action
immutable.

In @.github/workflows/ruff.yaml:
- Line 14: The checkout step in the ruff workflow should use a pinned action
reference and disable credential persistence, matching the same fix needed in
black.yaml. Update the actions/checkout usage in the workflow job to a specific
immutable version or commit SHA, and add persist-credentials: false in the
checkout configuration so the workflow does not retain the default token.

In @.github/workflows/shellcheck.yaml:
- Line 14: The checkout step in this workflow still uses an unpinned actions ref
and does not disable credential persistence, matching the issue noted in
black.yaml. Update the actions/checkout usage in the workflow to a specific
commit SHA or other pinned ref, and add persist-credentials: false on the same
checkout step so it does not leave repo credentials available after the job
runs.

---

Outside diff comments:
In @.github/workflows/e2e_tests.yaml:
- Around line 27-41: The checkout step in the e2e workflow is not hardened
enough: actions/checkout should be pinned to a specific commit SHA, and
persist-credentials should not stay enabled by default. Update the existing
actions/checkout usage in the workflow to reference a verified SHA instead of a
version tag, and change the persist-credentials setting so credentials are
disabled unless a later step explicitly needs git authentication.
- Line 41: The checkout configuration in the e2e workflow is using curly quotes
for the submodules value, which makes it a different literal string. Update the
actions/checkout configuration to use the standard quoted value for submodules
in the workflow so recursive submodule checkout is enabled for
lightspeed-providers.
- Around line 27-41: The e2e_tests workflow uses actions/checkout@v7 with a
pull_request_target fork-head checkout pattern, which is blocked unless
explicitly opted in. Update the checkout step in e2e_tests.yaml to set
allow-unsafe-pr-checkout: true when running under pull_request_target, or
refactor the job to run under an unprivileged pull_request flow; keep the
existing repository, ref, persist-credentials, and submodules settings aligned
with that checkout behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5a0c481b-491e-40ab-9b32-74d1e2bd0fef

📥 Commits

Reviewing files that changed from the base of the PR and between fb0e2bf and 6d53333.

📒 Files selected for processing (17)
  • .github/workflows/black.yaml
  • .github/workflows/build_and_push_dev.yaml
  • .github/workflows/build_pr.yaml
  • .github/workflows/check_dependencies.yaml
  • .github/workflows/e2e_tests.yaml
  • .github/workflows/e2e_tests_lightspeed_evaluation.yaml
  • .github/workflows/e2e_tests_rhaiis.yaml
  • .github/workflows/integration_tests.yaml
  • .github/workflows/mypy.yaml
  • .github/workflows/openapi_spectral.yaml
  • .github/workflows/outdated_dependencies.yaml
  • .github/workflows/pydocstyle.yaml
  • .github/workflows/pylint.yaml
  • .github/workflows/pyright.yaml
  • .github/workflows/ruff.yaml
  • .github/workflows/shellcheck.yaml
  • .github/workflows/unit_tests.yaml
📜 Review details
⏰ Context from checks skipped due to timeout. (13)
  • GitHub Check: integration_tests (3.12)
  • GitHub Check: Pylinter
  • GitHub Check: integration_tests (3.13)
  • GitHub Check: build-pr
  • GitHub Check: unit_tests (3.13)
  • GitHub Check: unit_tests (3.12)
  • GitHub Check: E2E Tests for Lightspeed Evaluation job
  • GitHub Check: E2E: library mode / ci / group 1
  • GitHub Check: E2E: library mode / ci / group 2
  • GitHub Check: E2E: server mode / ci / group 2
  • GitHub Check: E2E: library mode / ci / group 3
  • GitHub Check: E2E: server mode / ci / group 3
  • GitHub Check: E2E: server mode / ci / group 1
⚠️ CI failures not shown inline (2)

GitHub Actions: OpenAPI (Spectral) / spectral: LCORE- Update checkout action

Conclusion: failure

View job details

##[group]Run set -euo pipefail
 �[36;1mset -euo pipefail�[0m
 �[36;1muv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json�[0m
 �[36;1mif ! diff -u docs/openapi.json /tmp/openapi-generated.json; then�[0m
 �[36;1m  echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"�[0m

GitHub Actions: OpenAPI (Spectral) / 0_spectral.txt: LCORE- Update checkout action

Conclusion: failure

View job details

##[group]Run set -euo pipefail
 �[36;1mset -euo pipefail�[0m
 �[36;1muv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json�[0m
 �[36;1mif ! diff -u docs/openapi.json /tmp/openapi-generated.json; then�[0m
 �[36;1m  echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"�[0m
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-05-06T08:35:54.687Z
Learnt from: radofuchs
Repo: lightspeed-core/lightspeed-stack PR: 1690
File: .github/workflows/e2e_tests_providers.yaml:279-285
Timestamp: 2026-05-06T08:35:54.687Z
Learning: In .github/workflows/e2e_tests_providers.yaml and related e2e workflow files, the show_logs step should not use docker compose logs with --tail or --since (i.e., keep logs unbounded). The quick connectivity test runs once immediately after container startup, so the log output is small and a log tail limit is unnecessary. If you adjust this, add a rationale comment in the workflow explaining why unbounded logs are acceptable and ensure CI behavior remains deterministic.

Applied to files:

  • .github/workflows/build_pr.yaml
  • .github/workflows/ruff.yaml
  • .github/workflows/shellcheck.yaml
  • .github/workflows/openapi_spectral.yaml
  • .github/workflows/mypy.yaml
  • .github/workflows/pydocstyle.yaml
  • .github/workflows/e2e_tests_rhaiis.yaml
  • .github/workflows/e2e_tests_lightspeed_evaluation.yaml
  • .github/workflows/outdated_dependencies.yaml
  • .github/workflows/black.yaml
  • .github/workflows/e2e_tests.yaml
  • .github/workflows/build_and_push_dev.yaml
  • .github/workflows/unit_tests.yaml
  • .github/workflows/integration_tests.yaml
  • .github/workflows/check_dependencies.yaml
  • .github/workflows/pylint.yaml
  • .github/workflows/pyright.yaml
🪛 zizmor (1.26.1)
.github/workflows/build_pr.yaml

[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/ruff.yaml

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/shellcheck.yaml

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/openapi_spectral.yaml

[warning] 18-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/mypy.yaml

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/pydocstyle.yaml

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/e2e_tests_rhaiis.yaml

[warning] 41-55: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/e2e_tests_lightspeed_evaluation.yaml

[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 50-50: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/outdated_dependencies.yaml

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/black.yaml

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/e2e_tests.yaml

[warning] 27-41: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/build_and_push_dev.yaml

[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/unit_tests.yaml

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/integration_tests.yaml

[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/check_dependencies.yaml

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/pylint.yaml

[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

.github/workflows/pyright.yaml

[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🔇 Additional comments (11)
.github/workflows/e2e_tests_lightspeed_evaluation.yaml (3)

19-34: Same v7 pull_request_target fork-checkout risk as e2e_tests.yaml.

This checkout step uses the identical pull_request_target-conditional pattern (repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}, persist-credentials: ${{ github.event_name != 'pull_request_target' }}). Same concern applies: verify the workflow's triggers to confirm this checkout won't be blocked by v7's new pwn-request guardrail.


20-20: Consider pinning both actions/checkout steps to a commit SHA.

Same unpinned-action finding as raised in e2e_tests.yaml.

Also applies to: 50-50


49-53: LGTM!

.github/workflows/e2e_tests_rhaiis.yaml (2)

41-55: Same v7 pull_request_target fork-checkout risk as e2e_tests.yaml.

Identical with: pattern (repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}, persist-credentials: ${{ github.event_name != 'pull_request_target' }}). Same verification of this workflow's triggers is needed.


41-41: Consider pinning actions/checkout to a commit SHA.

Same unpinned-action / persist-credentials finding as raised in e2e_tests.yaml.

.github/workflows/integration_tests.yaml (2)

17-17: Consider pinning actions/checkout to a commit SHA.

Same unpinned-action finding as raised in e2e_tests.yaml.


17-17: LGTM! No with: block, so no pull_request_target fork-checkout exposure from this bump.

.github/workflows/mypy.yaml (2)

14-14: Consider pinning actions/checkout to a commit SHA.

Same unpinned-action finding as raised in e2e_tests.yaml.


14-14: LGTM! Straightforward checkout, no fork/pull_request_target handling affected by this bump.

.github/workflows/unit_tests.yaml (2)

17-17: Consider pinning actions/checkout to a commit SHA.

Same unpinned-action finding as raised in e2e_tests.yaml.


17-17: LGTM! Straightforward checkout, no fork/pull_request_target handling affected by this bump.

pull-requests: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Version bump is correct; consider hardening the checkout step.

The v4v7 bump is valid (v7.0.0 is the current GA release) and matches the PR's stated intent. Static analysis flags two pre-existing gaps on this line worth addressing while touching it: the action isn't pinned to a commit SHA, and persist-credentials: false isn't set (credentials otherwise remain in the local git config for the rest of the job).

🔒 Suggested hardening
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@a1caf0398a3f77c5db1a91c264eb1f6a0cb0e4d6 # v7.0.0
+        with:
+          persist-credentials: false

Please verify the exact commit SHA for v7.0.0 before pinning.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v7
- uses: actions/checkout@a1caf0398a3f77c5db1a91c264eb1f6a0cb0e4d6 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/black.yaml at line 14, The checkout step in the workflow
should be hardened while keeping the actions/checkout v7 upgrade. Update the
`actions/checkout` reference in the workflow to a pinned commit SHA for v7.0.0,
and set `persist-credentials: false` on that same checkout step so credentials
are not left in the git config. Use the existing checkout invocation as the
anchor and adjust only this step.

Source: Linters/SAST tools

sudo apt install -y buildah qemu-user-static
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Version bump is correct; consider pinning to a commit SHA.

Bump to v7 is valid. zizmor flags this line as unpinned (unpinned-uses), which is a pre-existing pattern (v4 was also a floating tag) but is required by the stated "blanket policy."

🔒 Suggested hardening
-        uses: actions/checkout@v7
+        uses: actions/checkout@a1caf0398a3f77c5db1a91c264eb1f6a0cb0e4d6 # v7.0.0

Please verify the exact commit SHA for v7.0.0 before pinning.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build_and_push_dev.yaml at line 28, The checkout step is
using a floating actions tag, which violates the pinning policy. Update the uses
reference in the workflow’s checkout step to a specific commit SHA for
actions/checkout v7 rather than the version tag, and verify the SHA corresponds
to v7.0.0 before changing it.

Source: Linters/SAST tools

sudo apt install -y buildah qemu-user-static
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Version bump is correct; same unpinned-ref concern as build_and_push_dev.yaml.

Consistent with the sibling workflow's checkout step; consider pinning to a SHA to satisfy the blanket unpinned-uses policy flagged by zizmor.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build_pr.yaml at line 26, The checkout step in the
workflow is still using an unpinned action reference, which violates the
unpinned-uses policy. Update the `actions/checkout` usage in this workflow to a
pinned commit SHA, matching the approach used or intended for the sibling
workflow referenced by `build_and_push_dev.yaml`, so the `checkout` step remains
functionally the same but is pinned for supply-chain safety.

Source: Linters/SAST tools

pull-requests: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Version bump is correct; same pinning/persist-credentials gaps as black.yaml.

Same pattern as black.yaml (Line 14): unpinned ref plus missing persist-credentials: false. Consider applying the same hardening here for consistency.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/check_dependencies.yaml at line 14, The checkout step in
the workflow uses an unpinned action ref and does not disable credential
persistence, matching the same hardening gap as in black.yaml. Update the
`actions/checkout` usage in this workflow to a pinned version/ref and set
`persist-credentials` to false, following the same pattern used for the hardened
checkout configuration elsewhere.

Source: Linters/SAST tools

pull-requests: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Workflow excerpt:"
sed -n '1,80p' .github/workflows/openapi_spectral.yaml | cat -n

echo
echo "Search for other checkout references:"
rg -n "actions/checkout@" .github/workflows -n

Repository: lightspeed-core/lightspeed-stack

Length of output: 3738


Pin actions/checkout to a commit SHA.

actions/checkout@v7 is a floating external reference; pin it to a specific commit SHA before merging.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 18-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/openapi_spectral.yaml at line 18, The workflow step using
actions/checkout is referencing a floating tag instead of a fixed revision.
Update the checkout step in the openapi spectral workflow to pin
actions/checkout to a specific commit SHA rather than `@v7`, keeping the same step
location and action usage but replacing the external reference with an immutable
digest.

Source: Linters/SAST tools

pull-requests: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

git ls-files .github/workflows/pydocstyle.yaml README.md .github/workflows

Repository: lightspeed-core/lightspeed-stack

Length of output: 986


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== pydocstyle workflow =="
cat -n .github/workflows/pydocstyle.yaml | sed -n '1,120p'

echo
echo "== pinning guidance search =="
rg -n --hidden --glob '!**/.git/**' -e 'pin|SHA|checkout@v|actions/checkout' README.md .github/workflows .github 2>/dev/null || true

Repository: lightspeed-core/lightspeed-stack

Length of output: 5014


🌐 Web query:

actions/checkout v7 release GitHub tag

💡 Result:

The actions/checkout v7 release was officially published on June 18, 2026, under the version tag v7.0.0 [1][2][3]. Key details regarding the v7 release include: - General Availability: The release was made generally available on June 18, 2026 [3]. - Security Improvements: A primary feature of v7 is improved security for workflows using pull_request_target or workflow_run triggers [3][4]. By default, v7 refuses to check out code from fork pull requests in these scenarios to prevent security vulnerabilities, such as "pwn request" attacks [3][4]. Users who require this functionality can opt in by setting the new input allow-unsafe-pr-checkout: true [4]. - Technical Updates: The action was migrated to ESM (ECMAScript Modules) to support newer versions of the @actions/* packages, requiring a minimum Actions Runner version of v2.327.1 [5][4]. - Documentation: Updated usage examples now reference actions/checkout@v7 [6][7][4]. For additional details, the full changelog and release notes are available on the official GitHub repository for actions/checkout [1][2][8].

Citations:


Pin actions/checkout to a commit SHA. actions/checkout@v7 is a floating major tag; use the v7 commit SHA instead.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pydocstyle.yaml at line 14, The workflow uses a floating
major tag for actions/checkout, so update the checkout step in the pydocstyle
workflow to reference the v7 commit SHA instead of `@v7`. Locate the uses:
actions/checkout entry and replace the tag with the pinned SHA so the action
version is fixed and reproducible.

Source: Linters/SAST tools

name: "Pylinter"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow and any repository guidance about pinning actions.
git ls-files .github/workflows/pylint.yaml README.md .github | sed -n '1,120p'
printf '\n--- pylint workflow ---\n'
cat -n .github/workflows/pylint.yaml

printf '\n--- search for action pinning guidance ---\n'
rg -n --hidden --glob '!.git' -e 'pin(ning)?' -e 'actions/checkout@' -e 'commit SHA' -e 'SHA' -e 'security policy' .github README.md .

Repository: lightspeed-core/lightspeed-stack

Length of output: 50390


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n--- .github/dependabot.yml ---\n'
cat -n .github/dependabot.yml

printf '\n--- .github/renovate.json ---\n'
cat -n .github/renovate.json

printf '\n--- workflow action references ---\n'
rg -n --hidden --glob '.github/workflows/*.yaml' 'uses:\s+[^@]+@v[0-9]+' .github/workflows

printf '\n--- pinned SHA references in workflows ---\n'
rg -n --hidden --glob '.github/workflows/*.yaml' 'uses:\s+[^@]+@[0-9a-f]{7,40}' .github/workflows

Repository: lightspeed-core/lightspeed-stack

Length of output: 4460


Pin actions/checkout to a commit SHA. actions/checkout@v7 is a floating external reference; pin it to a commit SHA before merge.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pylint.yaml at line 15, The workflow step using
actions/checkout is still referencing a floating tag, so update that checkout
usage to a specific commit SHA instead of actions/checkout@v7. Keep the same
workflow step in pylint.yaml and replace the external action reference with a
pinned SHA-based version so the pipeline uses an immutable dependency.

Source: Linters/SAST tools

name: "Pyright"
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow around the reported line.
git ls-files .github/workflows/pyright.yaml
cat -n .github/workflows/pyright.yaml | sed -n '1,40p'

# Try to resolve the referenced action tag to a commit SHA, if network/API access is available.
python3 - <<'PY'
import json, urllib.request, urllib.error
url = "https://api.github.com/repos/actions/checkout/git/refs/tags/v7"
req = urllib.request.Request(url, headers={"Accept":"application/vnd.github+json","User-Agent":"CodeRabbit"})
try:
    with urllib.request.urlopen(req, timeout=20) as r:
        data = json.load(r)
    print("REF:", json.dumps(data, indent=2))
except Exception as e:
    print("ERROR:", repr(e))
PY

Repository: lightspeed-core/lightspeed-stack

Length of output: 993


Pin actions/checkout to a commit SHA. .github/workflows/pyright.yaml:15 uses the mutable actions/checkout@v7 tag; pinning it removes supply-chain drift risk.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pyright.yaml at line 15, The workflow step in pyright.yaml
uses the mutable actions/checkout@v7 tag; update the checkout action reference
to a pinned commit SHA instead of the version tag. Locate the step using
actions/checkout and replace the tag with the corresponding full commit hash to
keep the action immutable.

Source: Linters/SAST tools

pull-requests: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Version bump is correct; same pinning/persist-credentials gaps as black.yaml.

Same pattern as black.yaml (Line 14): unpinned ref plus missing persist-credentials: false.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ruff.yaml at line 14, The checkout step in the ruff
workflow should use a pinned action reference and disable credential
persistence, matching the same fix needed in black.yaml. Update the
actions/checkout usage in the workflow job to a specific immutable version or
commit SHA, and add persist-credentials: false in the checkout configuration so
the workflow does not retain the default token.

Source: Linters/SAST tools

pull-requests: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v7

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Version bump is correct; same pinning/persist-credentials gaps as black.yaml.

Same pattern as black.yaml (Line 14): unpinned ref plus missing persist-credentials: false.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/shellcheck.yaml at line 14, The checkout step in this
workflow still uses an unpinned actions ref and does not disable credential
persistence, matching the issue noted in black.yaml. Update the actions/checkout
usage in the workflow to a specific commit SHA or other pinned ref, and add
persist-credentials: false on the same checkout step so it does not leave repo
credentials available after the job runs.

Source: Linters/SAST tools

@samdoran

samdoran commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

I can pin the versions if we want. I made the change to match how current action versions are specified.

Resolves the issue where the task will fail if the job is triggered by a tag.
@samdoran samdoran force-pushed the update-checkout-action branch from 6d53333 to 10fe900 Compare July 6, 2026 20:39
@samdoran

samdoran commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

The test failure seemed unrelated to these changes. I triggered another test run.

@tisnik tisnik merged commit 6d05b4b into lightspeed-core:main Jul 7, 2026
27 of 28 checks passed
@samdoran samdoran deleted the update-checkout-action branch July 7, 2026 13:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants