LCORE- Update checkout action#2074
Conversation
|
Warning Review limit reached
Next review available in: 24 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (17)
WalkthroughThis PR updates the ChangesCheckout Action Version Update
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 11
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
.github/workflows/e2e_tests.yaml (3)
27-41: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winConsider pinning
actions/checkoutto a commit SHA and hardeningpersist-credentials.Static analysis flags: the action isn't pinned to a hash (supply-chain hardening), and credentials persist by default for non-
pull_request_targetevents sincepersist-credentialsis only forcedfalseunderpull_request_target. Consider pinning to a SHA and disabling credential persistence unless later steps genuinely need authenticated git.🔒 Example pin (verify current SHA for v7 before applying)
- - uses: actions/checkout@v7 + - uses: actions/checkout@<full-commit-sha> # v7.x.x🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/e2e_tests.yaml around lines 27 - 41, The checkout step in the e2e workflow is not hardened enough: actions/checkout should be pinned to a specific commit SHA, and persist-credentials should not stay enabled by default. Update the existing actions/checkout usage in the workflow to reference a verified SHA instead of a version tag, and change the persist-credentials setting so credentials are disabled unless a later step explicitly needs git authentication.Source: Linters/SAST tools
41-41: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winReplace the curly quotes in
submodules
submodules: ‘recursive’passes a different literal string, soactions/checkoutwon’t enable recursive submodule checkout forlightspeed-providers.🛠️ Fix the quoting
- submodules: ‘recursive’ + submodules: 'recursive'🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/e2e_tests.yaml at line 41, The checkout configuration in the e2e workflow is using curly quotes for the submodules value, which makes it a different literal string. Update the actions/checkout configuration to use the standard quoted value for submodules in the workflow so recursive submodule checkout is enabled for lightspeed-providers.
27-41: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick winAdd the unsafe PR checkout opt-in here.
.github/workflows/e2e_tests.yaml:27-41runs onpull_request_targetand checks out the fork head;actions/checkout@v7blocks that pattern by default, so this job will fail unless you setallow-unsafe-pr-checkout: trueor move it to an unprivilegedpull_requestflow.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/e2e_tests.yaml around lines 27 - 41, The e2e_tests workflow uses actions/checkout@v7 with a pull_request_target fork-head checkout pattern, which is blocked unless explicitly opted in. Update the checkout step in e2e_tests.yaml to set allow-unsafe-pr-checkout: true when running under pull_request_target, or refactor the job to run under an unprivileged pull_request flow; keep the existing repository, ref, persist-credentials, and submodules settings aligned with that checkout behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/black.yaml:
- Line 14: The checkout step in the workflow should be hardened while keeping
the actions/checkout v7 upgrade. Update the `actions/checkout` reference in the
workflow to a pinned commit SHA for v7.0.0, and set `persist-credentials: false`
on that same checkout step so credentials are not left in the git config. Use
the existing checkout invocation as the anchor and adjust only this step.
In @.github/workflows/build_and_push_dev.yaml:
- Line 28: The checkout step is using a floating actions tag, which violates the
pinning policy. Update the uses reference in the workflow’s checkout step to a
specific commit SHA for actions/checkout v7 rather than the version tag, and
verify the SHA corresponds to v7.0.0 before changing it.
In @.github/workflows/build_pr.yaml:
- Line 26: The checkout step in the workflow is still using an unpinned action
reference, which violates the unpinned-uses policy. Update the
`actions/checkout` usage in this workflow to a pinned commit SHA, matching the
approach used or intended for the sibling workflow referenced by
`build_and_push_dev.yaml`, so the `checkout` step remains functionally the same
but is pinned for supply-chain safety.
In @.github/workflows/check_dependencies.yaml:
- Line 14: The checkout step in the workflow uses an unpinned action ref and
does not disable credential persistence, matching the same hardening gap as in
black.yaml. Update the `actions/checkout` usage in this workflow to a pinned
version/ref and set `persist-credentials` to false, following the same pattern
used for the hardened checkout configuration elsewhere.
In @.github/workflows/openapi_spectral.yaml:
- Line 18: The workflow step using actions/checkout is referencing a floating
tag instead of a fixed revision. Update the checkout step in the openapi
spectral workflow to pin actions/checkout to a specific commit SHA rather than
`@v7`, keeping the same step location and action usage but replacing the external
reference with an immutable digest.
In @.github/workflows/outdated_dependencies.yaml:
- Line 14: The workflow uses floating action references, so update the external
actions in this job to pinned commit SHAs instead of version tags. Replace the
`actions/checkout` and `astral-sh/setup-uv` references in the workflow with
their full SHA-pinned equivalents, and keep the existing step structure intact
so the pinned action versions remain easy to locate and maintain.
In @.github/workflows/pydocstyle.yaml:
- Line 14: The workflow uses a floating major tag for actions/checkout, so
update the checkout step in the pydocstyle workflow to reference the v7 commit
SHA instead of `@v7`. Locate the uses: actions/checkout entry and replace the tag
with the pinned SHA so the action version is fixed and reproducible.
In @.github/workflows/pylint.yaml:
- Line 15: The workflow step using actions/checkout is still referencing a
floating tag, so update that checkout usage to a specific commit SHA instead of
actions/checkout@v7. Keep the same workflow step in pylint.yaml and replace the
external action reference with a pinned SHA-based version so the pipeline uses
an immutable dependency.
In @.github/workflows/pyright.yaml:
- Line 15: The workflow step in pyright.yaml uses the mutable
actions/checkout@v7 tag; update the checkout action reference to a pinned commit
SHA instead of the version tag. Locate the step using actions/checkout and
replace the tag with the corresponding full commit hash to keep the action
immutable.
In @.github/workflows/ruff.yaml:
- Line 14: The checkout step in the ruff workflow should use a pinned action
reference and disable credential persistence, matching the same fix needed in
black.yaml. Update the actions/checkout usage in the workflow job to a specific
immutable version or commit SHA, and add persist-credentials: false in the
checkout configuration so the workflow does not retain the default token.
In @.github/workflows/shellcheck.yaml:
- Line 14: The checkout step in this workflow still uses an unpinned actions ref
and does not disable credential persistence, matching the issue noted in
black.yaml. Update the actions/checkout usage in the workflow to a specific
commit SHA or other pinned ref, and add persist-credentials: false on the same
checkout step so it does not leave repo credentials available after the job
runs.
---
Outside diff comments:
In @.github/workflows/e2e_tests.yaml:
- Around line 27-41: The checkout step in the e2e workflow is not hardened
enough: actions/checkout should be pinned to a specific commit SHA, and
persist-credentials should not stay enabled by default. Update the existing
actions/checkout usage in the workflow to reference a verified SHA instead of a
version tag, and change the persist-credentials setting so credentials are
disabled unless a later step explicitly needs git authentication.
- Line 41: The checkout configuration in the e2e workflow is using curly quotes
for the submodules value, which makes it a different literal string. Update the
actions/checkout configuration to use the standard quoted value for submodules
in the workflow so recursive submodule checkout is enabled for
lightspeed-providers.
- Around line 27-41: The e2e_tests workflow uses actions/checkout@v7 with a
pull_request_target fork-head checkout pattern, which is blocked unless
explicitly opted in. Update the checkout step in e2e_tests.yaml to set
allow-unsafe-pr-checkout: true when running under pull_request_target, or
refactor the job to run under an unprivileged pull_request flow; keep the
existing repository, ref, persist-credentials, and submodules settings aligned
with that checkout behavior.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 5a0c481b-491e-40ab-9b32-74d1e2bd0fef
📒 Files selected for processing (17)
.github/workflows/black.yaml.github/workflows/build_and_push_dev.yaml.github/workflows/build_pr.yaml.github/workflows/check_dependencies.yaml.github/workflows/e2e_tests.yaml.github/workflows/e2e_tests_lightspeed_evaluation.yaml.github/workflows/e2e_tests_rhaiis.yaml.github/workflows/integration_tests.yaml.github/workflows/mypy.yaml.github/workflows/openapi_spectral.yaml.github/workflows/outdated_dependencies.yaml.github/workflows/pydocstyle.yaml.github/workflows/pylint.yaml.github/workflows/pyright.yaml.github/workflows/ruff.yaml.github/workflows/shellcheck.yaml.github/workflows/unit_tests.yaml
📜 Review details
⏰ Context from checks skipped due to timeout. (13)
- GitHub Check: integration_tests (3.12)
- GitHub Check: Pylinter
- GitHub Check: integration_tests (3.13)
- GitHub Check: build-pr
- GitHub Check: unit_tests (3.13)
- GitHub Check: unit_tests (3.12)
- GitHub Check: E2E Tests for Lightspeed Evaluation job
- GitHub Check: E2E: library mode / ci / group 1
- GitHub Check: E2E: library mode / ci / group 2
- GitHub Check: E2E: server mode / ci / group 2
- GitHub Check: E2E: library mode / ci / group 3
- GitHub Check: E2E: server mode / ci / group 3
- GitHub Check: E2E: server mode / ci / group 1
⚠️ CI failures not shown inline (2)
GitHub Actions: OpenAPI (Spectral) / spectral: LCORE- Update checkout action
Conclusion: failure
##[group]Run set -euo pipefail
�[36;1mset -euo pipefail�[0m
�[36;1muv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json�[0m
�[36;1mif ! diff -u docs/openapi.json /tmp/openapi-generated.json; then�[0m
�[36;1m echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"�[0m
GitHub Actions: OpenAPI (Spectral) / 0_spectral.txt: LCORE- Update checkout action
Conclusion: failure
##[group]Run set -euo pipefail
�[36;1mset -euo pipefail�[0m
�[36;1muv run python scripts/generate_openapi_schema.py /tmp/openapi-generated.json�[0m
�[36;1mif ! diff -u docs/openapi.json /tmp/openapi-generated.json; then�[0m
�[36;1m echo "::error::docs/openapi.json is out of date. Regenerate with: uv run scripts/generate_openapi_schema.py docs/openapi.json"�[0m
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-05-06T08:35:54.687Z
Learnt from: radofuchs
Repo: lightspeed-core/lightspeed-stack PR: 1690
File: .github/workflows/e2e_tests_providers.yaml:279-285
Timestamp: 2026-05-06T08:35:54.687Z
Learning: In .github/workflows/e2e_tests_providers.yaml and related e2e workflow files, the show_logs step should not use docker compose logs with --tail or --since (i.e., keep logs unbounded). The quick connectivity test runs once immediately after container startup, so the log output is small and a log tail limit is unnecessary. If you adjust this, add a rationale comment in the workflow explaining why unbounded logs are acceptable and ensure CI behavior remains deterministic.
Applied to files:
.github/workflows/build_pr.yaml.github/workflows/ruff.yaml.github/workflows/shellcheck.yaml.github/workflows/openapi_spectral.yaml.github/workflows/mypy.yaml.github/workflows/pydocstyle.yaml.github/workflows/e2e_tests_rhaiis.yaml.github/workflows/e2e_tests_lightspeed_evaluation.yaml.github/workflows/outdated_dependencies.yaml.github/workflows/black.yaml.github/workflows/e2e_tests.yaml.github/workflows/build_and_push_dev.yaml.github/workflows/unit_tests.yaml.github/workflows/integration_tests.yaml.github/workflows/check_dependencies.yaml.github/workflows/pylint.yaml.github/workflows/pyright.yaml
🪛 zizmor (1.26.1)
.github/workflows/build_pr.yaml
[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/ruff.yaml
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/shellcheck.yaml
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/openapi_spectral.yaml
[warning] 18-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/mypy.yaml
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/pydocstyle.yaml
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/e2e_tests_rhaiis.yaml
[warning] 41-55: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/e2e_tests_lightspeed_evaluation.yaml
[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 50-50: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/outdated_dependencies.yaml
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/black.yaml
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/e2e_tests.yaml
[warning] 27-41: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/build_and_push_dev.yaml
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/unit_tests.yaml
[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/integration_tests.yaml
[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/check_dependencies.yaml
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/pylint.yaml
[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
.github/workflows/pyright.yaml
[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🔇 Additional comments (11)
.github/workflows/e2e_tests_lightspeed_evaluation.yaml (3)
19-34: Same v7 pull_request_target fork-checkout risk ase2e_tests.yaml.This checkout step uses the identical
pull_request_target-conditional pattern (repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }},persist-credentials: ${{ github.event_name != 'pull_request_target' }}). Same concern applies: verify the workflow's triggers to confirm this checkout won't be blocked by v7's new pwn-request guardrail.
20-20: Consider pinning bothactions/checkoutsteps to a commit SHA.Same unpinned-action finding as raised in
e2e_tests.yaml.Also applies to: 50-50
49-53: LGTM!.github/workflows/e2e_tests_rhaiis.yaml (2)
41-55: Same v7 pull_request_target fork-checkout risk ase2e_tests.yaml.Identical
with:pattern (repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }},persist-credentials: ${{ github.event_name != 'pull_request_target' }}). Same verification of this workflow's triggers is needed.
41-41: Consider pinningactions/checkoutto a commit SHA.Same unpinned-action / persist-credentials finding as raised in
e2e_tests.yaml..github/workflows/integration_tests.yaml (2)
17-17: Consider pinningactions/checkoutto a commit SHA.Same unpinned-action finding as raised in
e2e_tests.yaml.
17-17: LGTM! Nowith:block, so nopull_request_targetfork-checkout exposure from this bump..github/workflows/mypy.yaml (2)
14-14: Consider pinningactions/checkoutto a commit SHA.Same unpinned-action finding as raised in
e2e_tests.yaml.
14-14: LGTM! Straightforward checkout, no fork/pull_request_targethandling affected by this bump..github/workflows/unit_tests.yaml (2)
17-17: Consider pinningactions/checkoutto a commit SHA.Same unpinned-action finding as raised in
e2e_tests.yaml.
17-17: LGTM! Straightforward checkout, no fork/pull_request_targethandling affected by this bump.
| pull-requests: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Version bump is correct; consider hardening the checkout step.
The v4 → v7 bump is valid (v7.0.0 is the current GA release) and matches the PR's stated intent. Static analysis flags two pre-existing gaps on this line worth addressing while touching it: the action isn't pinned to a commit SHA, and persist-credentials: false isn't set (credentials otherwise remain in the local git config for the rest of the job).
🔒 Suggested hardening
- - uses: actions/checkout@v7
+ - uses: actions/checkout@a1caf0398a3f77c5db1a91c264eb1f6a0cb0e4d6 # v7.0.0
+ with:
+ persist-credentials: falsePlease verify the exact commit SHA for v7.0.0 before pinning.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - uses: actions/checkout@v7 | |
| - uses: actions/checkout@a1caf0398a3f77c5db1a91c264eb1f6a0cb0e4d6 # v7.0.0 | |
| with: | |
| persist-credentials: false |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/black.yaml at line 14, The checkout step in the workflow
should be hardened while keeping the actions/checkout v7 upgrade. Update the
`actions/checkout` reference in the workflow to a pinned commit SHA for v7.0.0,
and set `persist-credentials: false` on that same checkout step so credentials
are not left in the git config. Use the existing checkout invocation as the
anchor and adjust only this step.
Source: Linters/SAST tools
| sudo apt install -y buildah qemu-user-static | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Version bump is correct; consider pinning to a commit SHA.
Bump to v7 is valid. zizmor flags this line as unpinned (unpinned-uses), which is a pre-existing pattern (v4 was also a floating tag) but is required by the stated "blanket policy."
🔒 Suggested hardening
- uses: actions/checkout@v7
+ uses: actions/checkout@a1caf0398a3f77c5db1a91c264eb1f6a0cb0e4d6 # v7.0.0Please verify the exact commit SHA for v7.0.0 before pinning.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build_and_push_dev.yaml at line 28, The checkout step is
using a floating actions tag, which violates the pinning policy. Update the uses
reference in the workflow’s checkout step to a specific commit SHA for
actions/checkout v7 rather than the version tag, and verify the SHA corresponds
to v7.0.0 before changing it.
Source: Linters/SAST tools
| sudo apt install -y buildah qemu-user-static | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Version bump is correct; same unpinned-ref concern as build_and_push_dev.yaml.
Consistent with the sibling workflow's checkout step; consider pinning to a SHA to satisfy the blanket unpinned-uses policy flagged by zizmor.
🧰 Tools
🪛 zizmor (1.26.1)
[error] 26-26: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build_pr.yaml at line 26, The checkout step in the
workflow is still using an unpinned action reference, which violates the
unpinned-uses policy. Update the `actions/checkout` usage in this workflow to a
pinned commit SHA, matching the approach used or intended for the sibling
workflow referenced by `build_and_push_dev.yaml`, so the `checkout` step remains
functionally the same but is pinned for supply-chain safety.
Source: Linters/SAST tools
| pull-requests: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Version bump is correct; same pinning/persist-credentials gaps as black.yaml.
Same pattern as black.yaml (Line 14): unpinned ref plus missing persist-credentials: false. Consider applying the same hardening here for consistency.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/check_dependencies.yaml at line 14, The checkout step in
the workflow uses an unpinned action ref and does not disable credential
persistence, matching the same hardening gap as in black.yaml. Update the
`actions/checkout` usage in this workflow to a pinned version/ref and set
`persist-credentials` to false, following the same pattern used for the hardened
checkout configuration elsewhere.
Source: Linters/SAST tools
| pull-requests: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "Workflow excerpt:"
sed -n '1,80p' .github/workflows/openapi_spectral.yaml | cat -n
echo
echo "Search for other checkout references:"
rg -n "actions/checkout@" .github/workflows -nRepository: lightspeed-core/lightspeed-stack
Length of output: 3738
Pin actions/checkout to a commit SHA.
actions/checkout@v7 is a floating external reference; pin it to a specific commit SHA before merging.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 18-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/openapi_spectral.yaml at line 18, The workflow step using
actions/checkout is referencing a floating tag instead of a fixed revision.
Update the checkout step in the openapi spectral workflow to pin
actions/checkout to a specific commit SHA rather than `@v7`, keeping the same step
location and action usage but replacing the external reference with an immutable
digest.
Source: Linters/SAST tools
| pull-requests: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
git ls-files .github/workflows/pydocstyle.yaml README.md .github/workflowsRepository: lightspeed-core/lightspeed-stack
Length of output: 986
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== pydocstyle workflow =="
cat -n .github/workflows/pydocstyle.yaml | sed -n '1,120p'
echo
echo "== pinning guidance search =="
rg -n --hidden --glob '!**/.git/**' -e 'pin|SHA|checkout@v|actions/checkout' README.md .github/workflows .github 2>/dev/null || trueRepository: lightspeed-core/lightspeed-stack
Length of output: 5014
🌐 Web query:
actions/checkout v7 release GitHub tag
💡 Result:
The actions/checkout v7 release was officially published on June 18, 2026, under the version tag v7.0.0 [1][2][3]. Key details regarding the v7 release include: - General Availability: The release was made generally available on June 18, 2026 [3]. - Security Improvements: A primary feature of v7 is improved security for workflows using pull_request_target or workflow_run triggers [3][4]. By default, v7 refuses to check out code from fork pull requests in these scenarios to prevent security vulnerabilities, such as "pwn request" attacks [3][4]. Users who require this functionality can opt in by setting the new input allow-unsafe-pr-checkout: true [4]. - Technical Updates: The action was migrated to ESM (ECMAScript Modules) to support newer versions of the @actions/* packages, requiring a minimum Actions Runner version of v2.327.1 [5][4]. - Documentation: Updated usage examples now reference actions/checkout@v7 [6][7][4]. For additional details, the full changelog and release notes are available on the official GitHub repository for actions/checkout [1][2][8].
Citations:
- 1: https://github.com/actions/checkout/releases/tag/v7.0.0
- 2: https://github.com/actions/checkout/releases
- 3: https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
- 4: https://github.com/actions/checkout/blob/main/README.md
- 5: https://github.com/actions/checkout
- 6: https://github.com/actions/checkout?tab=readme-ov-file
- 7: getting ready for checkout v7 release actions/checkout#2464
- 8: https://github.com/actions/checkout/blob/main/CHANGELOG.md
Pin actions/checkout to a commit SHA. actions/checkout@v7 is a floating major tag; use the v7 commit SHA instead.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pydocstyle.yaml at line 14, The workflow uses a floating
major tag for actions/checkout, so update the checkout step in the pydocstyle
workflow to reference the v7 commit SHA instead of `@v7`. Locate the uses:
actions/checkout entry and replace the tag with the pinned SHA so the action
version is fixed and reproducible.
Source: Linters/SAST tools
| name: "Pylinter" | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow and any repository guidance about pinning actions.
git ls-files .github/workflows/pylint.yaml README.md .github | sed -n '1,120p'
printf '\n--- pylint workflow ---\n'
cat -n .github/workflows/pylint.yaml
printf '\n--- search for action pinning guidance ---\n'
rg -n --hidden --glob '!.git' -e 'pin(ning)?' -e 'actions/checkout@' -e 'commit SHA' -e 'SHA' -e 'security policy' .github README.md .Repository: lightspeed-core/lightspeed-stack
Length of output: 50390
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n--- .github/dependabot.yml ---\n'
cat -n .github/dependabot.yml
printf '\n--- .github/renovate.json ---\n'
cat -n .github/renovate.json
printf '\n--- workflow action references ---\n'
rg -n --hidden --glob '.github/workflows/*.yaml' 'uses:\s+[^@]+@v[0-9]+' .github/workflows
printf '\n--- pinned SHA references in workflows ---\n'
rg -n --hidden --glob '.github/workflows/*.yaml' 'uses:\s+[^@]+@[0-9a-f]{7,40}' .github/workflowsRepository: lightspeed-core/lightspeed-stack
Length of output: 4460
Pin actions/checkout to a commit SHA. actions/checkout@v7 is a floating external reference; pin it to a commit SHA before merge.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pylint.yaml at line 15, The workflow step using
actions/checkout is still referencing a floating tag, so update that checkout
usage to a specific commit SHA instead of actions/checkout@v7. Keep the same
workflow step in pylint.yaml and replace the external action reference with a
pinned SHA-based version so the pipeline uses an immutable dependency.
Source: Linters/SAST tools
| name: "Pyright" | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow around the reported line.
git ls-files .github/workflows/pyright.yaml
cat -n .github/workflows/pyright.yaml | sed -n '1,40p'
# Try to resolve the referenced action tag to a commit SHA, if network/API access is available.
python3 - <<'PY'
import json, urllib.request, urllib.error
url = "https://api.github.com/repos/actions/checkout/git/refs/tags/v7"
req = urllib.request.Request(url, headers={"Accept":"application/vnd.github+json","User-Agent":"CodeRabbit"})
try:
with urllib.request.urlopen(req, timeout=20) as r:
data = json.load(r)
print("REF:", json.dumps(data, indent=2))
except Exception as e:
print("ERROR:", repr(e))
PYRepository: lightspeed-core/lightspeed-stack
Length of output: 993
Pin actions/checkout to a commit SHA. .github/workflows/pyright.yaml:15 uses the mutable actions/checkout@v7 tag; pinning it removes supply-chain drift risk.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 15-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/pyright.yaml at line 15, The workflow step in pyright.yaml
uses the mutable actions/checkout@v7 tag; update the checkout action reference
to a pinned commit SHA instead of the version tag. Locate the step using
actions/checkout and replace the tag with the corresponding full commit hash to
keep the action immutable.
Source: Linters/SAST tools
| pull-requests: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Version bump is correct; same pinning/persist-credentials gaps as black.yaml.
Same pattern as black.yaml (Line 14): unpinned ref plus missing persist-credentials: false.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/ruff.yaml at line 14, The checkout step in the ruff
workflow should use a pinned action reference and disable credential
persistence, matching the same fix needed in black.yaml. Update the
actions/checkout usage in the workflow job to a specific immutable version or
commit SHA, and add persist-credentials: false in the checkout configuration so
the workflow does not retain the default token.
Source: Linters/SAST tools
| pull-requests: read | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Version bump is correct; same pinning/persist-credentials gaps as black.yaml.
Same pattern as black.yaml (Line 14): unpinned ref plus missing persist-credentials: false.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 14-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/shellcheck.yaml at line 14, The checkout step in this
workflow still uses an unpinned actions ref and does not disable credential
persistence, matching the issue noted in black.yaml. Update the actions/checkout
usage in the workflow to a specific commit SHA or other pinned ref, and add
persist-credentials: false on the same checkout step so it does not leave repo
credentials available after the job runs.
Source: Linters/SAST tools
|
I can pin the versions if we want. I made the change to match how current action versions are specified. |
Resolves the issue where the task will fail if the job is triggered by a tag.
6d53333 to
10fe900
Compare
|
The test failure seemed unrelated to these changes. I triggered another test run. |
Description
Update the checkout action to resolve the issue where the task will fail if the job is triggered by a tag. This is causing release pipeline failures.
Type of change
Tools used to create PR
Just me
Related Tickets & Documents
actions/checkout#1467
actions/checkout#2356
Checklist before requesting a review
Testing
It's difficult to test this without running the job on a commit that is also a tag.
Summary by CodeRabbit