
fix(pinact): canonical .pinact.yml needs version 3 + geolonia exemption#49

Merged: dkastl merged 1 commit into main from fix/pinact-canonical-config on Jun 8, 2026

Conversation

dkastl (Contributor) commented Jun 8, 2026

Follow-up to #48. The canonical pinact/.pinact.yml shipped in v1.15.0 is missing the required version: 3 schema field, so pinact v4 errors on it (schema version is required). This adds it, plus two refinements proven in the geolonia-infra-cdk pilot (geolonia-infra-cdk#133):

  • version: 3 — required by pinact v4; without it pinact run aborts.
  • separator: "  # " — pins match the org two-space comment style (pinact default is one space).
  • rules exempting geolonia/* from the cooldown — the 7-day cooldown guards against a hijacked third-party release. We author and control geolonia/* releases ourselves, and a brand-new geolonia/.github reusable would otherwise be un-adoptable for a week (no older release contains it). Still SHA-pinned; Dependabot maintains them.

Docs note the exemption.

Part of geolonia-operations#144 / epic geolonia-operations#142.

Summary by CodeRabbit

  • Documentation

    • Enhanced workflow documentation with clearer explanations of action pinning checks and cooldown behavior.
  • Chores

    • Updated configuration requirements (now requiring v4+) and added explicit settings for improved organization-specific management controls.

The canonical pinact/.pinact.yml shipped in v1.15.0 was missing the
required `version: 3` schema field, so pinact v4 errors on it
("schema version is required"). Add it, plus two refinements proven in
the geolonia-infra-cdk pilot:

- `separator: "  # "` so pins match the org's two-space comment style.
- A `rules` entry exempting `geolonia/*` from the 7-day cooldown: the
  cooldown guards against hijacked third-party releases, but a brand-new
  geolonia/.github reusable would otherwise be un-adoptable for a week
  (no older release contains it). Still SHA-pinned; Dependabot maintains.

Docs updated to note the exemption.
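The policy the description above argues for (every action pinned to a full commit SHA; third-party releases must be at least 7 days old; the org's own namespace exempt from the age check but not from pinning) is easy to get wrong in either direction, so here it is as a small Python checker. This is an added example, not pinact's code and not the geolonia configuration: the `geolonia/` exemption prefix mirrors the `geolonia/.*` rule described in the PR, while the sample workflow, the placeholder SHAs, the repository names and the release dates are all constructed for the example.

```python
"""Cooldown-with-exemption policy check over `uses:` lines in a workflow.

Added example, not pinact's code and not the geolonia configuration. It
reimplements the policy the PR describes in plain Python so the outcomes
can be seen side by side: an unpinned tag, a third-party SHA whose release
is younger than the cooldown, and an own-org SHA that is just as young but
exempt. Sample workflow, SHAs and release dates are constructed.
"""
import re
from datetime import date, timedelta

MIN_AGE_DAYS = 7  # cooldown: a hijacked tag is normally noticed within days
# Assumed exemption pattern, mirroring the `geolonia/.*` rule in the PR text.
EXEMPT_REPO = re.compile(r"^geolonia/")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches step-level (`- uses:`) and job-level (`uses:`) references alike.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+?)@(\S+)(?:\s*#\s*(\S+))?\s*$")


def parse_uses(workflow: str):
    """Yield (action_path, ref, trailing_comment) for every uses: line."""
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def repo_of(action_path: str) -> str:
    """'owner/repo/sub/path' -> 'owner/repo' (reusable workflows carry subpaths)."""
    return "/".join(action_path.split("/")[:2])


def check(workflow: str, released: dict, today: date):
    """Return (action@ref, verdict) pairs.

    `released` maps (owner/repo, sha) -> date the tag at that SHA was
    published. Real tooling would fetch this from the GitHub API; here it
    is passed in so the check runs offline.
    """
    results = []
    for action, ref, _comment in parse_uses(workflow):
        key = f"{action}@{ref}"
        if not SHA_RE.match(ref):
            results.append((key, "unpinned"))  # mutable tag or branch: reject
            continue
        published = released.get((repo_of(action), ref))
        if published is None:
            results.append((key, "unknown-release"))
            continue
        too_new = today - published < timedelta(days=MIN_AGE_DAYS)
        if too_new and not EXEMPT_REPO.match(repo_of(action)):
            results.append((key, "too-new"))  # cooldown applies to third parties
        else:
            results.append((key, "ok"))  # pinned, and old enough or own-org
    return results


# Constructed sample data (the SHAs are placeholders, not real commits).
SHA_OLD, SHA_NEW_3P, SHA_NEW_OWN = "1" * 40, "2" * 40, "3" * 40
TODAY = date(2026, 6, 8)
RELEASED = {
    ("actions/setup-node", SHA_OLD): date(2026, 1, 15),    # well past cooldown
    ("third-party/tool", SHA_NEW_3P): date(2026, 6, 6),    # 2 days old
    ("geolonia/.github", SHA_NEW_OWN): date(2026, 6, 7),   # 1 day old, own org
}
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{SHA_OLD}  # v4.0.0
      - uses: third-party/tool@{SHA_NEW_3P}  # v2.0.0
  deploy:
    uses: geolonia/.github/.github/workflows/deploy.yml@{SHA_NEW_OWN}  # v1.0.0
"""

if __name__ == "__main__":
    for key, verdict in check(SAMPLE_WORKFLOW, RELEASED, TODAY):
        print(f"{verdict:16} {key}")
```

Run as-is it flags `actions/checkout@v4` as unpinned, blocks the two-day-old third-party SHA, and passes the one-day-old own-org reusable workflow; moving `TODAY` two weeks later clears the third-party block. The exemption only skips the age comparison, so an unpinned own-org reference is still rejected, which is the property the PR text relies on ("Still SHA-pinned").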
coderabbitai Bot commented Jun 8, 2026

No actionable comments were generated in the recent review. 🎉

Commits: reviewing files that changed from the base of the PR and between 881e90b and 7595751.

Files selected for processing (2):
  • docs/workflows.md
  • pinact/.pinact.yml

Walkthrough

The PR updates documentation and configuration for the Action Pinning Check workflow. Documentation about cooldown protection is reflowed for readability, and the pinact configuration explicitly requires v4+ while adding Geolonia-specific rules that exempt geolonia/* actions from cooldown duration but maintain a 7-day minimum age enforcement.

Changes

Action Pinning Check Updates

  • docs/workflows.md (Action Pinning Check documentation reflow): documentation text explaining the hijacked-tag attack cooldown logic is reflowed across multiple lines for improved readability.
  • pinact/.pinact.yml (pinact v4+ configuration with Geolonia rules): adds an explicit v4+ version requirement in comments, introduces top-level `version: 3` and `separator: "  # "` fields, and adds a `rules` block with an `expr` condition matching `geolonia/.*` to exempt Geolonia actions from cooldown while maintaining 7-day `min_age` enforcement.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • geolonia/.github#48: This PR extends the canonical pinact configuration introduced in #48 by adding Geolonia-specific v3+/v4+ rule exemptions while maintaining the 7-day minimum-age policy.
Pre-merge checks: 5 passed
  • Title check: passed. The title clearly summarizes the main changes: adding the version 3 schema field and the geolonia exemption to the canonical pinact configuration file.
  • Description check: passed. The description is comprehensive and covers all key aspects of the changes, including the rationale for each modification and related issue references.
  • Docstring Coverage: passed. No functions found in the changed files to evaluate docstring coverage; check skipped.
  • Linked Issues check: passed (check skipped because no linked issues were found for this pull request).
  • Out of Scope Changes check: passed (check skipped because no linked issues were found for this pull request).


github-actions Bot commented Jun 8, 2026

Secret Leak Check: OK, no secrets detected in this PR's diff.

@dkastl dkastl merged commit c13a68c into main Jun 8, 2026
2 checks passed
@dkastl dkastl deleted the fix/pinact-canonical-config branch June 8, 2026 21:34