docs: team best-practice guide for pinning GitHub Actions (#146)#53
Developer-facing 'why and how' guide for the org Actions pinning standard: why SHA-pin (supply chain), how pinact + Dependabot + .pinact.yml fit (the 7-day rule, and why Dependabot cooldown is 8), how to add/bump an action, how to handle a Dependabot PR and a failing Action Pinning Check, and an FAQ (incl. persist-credentials on checkout v6+). Cross-links the reusable-workflow reference instead of duplicating. Added to the mkdocs nav and the index Related pages.
No actionable comments were generated in the recent review.

Walkthrough: Adds a new "GitHub Actions Pinning" guide documenting SHA-based action pinning, security rationale, pinact/Dependabot coordination (including an 8-day cooldown), adoption steps, operational rules, and integrates the page into site navigation and index.

Estimated code review effort: 2 (Simple), ~12 minutes. Pre-merge checks: 5 passed.
Secret Leak Check: OK. No secrets detected in this PR's diff.
Actionable comments posted: 1
Prompt for all review comments with AI agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments, in `docs/github-actions-pinning.md`:

- Around lines 138-139: Update the incorrect canonical path reference "pinact/.pinact.yml" in the docs text to the correct root path ".pinact.yml" so it matches the documented source of truth and line 129; specifically change the string "pinact/.pinact.yml" (seen in the diff) to ".pinact.yml" and keep "pinact/.pre-commit-config.example.yaml" as-is.
Review info: configuration `.coderabbit.yaml`, review profile ASSERTIVE, plan Pro, run ID e5f6adc0-115e-49de-8e9c-2ebae24bdba5. Files selected for processing (3): `docs/github-actions-pinning.md`, `docs/index.md`, `mkdocs.yml`.
Make the adoption FAQ consistent with workflows.md and the See-also: the canonical file to copy is this repo's pinact/.pinact.yml, copied to the consuming repo root as .pinact.yml. (Root .pinact.yml in this repo is geolonia/.github's own active config, not the template.)
…methods

Review feedback:

- Drop the FAQ and 'When the Action Pinning Check fails' sections and cut within-page repetition (guide is ~83 lines now, down from ~145). The essential 'never hand-edit a SHA; run pinact run' tip is folded into Day to day.
- Add pinact/dependabot.yml as the canonical Dependabot template so the pinact/ directory holds all three copyable files; point the guide and workflows.md Required files at it.
- Document both ways to add the Action Pinning Check workflow: the GitHub Actions 'New workflow -> By Geolonia' picker, or copying the file.
- Point clearly at this repo's pinact/ directory (linked).
Actionable comments posted: 2
Prompt for all review comments with AI agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments, in `docs/github-actions-pinning.md`:

- Line 42: Replace the unhyphenated phrase "168 hour floor" with the compound adjective "168-hour floor" in the docs text (search for the exact string "168 hour floor"); ensure the hyphenated form is used where it modifies "floor" so the phrase reads "168-hour floor".
- Around lines 19-21: Update the incorrect incident date and wording for the `tj-actions/changed-files` compromise: replace "2026" with "March 2025" and add that the supply-chain/tag attack occurred in March 2025 (with retroactive tag changes) and was mitigated by March 15, 2025; optionally append the advisory identifier (GHSA-mw4p-6x4p-x5m5) for clarity where `tj-actions/changed-files` is mentioned in the paragraph.
Review info: configuration `.coderabbit.yaml`, review profile ASSERTIVE, plan Pro, run ID 89d4e9ff-1ecb-4b82-8b70-45a753b00f55. Files selected for processing (3): `docs/github-actions-pinning.md`, `docs/workflows.md`, `pinact/dependabot.yml`.
Review feedback: drop the tj-actions example (and its date) and just state in plain words what pinning to a SHA prevents (a moved or hijacked tag silently swapping in different code on a run that can read secrets). Hyphenate '168-hour'.
Closes the documentation sub-issue of the Actions pinning standard (geolonia-operations#146, epic geolonia-operations#142).
Adds `docs/github-actions-pinning.md`, a developer-facing guide covering:

- … (`tj-actions/changed-files` example).
- `.pinact.yml` (`min-age`), the one "nothing younger than 7 days" rule shared with pnpm, and why Dependabot `cooldown` is 8 while pinact `min_age` is 7.
- … `pinact run` do it.
- `persist-credentials` on checkout v6+, adopting in a new repo.

It cross-links the Action Pinning Check reusable-workflow reference rather than duplicating it. Also added to the mkdocs nav and the index Related pages.
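As an added illustration (not the repo's Action Pinning Check reusable workflow, whose implementation this PR does not show), a small Python checker that flags every `uses:` reference not pinned to a full 40-hex commit SHA, which is the property the guide exists to enforce. The sample workflow and the 40-character placeholder SHA are constructed; the expectation that a trailing `# vX.Y.Z` comment accompanies the SHA follows pinact's convention of writing the version beside the pin.

```python
import re

FAKE_SHA = "a" * 40  # constructed placeholder, not a real commit

# Constructed sample workflow: mixes correctly pinned, tag-pinned and
# short-SHA steps, plus local and docker references that have no tag to move.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA} # v6.0.0
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
      - uses: pnpm/action-setup@abcdef0  # short SHA, not acceptable
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_pins(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, uses_value, reason) for each step whose ref is not a
    full commit SHA. Local (./) and docker:// refs are skipped: a mutable tag
    on a remote action is what SHA pinning protects against."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((no, ref, "no ref at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((no, ref, f"ref {version!r} is not a full 40-hex SHA"))
        elif not m.group(2):
            findings.append((no, ref, "pinned, but missing the '# vX.Y.Z' comment pinact keeps"))
    return findings


if __name__ == "__main__":
    for no, ref, reason in check_pins(SAMPLE_WORKFLOW):
        print(f"line {no}: {ref}: {reason}")
```

Run it over a real `.github/workflows/*.yml` file instead of the sample to reproduce locally what a failing pinning check would report; the fix remains to run `pinact run` rather than edit a SHA by hand.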