
ci: SHA-pin all workflow templates so UI adoption is pinact-clean#60

Merged
dkastl merged 1 commit into main from feat/59-sha-pin-templates on Jun 12, 2026
Conversation

@dkastl dkastl commented Jun 12, 2026


Closes #59

What

SHA-pins every "New workflow (by Geolonia)" template so adopting one via the
GitHub UI produces a pinact-clean PR with no manual pinact run.

  • All 8 workflow-templates/*.yml uses: refs: @v1 → @92c8c6d # v1.16.0.
  • .pinact.yml: add a files: list (defaults + workflow-templates/*) so the
    templates themselves are now verified by the Action Pinning Check.

Why

The picker copies templates verbatim and GitHub can't pin at add-time, so @v1
made every UI adoption fail the adopter's pinact gate. geolonia/* is already
min-age-exempt, so pinning to a fresh release is allowed. Each adopting repo's
Dependabot bumps its own copy from there.

Verification

pinact run --fix=false --verify --verify-min-age → exit 0 locally (and this
PR's own Action Pinning Check now covers the templates).

Follow-up (not in this PR)

Dependabot can't scan workflow-templates/, so these template SHAs won't
auto-update. A release-time job that re-pins workflow-templates/ on each new
tag would keep them fresh — happy to add it separately.

Summary by CodeRabbit

Chores

  • Pinned GitHub Actions workflow versions to specific commits (v1.16.0) instead of floating version tags to ensure deterministic and consistent execution across environments.
  • Expanded workflow file configuration to comprehensively include all workflow templates and action manifests for complete coverage.

The New-workflow picker copies templates verbatim, so @v1 made every UI
adoption fail the adopter's Action Pinning Check. Pin all workflow-templates/
uses refs to @92c8c6d # v1.16.0, and extend .pinact.yml files: to cover
workflow-templates/ so the templates stay pinned going forward. geolonia/* is
min-age-exempt, so the fresh release is fine; each adopting repo's Dependabot
keeps its copy current from there.

Verified locally: pinact run --fix=false --verify --verify-min-age -> exit 0.

Closes #59
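As an added example (not part of this PR or the geolonia/.github repository), a small Python audit of the `uses:` refs in a constructed workflow template, classifying each ref as floating, SHA-pinned with a release comment, or local, which is the property the PR description calls "pinact-clean". The reusable-workflow paths in the sample are hypothetical; only the ref shapes matter.

```python
import re
from typing import List, Tuple

# Constructed sample: one floating @v1 ref, one SHA pin with a release comment,
# and one local reusable workflow. Paths are hypothetical.
SAMPLE_TEMPLATE = """\
name: Pinact Check
on: [pull_request]
jobs:
  pinact:
    uses: geolonia/.github/.github/workflows/pinact-check.yml@v1
  lint:
    uses: geolonia/.github/.github/workflows/lint.yml@92c8c6d # v1.16.0
  local:
    uses: ./.github/workflows/local.yml
"""

# `uses: owner/repo/path@ref  # vX.Y.Z` at job or step level (leading "- " allowed).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>\S+))?\s*$")
# Hex commit SHA; short SHAs are accepted here because the PR pins to @92c8c6d.
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")
# Release tag comment such as "v1.16.0" that lets tooling map the SHA back.
SEMVER_RE = re.compile(r"^v?\d+(\.\d+){1,2}$")


def audit_uses(yaml_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ref, status) for every `uses:` line.

    status is one of: "pinned" (SHA plus release comment),
    "pinned-no-version-comment", "floating" (tag or branch), "local".
    """
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        if ref.startswith("./") or "@" not in ref:
            status = "local"  # same-repo path: nothing to pin
        else:
            version = ref.rsplit("@", 1)[1]
            if SHA_RE.match(version):
                status = "pinned" if comment and SEMVER_RE.match(comment) else "pinned-no-version-comment"
            else:
                status = "floating"
        findings.append((lineno, ref, status))
    return findings


def is_pinact_clean(yaml_text: str) -> bool:
    """True when no `uses:` ref is a floating tag or branch."""
    return all(status != "floating" for _, _, status in audit_uses(yaml_text))
```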

coderabbitai Bot commented Jun 12, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 811a4bf3-f266-4aa1-8aa7-e68ac4ecd588

📥 Commits

Reviewing files that changed from the base of the PR and between a0dda21 and 589a316.

📒 Files selected for processing (9)
  • .pinact.yml
  • workflow-templates/bumblebee-scan.yml
  • workflow-templates/cdk-deploy-monitor.yml
  • workflow-templates/pinact-check.yml
  • workflow-templates/publish-techdocs.yml
  • workflow-templates/release-auto-on-tag.yml
  • workflow-templates/route-issue.yml
  • workflow-templates/secret-leak-check.yml
  • workflow-templates/sync-team-access.yml

Walkthrough

This PR adds workflow template pinning for reproducibility. .pinact.yml configuration is expanded to include workflow templates in its file verification scope. All eight workflow templates in workflow-templates/ are then updated to reference their reusable workflows using pinned commit SHAs at version v1.16.0 instead of the floating @v1 tag.

Changes

Workflow Template SHA Pinning

Pinact configuration for workflow template verification
  File(s): .pinact.yml
  Summary: .pinact.yml now explicitly includes workflow files under .github/workflows/, action manifests under .github/actions/, and workflow-template files under workflow-templates/ in the pinact files list.

SHA-pin all workflow template reusable references
  File(s): workflow-templates/bumblebee-scan.yml, workflow-templates/cdk-deploy-monitor.yml, workflow-templates/pinact-check.yml, workflow-templates/publish-techdocs.yml, workflow-templates/release-auto-on-tag.yml, workflow-templates/route-issue.yml, workflow-templates/secret-leak-check.yml, workflow-templates/sync-team-access.yml
  Summary: All eight workflow templates update their reusable workflow uses: references from the floating @v1 tag to pinned commit SHAs at v1.16.0, ensuring deterministic behavior when templates are adopted into downstream repositories.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • geolonia/.github#51: Introduced the .pinact.yml configuration and canonical pinact enforcement infrastructure that this PR extends to cover workflow templates.
  • geolonia/.github#44: Added the bumblebee-scan.yml workflow template which this PR pins to a specific commit SHA.
  • geolonia/.github#57: Introduced the route-issue.yml workflow template which this PR pins to a specific commit SHA.
🚥 Pre-merge checks: 5 passed
  • Title check: ✅ Passed. The title accurately summarizes the main change: SHA-pinning workflow templates to ensure pinact compliance for UI adoptions.
  • Description check: ✅ Passed. The description provides comprehensive details on what changed, why, and verification steps; it goes beyond the template but covers all essential information.
  • Linked Issues check: ✅ Passed. All coding requirements from #59 are met: all 8 workflow templates SHA-pinned to v1.16.0, and .pinact.yml updated with workflow-templates file coverage.
  • Out of Scope Changes check: ✅ Passed. All changes directly support the objective of pinning workflow templates and extending pinact coverage to them; no extraneous modifications detected.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions


Secret Leak Check

OK No secrets detected in this PR's diff.

@dkastl dkastl merged commit f9bead4 into main Jun 12, 2026
3 checks passed
@dkastl dkastl deleted the feat/59-sha-pin-templates branch June 12, 2026 00:38

Development

Successfully merging this pull request may close these issues.

SHA-pin all workflow templates so UI adoption is pinact-clean