
chore: add pinact enforcement #2

Merged
gentamura merged 5 commits into main from chore-pinact-integration
Sep 18, 2025

Conversation

@gentamura (Member) commented Sep 18, 2025

Summary

  • pin all reusable workflows to commit SHAs with pinact
  • add pinact validation workflow to CI and document the requirement
  • update repository docs with local pinact guidance

Testing

  • act -j pinact -W .github/workflows/pinact.yml --container-architecture linux/amd64

Summary by CodeRabbit

  • Chores
    • Pinned external CI actions to specific commits, added a CI workflow to validate pinned actions, and standardized checkout credential handling and workflow permissions to improve supply-chain security and reproducible CI.
  • Documentation
    • Updated README and AGENTS guide with the new pin verification workflow, local validation commands, and guidance on using pinned SHAs and related security practices.
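The properties the description above enforces (every external `uses:` pinned to a full-length commit SHA with a version comment pinact can read, `persist-credentials: false` on checkout, an explicit top-level `permissions:` block) as a stand-alone audit, plus the tag-to-commit resolution that pinning depends on. This is an added example written for this page, not code from the PR, from pinact or from CodeRabbit. The workflow text and the `git ls-remote` output it scans are constructed samples: the checkout v5.0.0 commit SHA is the one the PR pins, the tag-object SHA and the `v5` entry are placeholders. The line-based scan is an assumption made to keep the example free of a YAML dependency and is not how pinact parses files.

```python
"""Added example (not code from this PR, pinact or CodeRabbit): a minimal
stand-alone audit of the properties the PR enforces, using only the standard
library and a line-based scan instead of a YAML parser."""
import re
from typing import List, Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# `uses:` either directly after a list dash or as a key inside a `- name:` step.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(\.\d+)*")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def audit_workflow(text: str) -> List[str]:
    """Return one finding per problem; an empty list means the file is clean."""
    lines = text.splitlines()
    findings = []
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("no top-level permissions block; GITHUB_TOKEN gets the repository default")
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and container images are out of scope here
        if "@" not in ref:
            findings.append(f"line {i}: {ref} carries no ref at all")
            continue
        name, version = ref.rsplit("@", 1)
        if not SHA40.match(version):
            findings.append(f"line {i}: {name} uses mutable ref '{version}', not a 40-hex commit SHA")
        elif not VERSION_COMMENT_RE.search(comment):
            findings.append(f"line {i}: {name} is SHA-pinned but lacks a '# vX.Y.Z' comment, so pinact cannot bump it")
        if name == "actions/checkout":
            # The step's own keys (with:, name:) sit at the indent of `uses:`;
            # anything shallower starts the next step or the next job.
            key_indent = line.index("uses:")
            body = []
            for nxt in lines[i:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                    break
                body.append(nxt)
            if not any(PERSIST_FALSE_RE.match(b) for b in body):
                findings.append(f"line {i}: actions/checkout without persist-credentials: false; the token stays in .git/config for later steps")
    return findings


def resolve_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Commit SHA to pin for `tag`, from `git ls-remote --tags <url>` output.

    An annotated tag appears twice: `refs/tags/<tag>` is the tag object and
    `refs/tags/<tag>^{}` is the peeled commit. `uses:` must reference the
    commit, so the peeled line wins when present.
    """
    refs = {}
    for ln in ls_remote_output.splitlines():
        parts = ln.split()
        if len(parts) == 2:
            refs[parts[1]] = parts[0]
    return refs.get(f"refs/tags/{tag}^{{}}") or refs.get(f"refs/tags/{tag}")


# Constructed sample (not the PR's workflow): one step per state the audit covers.
SAMPLE_WORKFLOW = """\
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Setup
        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76
      - uses: ./.github/actions/setup-bun
"""

# Constructed `git ls-remote --tags` output. The v5.0.0 commit SHA is the one
# this PR pins; the tag-object SHA (1111...) and the v5 entry are placeholders.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v5.0.0
08c6903cd8c0fde910a37f88322edcfb5dd907a8\trefs/tags/v5.0.0^{}
2222222222222222222222222222222222222222\trefs/tags/v5
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
    print("v5.0.0 ->", resolve_tag(SAMPLE_LS_REMOTE, "v5.0.0"))
```

On the constructed sample the audit reports four findings: the missing permissions block, the `@v5` checkout twice (mutable ref, and no `persist-credentials: false`), and the SHA-pinned setup-bun that lacks the version comment; the local composite action is skipped. For a real file call `audit_workflow(open(path).read())`, and for real tag data feed it `git ls-remote --tags https://github.com/actions/checkout`. Pinact itself resolves tags through the GitHub API and rewrites the file; this only shows what the check is.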

@coderabbitai (bot) commented Sep 18, 2025

Walkthrough

This change pins several GitHub Actions to specific commit SHAs, adds a new pinact workflow plus .pinact.yaml to validate pinned actions, updates a composite setup-bun action to a pinned SHA, and updates documentation (README.md, AGENTS.md) to document pin verification and pinact usage.

Changes

Cohort: Workflows: pinned checkout & permissions
Files: .github/workflows/actionlint.yml, .github/workflows/lint.yml, .github/workflows/release.yml, .github/workflows/test.yml, .github/workflows/typecheck.yml
Summary: Added top-level permissions (mostly contents: read, plus pull-requests: read and checks: write in actionlint). Replaced actions/checkout@v5 with a pinned commit actions/checkout@08c6903c... # v5.0.0 and added with: persist-credentials: false. Other action usages pinned (e.g., reviewdog/action-actionlint@95395aa..., changesets/action@e0145ed...). Minor step config additions (actionlint: filter_mode: nofilter, actionlint_flags).

Cohort: Composite action: setup-bun
Files: .github/actions/setup-bun/action.yml
Summary: Pinned oven-sh/setup-bun from tag to commit 735343b6... with inline # v2.0.2 comment; remaining steps unchanged.

Cohort: New workflow: pinact
Files: .github/workflows/pinact.yml
Summary: Added pinact workflow (on push to main and PRs) with permissions for reading contents and pull requests; job checks out with persist-credentials: false and runs suzuki-shunsuke/pinact-action@49cbd6a... with skip_push: "true".

Cohort: Pinact config
Files: .pinact.yaml
Summary: Added Pinact configuration with schema reference, version: 3, commented examples for files and ignore_actions, and no active ignore rules.

Cohort: Docs
Files: AGENTS.md, README.md
Summary: Documented the new pinact workflow and local pinact verification; updated notes to state external actions are pinned to full-length commit SHAs and to recommend running pinact locally/CI.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant WF as pinact workflow
  participant CO as actions/checkout@SHA
  participant PA as pinact-action@SHA

  Dev->>GH: Push / Open PR
  GH->>WF: Trigger pinact workflow
  WF->>CO: Checkout repo (persist-credentials: false)
  CO-->>WF: Working copy
  WF->>PA: Run pinact-action (skip_push: "true")
  PA-->>WF: Report validation results
  WF-->>GH: Job status reported
  GH-->>Dev: Status/check result shown on PR

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I thump my paw at tags that drift,
Now SHAs are locked—no sneaky shift.
Pinact hops through CI lanes,
Sniffing refs and checking chains.
Our burrow's builds are pinned and neat. 🐇🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title Check: ✅ Passed. The title "chore: add pinact enforcement" is concise, follows conventional-commit style, and accurately summarizes the primary change—adding Pinact validation/enforcement (workflow, config, and docs) to ensure actions are pinned. It clearly communicates the main intent for reviewers without unnecessary detail.
Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14a2313 and 6f410bc.

📒 Files selected for processing (1)
  • .github/workflows/actionlint.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/actionlint.yml


@coderabbitai (bot) left a comment

Actionable comments posted: 1

🧹 Nitpick comments (15)
AGENTS.md (3)

15-15: Doc tweak: clarify local verification with Pinact workflow.

Consider adding the explicit act command (already shown in README) here for symmetry.

- - Pin verification: run `pinact run --check` locally or via the `pinact.yml` workflow.
+ - Pin verification: run `pinact run --check` locally or `act -j pinact -W .github/workflows/pinact.yml`.

26-26: Outdated guidance: “stable tags” conflicts with SHA pinning policy.

Replace with full-length commit SHAs to align with Pinact enforcement.

-- External actions should use stable tags (e.g., `actions/checkout@v5`). The internal composite action is referenced relatively: `./.github/actions/setup-bun` so it works both with `act` and on GitHub.
+- External actions must be pinned to full-length commit SHAs (e.g., `actions/checkout@08c6903c…`). The internal composite action is referenced relatively: `./.github/actions/setup-bun` so it works both with `act` and on GitHub.

44-44: Same inconsistency: avoid “stable tags”; emphasize SHA pins.

-- Do not log sensitive information. Using stable tags helps reduce supply chain risks; `pinact` enforcement ensures commits stay pinned.
+- Do not log sensitive information. Pin to full-length commit SHAs to reduce supply chain risk; `pinact` enforces the pins.
README.md (2)

31-31: Good security note. Optional: mention periodic pin refresh.

- - Runners: `ubuntu-latest` recommended. External actions are pinned to full-length commit SHAs via `pinact` to mitigate tag rewrite attacks.
+ - Runners: `ubuntu-latest` recommended. External actions are pinned to full-length commit SHAs via `pinact` to mitigate tag rewrite attacks (refresh pins periodically).

13-13: Add Pinact link for discoverability

Official repo: https://github.com/suzuki-shunsuke/pinact

- `pinact.yml`: Validate that reusable workflows reference full-length commit SHAs.
+ `pinact.yml`: Validate that reusable workflows reference full-length commit SHAs (see Pinact).
.github/workflows/lint.yml (1)

8-8: Keep the pin; disable persisted creds and restrict permissions

Confirmed actions/checkout v5.0.0 → 08c6903cd8c0fde910a37f88322edcfb5dd907a8.

-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false

Add at workflow root:

permissions:
  contents: read
.github/workflows/typecheck.yml (1)

8-8: Pin looks good; harden checkout and lock down permissions.

v5.0.0 tag points to commit 08c6903cd8c0fde910a37f88322edcfb5dd907a8 (confirmed).

  • Add persist-credentials: false to prevent unintended pushes.
  • Add minimal permissions: contents: read for this reusable workflow.

Apply:

-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false

Also add near the top (outside the hunk):

permissions:
  contents: read
.github/actions/setup-bun/action.yml (1)

6-6: Pin Bun version in setup-bun action

v2.0.2 maps to commit 735343b667d3e6f658f44d0eca948eb6282f2b76 — add a fixed bun-version to avoid silent Bun upgrades.

-    - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
+    - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
+      with:
+        bun-version: "1.1.x" # or a fixed full version you support
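Review bot: `bun-version: "1.1.x"` is still a floating range, so it does not stop the silent Bun upgrades the comment warns about; it only caps them at a minor line. Pin a full version (the one the project actually tests against) or, if the repository already carries a Bun lockfile, rely on that and say so here. Note also that pinact checks only `uses:` refs, so a tool version inside `with:` is outside what the `pinact.yml` workflow enforces and needs its own review rule.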
.github/workflows/actionlint.yml (1)

13-15: Add read-only workflow permissions and disable persisted credentials on checkout

Set persist-credentials: false on the checkout step and add workflow-level permissions: contents: read.

File: .github/workflows/actionlint.yml (lines 13-15)

-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false

Add at workflow root:

permissions:
  contents: read

Confirmed: reviewdog/action-actionlint v1.67.0 → 95395aac8c053577d0bc67eb7b74936c660c6f66.

.github/workflows/release.yml (1)

14-14: LGTM — checkout pin verified

Pinned actions/checkout@08c6903 (v5.0.0) confirmed. Consider explicitly setting minimal inherited permissions for safety; release already sets contents/pull-requests: write, so no change needed here beyond verifying the SHA mapping.

.github/workflows/pinact.yml (3)

3-8: Scope workflow to workflow/config changes to avoid unnecessary runs

Limit triggers to workflow and pinact config paths to save minutes and noise.

 on:
   push:
     branches:
       - main
+    paths:
+      - '.github/workflows/**'
+      - '.pinact.yaml'
   pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.pinact.yaml'
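Review bot: the `paths` filter lists `.github/workflows/**` and `.pinact.yaml` but not `.github/actions/**`, yet `.github/actions/setup-bun/action.yml` is one of the files this PR pins; a later edit there would merge without a pinact run. Add `.github/actions/**` (or mirror whatever `files` patterns `.pinact.yaml` ends up with). One further caveat: if `pinact` is made a required status check, a path-filtered run that never starts leaves the PR waiting on a check that will not report, so either keep the triggers unfiltered or do not mark the job required.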

9-11: Tighten permissions (drop pull-requests: read unless needed)

This job reads the repo; it doesn’t touch PRs. Remove to follow least privilege.

 permissions:
   contents: read
-  pull-requests: read

14-16: Add concurrency to auto-cancel superseded runs

Prevents redundant work on rapid pushes.

 jobs:
   pinact:
     runs-on: ubuntu-latest
+    concurrency:
+      group: pinact-${{ github.ref }}
+      cancel-in-progress: true
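Review bot: with `group: pinact-${{ github.ref }}` and `cancel-in-progress: true`, two quick pushes to `main` cancel the first run and leave that commit without a pinact result; since this workflow also runs on push to `main`, cancellation should apply to pull requests only, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`.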
.pinact.yaml (2)

1-3: Pin the JSON schema URL to a release tag or commit, not main

Editor validation should be stable; main can change and break schema.

-# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/tags/vX.Y.Z/json-schema/pinact.json
# pinact - https://github.com/suzuki-shunsuke/pinact

Replace vX.Y.Z with the version you’re standardizing on (or a specific commit SHA).


4-7: Consider enabling files patterns to include composite actions

If you keep local composite actions, explicitly include their manifests.

-# files:
-#   - pattern: action.yaml
-#   - pattern: */action.yaml
+files:
+  - pattern: action.yml
+  - pattern: action.yaml
+  - pattern: */action.yml
+  - pattern: */action.yaml
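Review bot: this `files` list has no workflow entry; if `files` replaces pinact's defaults rather than extending them, `.github/workflows/*.yml` (the very files the PR just pinned) would stop being scanned, so include those globs explicitly. Also check that `*/action.yml` actually reaches `.github/actions/setup-bun/action.yml`, which sits two directories deeper than that pattern implies; `.github/actions/*/action.yml` is unambiguous.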
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between edc50f2 and 4492ba4.

📒 Files selected for processing (10)
  • .github/actions/setup-bun/action.yml (1 hunks)
  • .github/workflows/actionlint.yml (1 hunks)
  • .github/workflows/lint.yml (1 hunks)
  • .github/workflows/pinact.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/test.yml (1 hunks)
  • .github/workflows/typecheck.yml (1 hunks)
  • .pinact.yaml (1 hunks)
  • AGENTS.md (2 hunks)
  • README.md (2 hunks)
🔇 Additional comments (4)
.github/workflows/release.yml (1)

17-17: Verified — changesets/action pin matches v1.5.3

Tag v1.5.3 points to commit e0145edc7d9d8679003495b11f87bd8ef63c0cba; the pinned SHA is correct.

.pinact.yaml (1)

8-14: LGTM: no ignores by default

Good default posture; only add ignores with justification in code review.

.github/workflows/pinact.yml (2)

21-24: Pinact step verified — v1.0.0 maps to 49cbd6acd0dbab6a6be2585d1dbdaa43b4410133

Script output confirms the tag → commit match; no changes required.


17-21: Good: checkout pinned to a commit and no credential persistence — tag mapping unverified

Could not confirm actions/checkout@v5.0.0 → 08c6903cd8c0fde910a37f88322edcfb5dd907a8: the provided verification script returned HTTP 404 from the GitHub API. Confirm the tag→commit mapping (or pin directly to the commit SHA) before merging.

@gentamura (Member, Author) commented:

Applied least-privilege updates:

  • add explicit read-only permissions to reusable workflows
  • disable checkout credential persistence across all jobs

pinact run --check still passes.

@coderabbitai (bot) left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/actionlint.yml (1)

20-25: Add checks: write for reviewdog “github-pr-check” reporter.

The reporter uses the Checks API; with restrictive defaults it needs checks: write (either at job-level or root). Without it, annotations won’t post.

Minimal job-scoped fix:

 jobs:
   actionlint:
+    permissions:
+      contents: read
+      pull-requests: read
+      checks: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Run actionlint
         uses: reviewdog/action-actionlint@95395aac8c053577d0bc67eb7b74936c660c6f66 # v1.67.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           reporter: github-pr-check
           filter_mode: nofilter
           actionlint_flags: "-color -shellcheck="
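Review bot: the walkthrough at the top of this page already lists `checks: write` among actionlint.yml's top-level permissions, so if that block is present the job-level copy is redundant; keep one, preferably the narrower job-level one. Separately, `reporter: github-pr-check` posts through the Checks API with `secrets.GITHUB_TOKEN`, and on `pull_request` events from forks that token is read-only whatever the workflow declares, so annotations will still not appear for fork PRs; the job result is the only signal in that case.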
♻️ Duplicate comments (2)
.github/workflows/test.yml (2)

4-5: Least-privilege defaults: LGTM (matches prior guidance).

The root permissions block is correctly set.


10-12: Pinned checkout + no persisted creds: LGTM (matches prior guidance).

Secure pin and token handling look good.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 4492ba4 and bdfdf71.

📒 Files selected for processing (5)
  • .github/workflows/actionlint.yml (2 hunks)
  • .github/workflows/lint.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/test.yml (1 hunks)
  • .github/workflows/typecheck.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/release.yml
  • .github/workflows/typecheck.yml
🔇 Additional comments (3)
.github/workflows/lint.yml (2)

4-5: Least-privilege defaults: LGTM.

Root-level permissions with contents: read are appropriate for a lint-only workflow.


10-12: Pinned checkout + no persisted creds: LGTM.

SHA pin and persist-credentials: false harden the workflow without impacting lint.

.github/workflows/actionlint.yml (1)

16-18: Pinned checkout + no persisted creds: LGTM.

Good hardening for this workflow as well.

@coderabbitai (bot) left a comment

Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between bdfdf71 and 33595f9.

📒 Files selected for processing (1)
  • .github/workflows/actionlint.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/actionlint.yml (2)

16-18: Good: pinned checkout + no credential persistence

Pinned to a commit SHA and persist-credentials: false are the right hardening moves. No changes suggested.


20-20: Good: pin reviewdog/action-actionlint to a commit SHA

Version is pinned; inputs look fine.

@coderabbitai (bot) left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
.pinact.yaml (3)

1-1: Pin the JSON Schema URL to a release tag (avoid mutable branch).

Use a fixed tag to prevent silent schema drift in editors.

Apply this diff:

-# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/v3.4.2/json-schema/pinact.json

Rationale: pinact docs recommend pinning the schema URL, and v3.4.2 is the latest release as of Aug 18, 2025. (github.com)


4-7: Make targets explicit for predictability (use glob patterns).

Defaults are fine, but being explicit reduces surprises and speeds scans.

Apply this diff:

-# files:
-#   - pattern: action.yaml
-#   - pattern: */action.yaml
+files:
+  - pattern: .github/workflows/*.yml
+  - pattern: .github/workflows/*.yaml
+  - pattern: .github/actions/*/action.yml
+  - pattern: .github/actions/*/action.yaml

These patterns follow pinact guidance for v3. (github.com)


8-14: Good: no ignores. If you add any, require exact-match regex for name and ref.

Keep ignore_actions empty by default; if you must add entries, use precise regexes for both name and ref (they must match exactly), and gate changes via CODEOWNERS/security review.

Docs note exact-match requirements for ignore rules. (github.com)

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 33595f9 and 14a2313.

📒 Files selected for processing (1)
  • .pinact.yaml (1 hunks)
🔇 Additional comments (1)
.pinact.yaml (1)

3-3: Schema version v3 looks correct. Ensure CI uses compatible pinact.

v3 is the latest schema and is supported by pinact v2.2.0+. Verify your workflow runs pinact ≥ 2.2.0.

Reference: pinact docs (“Schema v3 (latest) … v2.2.0 or later supports this version”). (github.com)

@listee-dev listee-dev deleted a comment from coderabbitai bot Sep 18, 2025
@gentamura gentamura merged commit fabf036 into main Sep 18, 2025
4 checks passed
@gentamura gentamura deleted the chore-pinact-integration branch September 18, 2025 13:39
@gentamura gentamura self-assigned this Sep 18, 2025
