chore: make pinact failure actionable

[gentamura]

Summary

• run pinact validation with continue-on-error to inspect the outcome
• emit remediation instructions when pinact finds non-pinned actions
• ensure pinact workflow has checks: write permission for reviewdog output

Testing

• pinact run --check

Summary by CodeRabbit

• Chores
  • Updated automated checks to use appropriate write permissions.
  • Improved error handling: workflows now surface clear, actionable messages when a step fails and will correctly fail the run afterward.
  • Added step identifiers to enhance traceability in check logs.
  • Maintains existing behavior for skipping pushes when applicable.

[coderabbitai]

Walkthrough

Adds write permission for checks, assigns an id to the pinact step, allows it to continue on error, and introduces a conditional remediation step that triggers on pinact failure to print guidance and then fail the workflow. Existing pinact-action usage and parameters remain unchanged.

Changes

Cohort / File(s)	Summary of Changes
CI workflow: pinact \.github/workflows/pinact.yml	- Set permissions: checks: write. - Added id: pinact to the pinact-action step. - Enabled continue-on-error: true for pinact-action. - Added conditional remediation step (if: steps.pinact.outcome == "failure") that echoes guidance and exits non-zero. - Kept existing action usage and skip_push unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Job as pinact Job
  participant Step1 as pinact-action
  participant Step2 as Remediation Step

  Dev->>GH: Push / PR triggers workflow
  GH->>Job: Start job (permissions: checks: write)
  Job->>Step1: Run pinact-action (continue-on-error: true)
  alt pinact succeeds
    Step1-->>Job: outcome = success
    Note right of Job: Workflow continues/finishes normally
  else pinact fails
    Step1-->>Job: outcome = failure
    rect rgba(255,230,230,0.6)
      Note over Step2: Conditional remediation on failure
      Job->>Step2: Print guidance and exit 1
    end
    Step2-->>GH: Fail workflow
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore: add pinact enforcement #2 — Modifies the same pinact workflow with similar step configuration and remediation handling.

Poem

A rabbit taps the pipeline drum,
Pinact stumbles—still we hum.
With gentle notes and exit one,
We catch the glitch before it runs.
Ears up, logs neat, checks write—done! 🐇✅

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "chore: make pinact failure actionable" succinctly and accurately captures the primary change in this PR — making pinact failures actionable by running pinact with continue-on-error and emitting remediation guidance, along with the workflow permission update. It is concise, specific to the main change, and suitable for a teammate scanning PR history.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/pinact-remediation-note

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fabf036 and 16b3b0f.

📒 Files selected for processing (1)

• .github/workflows/pinact.yml (2 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/*.yml: Optionally run actionlint for static analysis of workflow files
Workflow filenames use kebab-case with .yml extension
Job IDs are lowercase and concise (e.g., lint, test)
Step name fields should be human-readable
Reference the internal composite action relatively as ./.github/actions/setup-bun so it works in act and on GitHub

Files:

• .github/workflows/pinact.yml

.github/workflows/pinact.yml

📄 CodeRabbit inference engine (AGENTS.md)

Provide and/or use a pinact workflow (pinact.yml) to verify action pinning

Files:

• .github/workflows/pinact.yml

.github/**/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

.github/**/*.yml: Use 2-space indentation in all YAML files
Reference external actions using stable tags (e.g., actions/checkout@v5) rather than floating tags
Do not log sensitive information in workflow or action steps
Ensure third-party actions are pinned (stable tags or commits); enforcement is via pinact

Files:

• .github/workflows/pinact.yml

🧠 Learnings (4)

📓 Common learnings

Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/workflows/pinact.yml : Provide and/or use a pinact workflow (pinact.yml) to verify action pinning

Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/**/*.yml : Ensure third-party actions are pinned (stable tags or commits); enforcement is via pinact

📚 Learning: 2025-09-18T13:40:39.361Z

Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/workflows/pinact.yml : Provide and/or use a pinact workflow (pinact.yml) to verify action pinning

Applied to files:

• .github/workflows/pinact.yml

📚 Learning: 2025-09-18T13:40:39.361Z

Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/**/*.yml : Ensure third-party actions are pinned (stable tags or commits); enforcement is via pinact

Applied to files:

• .github/workflows/pinact.yml

📚 Learning: 2025-09-18T13:40:39.361Z

Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/workflows/release.yml : Minimize permissions in release.yml to contents and pull-requests

Applied to files:

• .github/workflows/pinact.yml

🔇 Additional comments (3)

.github/workflows/pinact.yml (3)

12-12: LGTM: checks: write is correctly scoped for reviewdog/checks output.

Matches the PR objective and least‑privilege intent alongside contents: read and pull-requests: read.

---

23-25: Good pattern — continue-on-error with follow-up; check steps..outcome

Using an id with continue-on-error is fine. When the action fails with continue-on-error: true, steps.<id>.outcome == 'failure' while steps.<id>.conclusion == 'success'; check steps.<id>.outcome (e.g. if: steps.pinact.outcome == 'failure') to detect the pre-continue failure.

---

29-37: Tighten the failure gate and clean up message formatting.

• Use explicit expression syntax for the if to aid readability.
• Remove unnecessary backslashes before backticks.
• Add an alternative install path for non‑Homebrew users and correct the actionlint example (the download helper expects VERSION and DIR, e.g. latest ./bin, not -b).

Apply:

-      - name: Suggest remediation when pinact fails
-        if: steps.pinact.outcome == "failure"
-        run: |
-          echo '::error::Some GitHub Actions are not pinned to commit SHAs.'
-          echo '::error::Fix steps:'
-          echo '::error::1. Install pinact (brew install pinact).'
-          echo '::error::2. Run \`pinact run\` or \`pinact run -u\` locally to update SHAs.'
-          echo '::error::3. Commit the changes and push again.'
-          exit 1
+      - name: Suggest remediation when pinact fails
+        if: ${{ steps.pinact.outcome == 'failure' }}
+        run: |
+          echo '::error::Some GitHub Actions are not pinned to commit SHAs.'
+          echo '::error::Remediation steps:'
+          echo '::error::1. Install pinact (brew install pinact) or: go install github.com/suzuki-shunsuke/pinact/cmd/pinact@latest'
+          echo '::error::2. Run `pinact run` (or `pinact run -u` to update SHAs) locally.'
+          echo '::error::3. Commit the changes and push again.'
+          exit 1

Optionally run actionlint locally to sanity-check the workflow:

#!/bin/bash
set -euo pipefail
# Install actionlint (adjust VERSION/DIR for your OS/arch as needed).
curl -sSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash | bash -s -- latest ./bin
./bin/actionlint --color

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}