
chore: make pinact failure actionable #3

Merged
gentamura merged 1 commit into main from chore/pinact-remediation-note
Sep 20, 2025

Conversation

@gentamura
Member

@gentamura gentamura commented Sep 20, 2025

Summary

  • run pinact validation with continue-on-error to inspect the outcome
  • emit remediation instructions when pinact finds non-pinned actions
  • ensure pinact workflow has checks: write permission for reviewdog output

Testing

  • pinact run --check

Summary by CodeRabbit

  • Chores
    • Updated automated checks to use appropriate write permissions.
    • Improved error handling: workflows now surface clear, actionable messages when a step fails and will correctly fail the run afterward.
    • Added step identifiers to enhance traceability in check logs.
    • Maintains existing behavior for skipping pushes when applicable.

@coderabbitai

coderabbitai bot commented Sep 20, 2025

Walkthrough

Adds write permission for checks, assigns an id to the pinact step, allows it to continue on error, and introduces a conditional remediation step that triggers on pinact failure to print guidance and then fail the workflow. Existing pinact-action usage and parameters remain unchanged.

Changes

Cohort / File(s): CI workflow: pinact (.github/workflows/pinact.yml)

Summary of changes:
  • Set permissions: checks: write.
  • Added id: pinact to the pinact-action step.
  • Enabled continue-on-error: true for pinact-action.
  • Added conditional remediation step (if: steps.pinact.outcome == "failure") that echoes guidance and exits non-zero.
  • Kept existing action usage and skip_push unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Job as pinact Job
  participant Step1 as pinact-action
  participant Step2 as Remediation Step

  Dev->>GH: Push / PR triggers workflow
  GH->>Job: Start job (permissions: checks: write)
  Job->>Step1: Run pinact-action (continue-on-error: true)
  alt pinact succeeds
    Step1-->>Job: outcome = success
    Note right of Job: Workflow continues/finishes normally
  else pinact fails
    Step1-->>Job: outcome = failure
    rect rgba(255,230,230,0.6)
      Note over Step2: Conditional remediation on failure
      Job->>Step2: Print guidance and exit 1
    end
    Step2-->>GH: Fail workflow
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit taps the pipeline drum,
Pinact stumbles—still we hum.
With gentle notes and exit one,
We catch the glitch before it runs.
Ears up, logs neat, checks write—done! 🐇✅

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: Passed. The title "chore: make pinact failure actionable" succinctly and accurately captures the primary change in this PR — making pinact failures actionable by running pinact with continue-on-error and emitting remediation guidance, along with the workflow permission update. It is concise, specific to the main change, and suitable for a teammate scanning PR history.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fabf036 and 16b3b0f.

📒 Files selected for processing (1)
  • .github/workflows/pinact.yml (2 hunks)
🧰 Additional context used
📓 Path-based instructions (3)
.github/workflows/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

.github/workflows/*.yml: Optionally run actionlint for static analysis of workflow files
Workflow filenames use kebab-case with .yml extension
Job IDs are lowercase and concise (e.g., lint, test)
Step name fields should be human-readable
Reference the internal composite action relatively as ./.github/actions/setup-bun so it works in act and on GitHub

Files:

  • .github/workflows/pinact.yml
.github/workflows/pinact.yml

📄 CodeRabbit inference engine (AGENTS.md)

Provide and/or use a pinact workflow (pinact.yml) to verify action pinning

Files:

  • .github/workflows/pinact.yml
.github/**/*.yml

📄 CodeRabbit inference engine (AGENTS.md)

.github/**/*.yml: Use 2-space indentation in all YAML files
Reference external actions using stable tags (e.g., actions/checkout@v5) rather than floating tags
Do not log sensitive information in workflow or action steps
Ensure third-party actions are pinned (stable tags or commits); enforcement is via pinact

Files:

  • .github/workflows/pinact.yml
🧠 Learnings (4)
📓 Common learnings
Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/workflows/pinact.yml : Provide and/or use a pinact workflow (pinact.yml) to verify action pinning
Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/**/*.yml : Ensure third-party actions are pinned (stable tags or commits); enforcement is via pinact
📚 Learning: 2025-09-18T13:40:39.361Z
Learnt from: CR
PR: listee-dev/listee-ci#0
File: AGENTS.md:0-0
Timestamp: 2025-09-18T13:40:39.361Z
Learning: Applies to .github/workflows/release.yml : Minimize permissions in release.yml to contents and pull-requests

Applied to files:

  • .github/workflows/pinact.yml
🔇 Additional comments (3)
.github/workflows/pinact.yml (3)

12-12: LGTM: checks: write is correctly scoped for reviewdog/checks output.

Matches the PR objective and least‑privilege intent alongside contents: read and pull-requests: read.


23-25: Good pattern — continue-on-error with follow-up; check steps.<id>.outcome

Using an id with continue-on-error is fine. When the action fails with continue-on-error: true, steps.<id>.outcome == 'failure' while steps.<id>.conclusion == 'success'; check steps.<id>.outcome (e.g. if: steps.pinact.outcome == 'failure') to detect the pre-continue failure.


29-37: Tighten the failure gate and clean up message formatting.

  • Use explicit expression syntax for the if to aid readability.
  • Remove unnecessary backslashes before backticks.
  • Add an alternative install path for non‑Homebrew users and correct the actionlint example (the download helper expects VERSION and DIR, e.g. latest ./bin, not -b).

Apply:

-      - name: Suggest remediation when pinact fails
-        if: steps.pinact.outcome == "failure"
-        run: |
-          echo '::error::Some GitHub Actions are not pinned to commit SHAs.'
-          echo '::error::Fix steps:'
-          echo '::error::1. Install pinact (brew install pinact).'
-          echo '::error::2. Run \`pinact run\` or \`pinact run -u\` locally to update SHAs.'
-          echo '::error::3. Commit the changes and push again.'
-          exit 1
+      - name: Suggest remediation when pinact fails
+        if: ${{ steps.pinact.outcome == 'failure' }}
+        run: |
+          echo '::error::Some GitHub Actions are not pinned to commit SHAs.'
+          echo '::error::Remediation steps:'
+          echo '::error::1. Install pinact (brew install pinact) or: go install github.com/suzuki-shunsuke/pinact/cmd/pinact@latest'
+          echo '::error::2. Run `pinact run` (or `pinact run -u` to update SHAs) locally.'
+          echo '::error::3. Commit the changes and push again.'
+          exit 1
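Review bot: the change that matters on the `if:` line is the quote style, not the `${{ }}` wrapper, and the bullet above should say so: GitHub Actions expressions accept only single-quoted string literals, so `steps.pinact.outcome == "failure"` is a workflow syntax error that would prevent the remediation step from ever running, whereas `${{ }}` around an `if:` condition is optional. Two smaller points on the echoed guidance: step 2 tells the developer to run `pinact run`, which rewrites the workflow files, while the PR's own Testing section uses `pinact run --check`; suggest listing `pinact run --check` as the read-only verification first, then `pinact run -u` to update SHAs. And because continue-on-error swallows every failure of pinact-action, a failure for any other reason (network, API, or install error) would also print "Some GitHub Actions are not pinned to commit SHAs."; wording the message as "pinact reported a failure; see the pinact step log" keeps it accurate in that case.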

Optionally run actionlint locally to sanity-check the workflow:

#!/bin/bash
set -euo pipefail
# Install actionlint (adjust VERSION/DIR for your OS/arch as needed).
curl -sSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash | bash -s -- latest ./bin
./bin/actionlint --color

Comment @coderabbitai help to get the list of available commands and usage tips.
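Added example, not code from this repository, from pinact or from CodeRabbit: a minimal Python checker that does what the remediation step in this PR assumes pinact has found, but reports each unpinned `uses:` reference as a GitHub workflow-command annotation carrying file and line, so the error lands next to the offending line in the checks UI rather than only in the job log. The sample workflow text and the SHA inside it are constructed; local composite actions such as ./.github/actions/setup-bun and docker:// images are skipped because they are not pinned by commit SHA.

```python
import re

# Added example (not the repository's, pinact's or CodeRabbit's code).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def is_pinned(ref: str) -> bool:
    """True when the ref is a full 40-hex commit SHA (the rule pinact enforces).
    Local composite actions (./...) and docker:// images are not pinned by SHA
    and are skipped; a tag such as v5 or a branch name counts as unpinned."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    if "@" not in ref:
        return False  # no ref at all is treated as unpinned
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))

def find_unpinned(workflow_text: str) -> list:
    """Return [(line_number, uses_ref)] for every unpinned action reference."""
    found = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            found.append((lineno, m.group(1)))
    return found

def remediation_annotations(path: str, unpinned: list) -> list:
    """Build ::error file=..,line=..::msg workflow commands so each offending
    line is highlighted in the checks output, followed by the fix instruction."""
    lines = [f"::error file={path},line={n}::Action '{ref}' is not pinned to a commit SHA"
             for n, ref in unpinned]
    if lines:
        lines.append("::error::Run `pinact run` locally to update SHAs, then commit and push.")
    return lines

# Constructed sample workflow (not from the repository); the SHA is made up.
SAMPLE = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v5
      - uses: ./.github/actions/setup-bun
      - uses: suzuki-shunsuke/pinact-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for cmd in remediation_annotations(".github/workflows/ci.yml", find_unpinned(SAMPLE)):
        print(cmd)
```

Printing these lines from a workflow step is what turns them into annotations; the file path must be relative to the repository root for GitHub to attach them to the diff.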

@gentamura gentamura self-assigned this Sep 20, 2025
@gentamura gentamura merged commit 0fc4a27 into main Sep 20, 2025
3 checks passed
@gentamura gentamura deleted the chore/pinact-remediation-note branch September 20, 2025 07:18