fix: pin feature-ideation.yml reusable workflow to SHA#102
Pin `petry-projects/.github/.github/workflows/feature-ideation-reusable.yml` from `@v1` to its resolved SHA `208ec2d69b75227d375edf8745d84fbac05a76b2` to satisfy the action-pinning compliance policy. Also syncs the file with the latest upstream template: adds the `dry_run` workflow_dispatch input that was added after the initial copy. Co-authored-by: don-petry <don-petry@users.noreply.github.com>
PR is ready for review. No CODEOWNERS file found — @don-petry please review and merge when CI passes.
Pull request overview
Pins the org-wide reusable “Feature Research & Ideation” workflow reference to a specific commit SHA to satisfy the action-pinning compliance policy, and syncs the caller stub with the latest upstream interface.
Changes:
- Pin `petry-projects/.github/.github/workflows/feature-ideation-reusable.yml` from `@v1` to a resolved commit SHA.
- Add a `dry_run` workflow_dispatch input and forward it to the reusable workflow.
| include A, B, C. Key emerging trends in this space: X, Y, Z." | ||
| focus_area: ${{ inputs.focus_area || '' }} | ||
| research_depth: ${{ inputs.research_depth || 'standard' }} | ||
| dry_run: ${{ inputs.dry_run || false }} |
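Review bot: `dry_run: ${{ inputs.dry_run || false }}` on the last line of the hunk treats a boolean the same way the two lines above treat string defaults, but `||` only falls back when the left operand is falsy, and a non-empty string such as `'false'` is not. If the caller declares `dry_run` with `type: boolean`, forward `${{ inputs.dry_run }}` unchanged and declare the matching input as `type: boolean` on the reusable workflow as well; if the value can arrive as a string, compare it to `'true'` so the reusable side receives a real boolean.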
workflow_dispatch inputs are often surfaced as strings (e.g., 'true'/'false'). Using inputs.dry_run || false can therefore produce the string 'false' on a manual dispatch, which is truthy in GitHub expressions and can cause the reusable workflow to treat dry_run as enabled. Consider coercing to a real boolean (e.g., compare to 'true' or use fromJSON(inputs.dry_run)) before passing it to the reusable workflow.
| dry_run: ${{ inputs.dry_run || false }} | |
| dry_run: ${{ inputs.dry_run == true || inputs.dry_run == 'true' }} |
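As an added example (not code from this PR or the repository), the following Python models the truthiness rules GitHub expressions apply, showing why the hunk's `inputs.dry_run || false` forwards the truthy string `'false'` while the suggested comparison yields a real boolean. The names `gh_truthy`, `gh_or` and the `forward_*` helpers are assumptions for this illustration, not GitHub APIs.

```python
# Added example: a small model of GitHub Actions expression truthiness,
# used to show why `inputs.dry_run || false` misbehaves when the dispatch
# input arrives as the string 'false'. Not the real evaluator.

def gh_truthy(value) -> bool:
    """GitHub treats false, 0, '' and null as falsy; everything else,
    including the string 'false', is truthy."""
    if value is None or value is False:
        return False
    if isinstance(value, (int, float)) and value == 0:
        return False
    if isinstance(value, str) and value == "":
        return False
    return True


def gh_or(left, right):
    """Model of `left || right`: the first truthy operand, else `right`."""
    return left if gh_truthy(left) else right


def forward_dry_run_naive(raw):
    """`dry_run: ${{ inputs.dry_run || false }}` as written in the hunk.
    A string 'false' passes through untouched because it is truthy."""
    return gh_or(raw, False)


def forward_dry_run_coerced(raw):
    """`dry_run: ${{ inputs.dry_run == true || inputs.dry_run == 'true' }}`.
    Both comparisons produce booleans, so the result is always a boolean."""
    return gh_or(raw is True, raw == "true")


def reusable_treats_as_enabled(forwarded) -> bool:
    """What the reusable workflow sees if it tests the forwarded value."""
    return gh_truthy(forwarded)


if __name__ == "__main__":
    # Constructed dispatch values: boolean, stringified, and missing.
    for raw in (True, False, "true", "false", "", None):
        print(repr(raw), "naive ->", repr(forward_dry_run_naive(raw)),
              "coerced ->", repr(forward_dry_run_coerced(raw)))
```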
| @@ -75,7 +80,7 @@ jobs: | |||
| pull-requests: read | |||
| discussions: write | |||
| id-token: write | |||
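Review bot: the visible context of this hunk is only the permissions block (`pull-requests: read`, `discussions: write`, `id-token: write`); the pinned `uses:` line the PR is about does not appear in it, so a reviewer cannot confirm from the hunk that the new SHA is the commit `@v1` currently resolves to. Suggest recording in the PR description how the SHA was resolved from the tag, and keeping a trailing `# v1` comment on the `uses:` line so the pin stays auditable and tooling can map it back to the tag.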
The header guidance says you “MUST NOT change … the uses: line”, but this PR legitimately changes it to pin to a SHA for compliance. To avoid future confusion (and reduce the risk of someone reverting the pin), update the guidance to explicitly allow/require SHA pin updates while still forbidding changing the referenced reusable workflow path.
| id-token: write | |
| id-token: write | |
| # Keep the reusable workflow path unchanged unless the standard itself moves. | |
| # Update the pinned commit SHA when adopting a newer approved standard version | |
| # or when compliance/security policy requires refreshing the pin. |
Automated review — APPROVED
Risk: MEDIUM
Summary
This PR pins a reusable workflow reference from a mutable @v1 tag to an immutable SHA (208ec2d69b75227d375edf8745d84fbac05a76b2), which is a security improvement satisfying the org's action-pinning compliance policy (issue #88). It also adds a boolean dry_run dispatch input and forwards it to the reusable workflow — a trivial, safe change. All CI checks pass (CodeQL, SonarCloud Quality Gate, AgentShield, CodeRabbit) with zero new issues or security hotspots.
Findings
Info
CI status: All checks green: CodeQL, SonarCloud Quality Gate (0 new issues, 0 security hotspots), AgentShield, CodeRabbit. Branch is BLOCKED only pending an approving review.
Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with |



Summary
- Pins `petry-projects/.github/.github/workflows/feature-ideation-reusable.yml` from `@v1` to its resolved SHA `208ec2d69b75227d375edf8745d84fbac05a76b2` to satisfy the action-pinning compliance policy
- Adds the `dry_run` workflow_dispatch input
- Closes #88
Generated with Claude Code