
fix: use pinned step versions and set workflow permissions#825

Merged
steveiliop56 merged 2 commits into main from fix/workflow-versions-and-perms
Apr 28, 2026

Conversation

@steveiliop56 (Member) commented Apr 28, 2026

Solves most if not all of the scoreboard issues.

Summary by CodeRabbit

  • Chores
    • Added explicit permissions to CI/CD workflows to enforce least-privilege access.
    • Pinned workflow action references (including Docker-related steps) to immutable commits for greater stability and supply-chain security.
    • No runtime/job logic or user-facing behavior was changed.

dosubot (Bot) added the size:XS label (This PR changes 0-9 lines, ignoring generated files) Apr 28, 2026
@coderabbitai (Bot, Contributor) commented Apr 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9a16eae7-d6a9-4839-a612-8ec0c67df6ce

📥 Commits

Reviewing files that changed from the base of the PR and between 11e5fab and f0c38b0.

📒 Files selected for processing (1)
  • .github/workflows/sponsors.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/sponsors.yml

📝 Walkthrough

Six GitHub workflow files were updated to add explicit top-level permissions and to pin referenced GitHub and Docker Actions from floating version tags to specific commit SHAs; no job logic, step scripts, or other functional behavior were changed.

Changes

Cohort / File(s): Workflow Security Hardening
  • .github/workflows/ci.yml, .github/workflows/nightly.yml, .github/workflows/release.yml, .github/workflows/scorecard.yml, .github/workflows/sponsors.yml, .github/workflows/stale.yml
Summary: Added explicit workflow-level permissions (read/write scoped per workflow). Replaced floating action tags with pinned commit SHAs for GitHub Actions and Docker actions, preserving original major-version intent via inline comments. No other logic or inputs were modified.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With SHAs locked tight, no drifting versions here,
Permissions plainly stated, crystal clear!
We thwart the supply chain's sneaky schemes,
One commit hash at a time—workflow security dreams! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name / Status / Explanation
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: pinning GitHub Actions to specific commit SHAs and adding explicit workflow permissions across multiple CI/CD workflows.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai (Bot, Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/sponsors.yml:
- Around line 5-8: The workflow's permissions block uses "contents: read" which
prevents the peter-evans/create-pull-request action from pushing
branches/creating PRs; update the permissions in the file by changing the
"contents" permission to "write" while keeping "pull-requests: write" so the
create-pull-request action (peter-evans/create-pull-request) can use
secrets.GITHUB_TOKEN to push and create/update PRs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 4ac55ae3-bd50-4b69-910a-6646a00d987d

📥 Commits

Reviewing files that changed from the base of the PR and between c68a022 and 11e5fab.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • .github/workflows/nightly.yml
  • .github/workflows/release.yml
  • .github/workflows/scorecard.yml
  • .github/workflows/sponsors.yml
  • .github/workflows/stale.yml
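A small checker, added here as an example and not part of this PR or the repository's own tooling, that flags the two things this PR hardens (action refs not pinned to a full commit SHA, and a missing top-level permissions block) plus the specific case raised in the review comment above: peter-evans/create-pull-request needs contents: write. The sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not the project's actual sponsors.yml): one
# SHA-pinned step with a placeholder SHA, one floating tag, and a permissions
# block that is too narrow for create-pull-request, as the review noted.
SAMPLE_WORKFLOW = """\
name: sponsors
on:
  workflow_dispatch:
permissions:
  contents: read
  pull-requests: write
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: peter-evans/create-pull-request@v7
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^-?\s*uses:\s*(\S+)")


def check_workflow(text):
    """Return (findings, permissions) for one workflow's YAML text."""
    findings, permissions, actions, in_perms = [], {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if raw.startswith("permissions:"):  # top-level block only (column 0)
            in_perms = True
            value = stripped.partition(":")[2].strip()
            if value:  # shorthand form, e.g. `permissions: read-all`
                permissions["*"] = value
            continue
        if in_perms:
            if raw.startswith("  ") and ":" in stripped:
                key, _, value = stripped.partition(":")
                permissions[key.strip()] = value.strip()
                continue
            in_perms = False  # dedent ends the block
        m = USES_RE.match(stripped)
        if m and not m.group(1).startswith("./"):  # local actions carry no ref
            actions.append((lineno, *m.group(1).rpartition("@")[::2]))
    for lineno, action, ref in actions:
        if not SHA_RE.match(ref):  # tags and branches can move; a SHA cannot
            findings.append(f"line {lineno}: {action or ref} uses floating ref '{ref}'")
        if action == "peter-evans/create-pull-request" and permissions.get("contents") != "write":
            findings.append(f"line {lineno}: create-pull-request needs contents: write")
    if not permissions:
        findings.append("no top-level permissions block; GITHUB_TOKEN gets the repo default")
    return findings, permissions
```

Running it on the sample reports both the floating `@v7` and the `contents: read` problem; after pinning the ref and widening `contents` to `write`, it reports nothing.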

dosubot (Bot) added the lgtm label (This PR has been approved by a maintainer) Apr 28, 2026
@steveiliop56 steveiliop56 merged commit d51e3ef into main Apr 28, 2026
2 checks passed