
Added commit SHAs instead of versions #2384


Merged: 5 commits, Mar 28, 2025

Conversation

samyak003 (Contributor)

Proposed change

Closes: #2343
Added commit SHAs instead of versions in workflow files.

Type of change

  • New country/market holidays support (thank you!)
  • Supported country/market holidays update (calendar discrepancy fix, localization)
  • Existing code/documentation/test/process quality improvement (best practice, cleanup, refactoring, optimization)
  • Dependency update (version deprecation/pin/upgrade)
  • Bugfix (non-breaking change which fixes an issue)
  • Breaking change (a code change causing existing functionality to break)
  • New feature (new holidays functionality in general)

Checklist


coderabbitai bot commented Mar 28, 2025

Summary by CodeRabbit

  • Chores

    • Updated multiple GitHub Actions workflows to use fixed commit references for improved stability and reliability.
  • Documentation

    • Enhanced the contribution guidelines by adding a section that requires the use of commit SHAs for all GitHub Actions updates.

Walkthrough

This pull request updates several GitHub Actions workflow files by replacing version tags with specific commit SHAs. The changes span multiple workflow files, updating actions such as checkout, setup-python, pre-commit, codeql, codecov, cache, upload/download artifact, labeler, sigstore, and create-pull-request. Additionally, the contributing guidelines are enhanced to mandate the use of commit SHAs for any new GitHub Actions.

Changes

File(s) | Change Summary
.github/workflows/ci-cd.yml, .github/workflows/update-snapshots.yml, .github/workflows/pre-commit-autoupdate.yml, .github/workflows/prl-labeler.yml | Updated all GitHub Actions references from version tags (e.g., v4, v5) to specific commit SHAs for actions including checkout, setup-python, pre-commit, codeql, codecov, cache, labeler, upload/download artifact, sigstore, and create-pull-request.
CONTRIBUTING.md | Added a new "GitHub Actions" section with guidelines that require using commit SHAs instead of version tags, including illustrative examples.

Assessment against linked issues

Objective Addressed Explanation
Pin GitHub actions to specific commit SHAs instead of versions (#2343)


@github-actions github-actions bot added the ci label Mar 28, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9b4a3bc and 4b1e2f2.

📒 Files selected for processing (5)
  • .github/workflows/ci-cd.yml (14 hunks)
  • .github/workflows/pre-commit-autoupdate.yml (3 hunks)
  • .github/workflows/prl-labeler.yml (1 hunks)
  • .github/workflows/update-snapshots.yml (2 hunks)
  • CONTRIBUTING.md (1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.17.2)
CONTRIBUTING.md
  • 110-110: Headings should be surrounded by blank lines (Expected: 1; Actual: 0; Below) (MD022, blanks-around-headings)
  • 111-111: Fenced code blocks should be surrounded by blank lines (MD031, blanks-around-fences)
  • 111-111: Fenced code blocks should have a language specified (MD040, fenced-code-language)
  • 117-117: Fenced code blocks should be surrounded by blank lines (MD031, blanks-around-fences)

🔇 Additional comments (25)
.github/workflows/prl-labeler.yml (1)

13-13: Updated Labeler Action to Commit SHA
Replacing the version tag with commit SHA 8558fd74291d67161a8a78ce36a881fa63b766a9 is clear and consistent with our new dependency guidelines.

.github/workflows/update-snapshots.yml (3)

19-19: Checkout Action Updated to Commit SHA
The change to use commit SHA 11bd71901bbe5b1630ceea73d27597364c9af683 for the checkout step helps stabilize the workflow.


22-22: Setup Python Action Now Uses a Fixed Commit SHA
Updating to commit SHA 8d9ed9ac5c53483de85588cdf95a591a75ab9f55 ensures that the Python environment setup is reproducible.


41-41: Create Pull Request Action Updated
Locking the version of peter-evans/create-pull-request to commit SHA 271a8d0340265f705b14b6d32b9829c1cb33d45e aligns well with our new dependency update strategy.

.github/workflows/pre-commit-autoupdate.yml (3)

20-22: Checkout and Setup-Python Actions Updated
The transitions for both actions/checkout (to SHA 11bd71901bbe5b1630ceea73d27597364c9af683) and actions/setup-python (to SHA 8d9ed9ac5c53483de85588cdf95a591a75ab9f55) ensure that the workflow remains locked to known good states.


32-32: Cache Action Updated to a Fixed Commit
Using commit SHA 5a3ec84eff668545956fd18022155c47e93e2684 for caching enhances reproducibility when working with pre-commit dependencies.


43-43: Pull Request Creation Action Aligned with Guidelines
The update to use commit SHA 271a8d0340265f705b14b6d32b9829c1cb33d45e keeps this workflow consistent with other files.

.github/workflows/ci-cd.yml (18)

38-39: Checkout Action in Pre-commit Job Updated
Using commit SHA 11bd71901bbe5b1630ceea73d27597364c9af683 for checking out the repository ensures a fixed code base state across workflow runs.


40-42: Setup Python Action in Pre-commit Job Updated
The updated actions/setup-python with commit SHA 8d9ed9ac5c53483de85588cdf95a591a75ab9f55 adds consistency across jobs while ensuring a reproducible Python environment.


47-47: Pre-commit Action Now Uses a Commit SHA
Locking the version of the pre-commit action (commit SHA 2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd) promotes stability in our automated checks.


58-58: Checkout in CodeQL Job Updated
The CodeQL job now uses the same fixed commit SHA for actions/checkout, reinforcing consistency across the workflows.


61-61: CodeQL Initialization Action Updated to Fixed SHA
Using commit SHA 70df9def86d22bf0ea4e7f8b956e7b92e7c1ea22 for initializing CodeQL ensures that the analysis is performed under repeatable conditions.


66-66: CodeQL Analyze Action Locked to Specific Commit
The update to commit SHA for the CodeQL analysis step helps maintain a known, stable state for security scanning.


88-88: Checkout Action in Test Job Updated
The test job now consistently uses the fixed commit SHA for checking out the repository, which enhances reproducibility.


92-92: Setup Python in Test Job Now Uses a Commit SHA
Updating to commit SHA 8d9ed9ac5c53483de85588cdf95a591a75ab9f55 ensures we have a reproducible Python environment during tests.


113-113: Codecov Upload Action Updated to a Commit SHA
Locking the codecov/codecov-action to commit SHA 0565863a31f2c772f9f0395002a31e3f06189574 improves the traceability of our coverage reports.


123-123: Checkout Action in Build Job Updated
Using the fixed commit SHA for checking out in the build job ensures consistency with earlier steps.


126-126: Setup Python in Build Job Updated
The update to commit SHA for the Python setup in the build job keeps our build environment consistent and reproducible.


178-178: Checkout Action in Test-Build Job Updated
The fixed commit SHA for repository checkout in the test-build job reinforces consistency with other parts of the CI/CD pipeline.


180-180: Setup Python in Test-Build Job Updated
Locking the setup Python action to the specified commit SHA ensures that the testing environment remains stable and predictable.


145-145: Upload Artifact Action in Build Job Updated
Using commit SHA ea165f8d65b6e75b540449e92b4886f43607fa02 for uploading artifacts helps lock down the behavior of this step.


277-277: Sigstore Action Updated to Commit SHA
The update to commit SHA f514d46b907ebcd5bedc05145c03b69c1edd8b46 for the Sigstore action strengthens our security posture by ensuring a known action state.


285-285: Upload Artifact in Sign-artifacts Job Updated
Using the fixed commit SHA for the upload action in the sign-artifacts job ensures reliable artifact handling.


298-298: Download Artifact Action in Release Update Job Updated
Locking the download-artifact action to commit SHA 95815c38cf2ff2164869cbab79da8d1f422bc89e promotes consistency for artifact retrieval during GitHub release updates.


303-303: Second Instance of Download Artifact Action Updated
Ensuring that both usages of the download-artifact action are fixed to commit SHA guarantees uniform behavior when updating GitHub releases.

codecov bot commented Mar 28, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (9b4a3bc) to head (60844b0).
Report is 1 commit behind head on dev.

Additional details and impacted files
@@            Coverage Diff            @@
##               dev     #2384   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          204       204           
  Lines        12999     12999           
  Branches      1861      1861           
=========================================
  Hits         12999     12999           


@samyak003 samyak003 requested a review from arkid15r March 28, 2025 02:48
@KJhellico (Collaborator)

I used the following script to check:

Script
#!/bin/bash
# Rewrites every `uses: <action>@<tag-or-branch>` line of a workflow file to
# `uses: <action>@<commit-sha>`, resolving refs through the GitHub API (gh + jq).

if [ -z "$1" ]; then
    echo "Usage: $0 <workflow.yml>"
    exit 1
fi

WORKFLOW_FILE="$1"

if [ ! -f "$WORKFLOW_FILE" ]; then
    echo "Error: $WORKFLOW_FILE not found!"
    exit 1
fi

# basename keeps a path argument such as .github/workflows/ci-cd.yml from
# producing a non-existent updated_.github/... output path
OUTPUT_FILE="updated_$(basename "$WORKFLOW_FILE")"
> "$OUTPUT_FILE"  # Clear the output file

while IFS= read -r line; do
    if [[ "$line" =~ uses:\ (.*)@(.*) ]]; then
        action="${BASH_REMATCH[1]}"
        ref="${BASH_REMATCH[2]}"

        # owner/repo only: sub-path actions such as github/codeql-action/init live in the same repo
        if [[ "$action" == *"/"* ]]; then
            repo=$(echo "$action" | cut -d'/' -f1,2)
        else
            repo="$action"
        fi

        # Look the ref up as a tag first, then fall back to a branch head
        response=$(gh api repos/${repo}/git/ref/tags/$ref 2>&1)

        if [[ $? -ne 0 ]]; then
            response=$(gh api repos/${repo}/git/refs/heads/${ref} 2>/dev/null)
        fi

        sha=$(echo "$response" | jq -r '.object.sha' 2>/dev/null)
        type=$(echo "$response" | jq -r '.object.type' 2>/dev/null)

        # An annotated tag points at a tag object, not a commit: dereference it once more
        if [ "$type" == "tag" ]; then
            response=$(gh api repos/${repo}/git/tags/$sha)
            sha=$(echo "$response" | jq -r '.object.sha' 2>/dev/null)
            type=$(echo "$response" | jq -r '.object.type' 2>/dev/null)
        fi

        if [ "$type" != "commit" ]; then
            echo "Error: no commit info for $action"
            sha=""
        fi

        if [ -n "$sha" ] && [ "$sha" != "null" ]; then
            line=$(echo "$line" | sed "s|$ref|$sha|")
            echo "Updated line: $line"
        else
            echo "Error: SHA not found for $action"
        fi
    fi

    # Unchanged lines (and lines that failed to resolve) are copied through as-is
    echo "$line" >> "$OUTPUT_FILE"

done < "$WORKFLOW_FILE"
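The Python below is an added example (not KJhellico's script and not vacanza/holidays code) that mirrors the lookup chain of the bash script above: try the ref as a tag, fall back to a branch head, and when the tag turns out to be an annotated tag, take the extra hop from the tag object to the commit it points at. The two GitHub git-data endpoints the script calls through `gh api` are replaced by `FakeGitRefsApi`, a constructed in-memory table, so it runs offline; every SHA, tag and workflow line in it is made up for illustration, and appending the original ref as a trailing `# v4` comment is this example's own choice.

```python
"""Resolve GitHub Actions refs (tags/branches) to commit SHAs, offline.

Added example mirroring the bash script in the PR thread; FakeGitRefsApi
stands in for `gh api repos/<owner>/<repo>/git/ref/...` and `.../git/tags/<sha>`.
"""
import re
from typing import List, Optional, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `  - uses: owner/repo[/path]@ref   # optional comment`
USES_RE = re.compile(
    r"^(?P<head>\s*-?\s*uses:\s*)(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)(?P<tail>\s*(?:#.*)?)$"
)

# Constructed SHAs; they are not commits of any real project.
TAG_OBJECT = "1111111111111111111111111111111111111111"
CHECKOUT_V4 = "2222222222222222222222222222222222222222"
SETUP_PY_V5 = "3333333333333333333333333333333333333333"
MAIN_HEAD = "4444444444444444444444444444444444444444"


class FakeGitRefsApi:
    """Constructed stand-in for the git-data endpoints; unknown paths raise
    LookupError, the way `gh api` exits non-zero on a 404."""

    def __init__(self) -> None:
        self.refs = {
            "actions/checkout": {
                # v4 is an *annotated* tag: the ref resolves to a tag object
                "tags/v4": {"type": "tag", "sha": TAG_OBJECT},
                "heads/main": {"type": "commit", "sha": MAIN_HEAD},
            },
            "actions/setup-python": {
                # v5 is a lightweight tag: the ref points straight at a commit
                "tags/v5": {"type": "commit", "sha": SETUP_PY_V5},
            },
        }
        # repos/<repo>/git/tags/<tag-object-sha> -> the commit the tag annotates
        self.tag_objects = {"actions/checkout": {TAG_OBJECT: {"type": "commit", "sha": CHECKOUT_V4}}}

    def get_ref(self, repo: str, ref: str) -> dict:
        try:
            return self.refs[repo][ref]
        except KeyError:
            raise LookupError(f"404 Not Found: repos/{repo}/git/ref/{ref}") from None

    def get_tag(self, repo: str, sha: str) -> dict:
        try:
            return self.tag_objects[repo][sha]
        except KeyError:
            raise LookupError(f"404 Not Found: repos/{repo}/git/tags/{sha}") from None


def resolve_ref(api: FakeGitRefsApi, repo: str, ref: str) -> Optional[str]:
    """Return the commit SHA behind a tag or branch name, or None if unresolvable."""
    obj = None
    for path in (f"tags/{ref}", f"heads/{ref}"):  # tag first, then branch head
        try:
            obj = api.get_ref(repo, path)
            break
        except LookupError:
            continue
    if obj is None:
        return None
    if obj["type"] == "tag":  # annotated tag: one more hop to reach the commit
        try:
            obj = api.get_tag(repo, obj["sha"])
        except LookupError:
            return None
    if obj["type"] != "commit" or not SHA_RE.match(obj["sha"]):
        return None
    return obj["sha"]


def pin_line(api: FakeGitRefsApi, line: str) -> Tuple[str, Optional[str]]:
    """Rewrite one `uses:` line to a commit SHA; returns (new_line, error_or_None)."""
    m = USES_RE.match(line)
    if not m:
        return line, None  # not an action reference; pass through unchanged
    action, ref, tail = m["action"], m["ref"], m["tail"]
    if SHA_RE.match(ref):
        return line, None  # already pinned
    repo = "/".join(action.split("/")[:2])  # owner/repo; drops sub-paths like /init
    sha = resolve_ref(api, repo, ref)
    if sha is None:
        return line, f"SHA not found for {action}@{ref}"
    comment = tail if tail.strip() else f"  # {ref}"  # keep existing comment, else record the ref
    return f"{m['head']}{action}@{sha}{comment}", None


def pin_workflow(api: FakeGitRefsApi, text: str) -> Tuple[str, List[str]]:
    """Pin every `uses:` line; unresolved refs are reported and left unchanged."""
    out, errors = [], []
    for line in text.splitlines():
        new_line, err = pin_line(api, line)
        out.append(new_line)
        if err:
            errors.append(err)
    return "\n".join(out) + "\n", errors


# Constructed workflow fragment used as sample input.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: actions/checkout@main
      - uses: github/codeql-action/init@v3
"""

if __name__ == "__main__":
    pinned, errs = pin_workflow(FakeGitRefsApi(), SAMPLE_WORKFLOW)
    print(pinned)
    for err in errs:
        print("Error:", err)
```

Swapping `FakeGitRefsApi` for a thin wrapper around `gh api` gives the same control flow as the bash script; the point of keeping the annotated-tag hop explicit is that `git/ref/tags/<tag>` returns the tag object's SHA for annotated tags, and pinning to that SHA instead of the commit would make the action unusable.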

@arkid15r (Collaborator)


@coderabbitai can you verify the PR migration to SHA commits using either @KJhellico's script or similar code of your own?


coderabbitai bot commented Mar 28, 2025


🧩 Analysis chain

@arkid15r I've run a verification script to check if all GitHub Actions in the workflow files have been properly migrated from version tags to commit SHAs. The script examines each workflow file in the .github/workflows/ directory and checks if all GitHub Action references use 40-character hexadecimal commit SHAs instead of version tags.

The results will show whether the PR has successfully completed the migration as intended for issue #2343.


🏁 Script executed:

#!/bin/bash

# Find all workflow files in the .github/workflows directory
workflow_files=$(find .github/workflows -name "*.yml")

echo "Checking workflow files for GitHub Action references..."
echo ""

# Function to check if a string is a SHA commit (40-character hexadecimal string)
is_commit_sha() {
  [[ $1 =~ ^[0-9a-f]{40}$ ]]
}

# Flag to track if all references use commit SHAs
all_using_commit_shas=true

# Check each workflow file
for file in $workflow_files; do
  echo "Examining file: $file"
  
  # Find all GitHub Action references (uses: xxx@yyy)
  while IFS= read -r line; do
    if [[ $line =~ uses:[[:space:]]+(.*)/(.*)@(.*) ]]; then
      action="${BASH_REMATCH[1]}/${BASH_REMATCH[2]}"
      ref="${BASH_REMATCH[3]}"
      
      echo "  Action: $action@$ref"
      
      # Check if the reference is a commit SHA
      if is_commit_sha "$ref"; then
        echo "    ✅ Using commit SHA"
      else
        echo "    ❌ Not using commit SHA: $ref"
        all_using_commit_shas=false
      fi
    fi
  done < "$file"
  
  echo ""
done

# Summary
if $all_using_commit_shas; then
  echo "✅ VERIFICATION SUCCESSFUL: All GitHub Action references use commit SHAs"
else
  echo "❌ VERIFICATION FAILED: Some GitHub Action references are not using commit SHAs"
fi

Length of output: 54912


@arkid15r I've verified the migration to commit SHAs and can confirm that all GitHub Actions references have been successfully updated. The verification script examined all workflow files in the `.github/workflows/` directory and found that every single GitHub Action reference now uses a 40-character hexadecimal commit SHA instead of version tags.

The migration is complete and consistent across all workflow files:

  • ci-cd.yml
  • pre-commit-autoupdate.yml
  • prl-labeler.yml
  • update-snapshots.yml

This successfully addresses the requirements in issue #2343 for pinning GitHub Actions to specific commit SHAs instead of version tags.

Code Analysis Tools

Tool Analysis Results

CodeRabbit ran static analysis tools on your files and found the following:

No specific issues were found in your files. You can proceed with your changes.

arkid15r and others added 3 commits March 28, 2025 11:35
Co-authored-by: ~Jhellico <KJhellico@users.noreply.github.com>
Signed-off-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
Co-authored-by: ~Jhellico <KJhellico@users.noreply.github.com>
Signed-off-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>

@arkid15r arkid15r requested a review from KJhellico March 28, 2025 18:49

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
CONTRIBUTING.md (1)

106-123: 🧹 Nitpick (assertive)

Enhance Markdown Formatting in the New GitHub Actions Section
The new "GitHub Actions" section clearly communicates the updated guidelines. For improved markdown compliance and readability, please consider adding blank lines before and after headings if not already present. The fenced code blocks look good with the language specified.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9f47b0b and 60844b0.

📒 Files selected for processing (2)
  • .github/workflows/ci-cd.yml (14 hunks)
  • CONTRIBUTING.md (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: arkid15r
PR: vacanza/holidays#2384
File: .github/workflows/ci-cd.yml:66-66
Timestamp: 2025-03-28T18:28:33.584Z
Learning: When replacing GitHub Actions version tags with commit SHAs, always ensure the SHA corresponds to the latest released version of that action, not an arbitrary or outdated commit. Check the GitHub repository releases page to verify the correct SHA.
⏰ Context from checks skipped due to timeout of 300000ms (1)
  • GitHub Check: Test build on windows-latest
🔇 Additional comments (3)
.github/workflows/ci-cd.yml (3)

38-47: Consistent Use of Commit SHA for Checkout and Pre-commit Actions
The pre-commit job correctly uses the specific commit SHA for both actions/checkout and actions/setup-python, as well as for the pre-commit/action. This consistency supports the overall goal of pinning dependencies to fixed, verifiable commits.


57-69: Verification Requested: CodeQL Action Commit SHA
The CodeQL job uses github/codeql-action/init and github/codeql-action/analyze with commit SHA 1b549b9259bda1cb5ddde3b41741a82a2d15a841. Please verify that these SHAs correspond to the latest stable release versions for the CodeQL actions to ensure optimal security and functionality.


32-314: Overall Workflow Consistency and Alignment
Across the CI/CD workflow file, the use of fixed commit SHAs for actions like actions/checkout, actions/setup-python, and others is consistent and in line with the new contributing guidelines. With the exception of the Codecov and PyPI publish actions that need updating, the changes enhance reliability and traceability in the workflow.
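The script below is an added example (not vacanza/holidays code and not CodeRabbit's verification script) that turns the two checks raised in this thread into one audit: the verification that every `uses:` ref is a 40-character commit SHA, and the learning recorded above that the SHA should be the commit of the action's latest released version rather than an arbitrary or outdated one. It also flags the drift where a trailing `# vX.Y.Z` comment no longer matches the SHA beside it. `RELEASES`, the `audit_*` functions and all SHAs are constructed assumptions; in practice the table would be filled from the action's releases page or API.

```python
"""Audit pinned GitHub Actions refs against a release table (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `  - uses: owner/repo[/path]@ref   # v4.2.2`  (comment optional)
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<note>\S+).*)?$"
)

# Constructed SHAs and release table (newest release first); not real commits.
CHECKOUT_LATEST = "5555555555555555555555555555555555555555"
CHECKOUT_OLD = "6666666666666666666666666666666666666666"
SETUP_PY_LATEST = "7777777777777777777777777777777777777777"
UNKNOWN_SHA = "9" * 40  # well-formed, but no release points at it
RELEASES: Dict[str, List[Tuple[str, str]]] = {
    "actions/checkout": [("v4.2.2", CHECKOUT_LATEST), ("v4.1.0", CHECKOUT_OLD)],
    "actions/setup-python": [("v5.4.0", SETUP_PY_LATEST)],
}


class Finding(NamedTuple):
    action: str
    ref: str
    status: str  # ok | not-a-sha | unknown-sha | comment-mismatch | outdated
    detail: str


def audit_line(line: str, releases=RELEASES) -> Optional[Finding]:
    """Classify one `uses:` line; returns None for lines that are not action refs."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref, note = m["action"], m["ref"], m["note"]
    repo = "/".join(action.split("/")[:2])  # owner/repo; sub-path actions share it
    if not SHA_RE.match(ref):
        return Finding(action, ref, "not-a-sha", "mutable tag or branch; pin to a commit SHA")
    table = releases.get(repo)
    if table is None:
        return Finding(action, ref, "unknown-sha", f"no release data for {repo}")
    tag = next((t for t, s in table if s == ref), None)
    if tag is None:
        return Finding(action, ref, "unknown-sha", f"SHA is not a release commit of {repo}")
    # A comment may name the exact tag (v4.2.2) or just its major line (v4)
    if note and not (tag == note or tag.startswith(note + ".")):
        return Finding(action, ref, "comment-mismatch", f"comment says {note}, SHA is {tag}")
    latest_tag, latest_sha = table[0]
    if ref != latest_sha:
        return Finding(action, ref, "outdated", f"pinned {tag}, latest release is {latest_tag}")
    return Finding(action, ref, "ok", f"pinned to {tag} (latest)")


def audit_workflow(text: str, releases=RELEASES) -> List[Finding]:
    """Run audit_line over every line of a workflow and keep the action findings."""
    return [f for f in (audit_line(ln, releases) for ln in text.splitlines()) if f]


def all_pinned_to_latest(findings: List[Finding]) -> bool:
    return all(f.status == "ok" for f in findings)


# Constructed workflow fragment exercising every status once.
SAMPLE_WORKFLOW = f"""\
steps:
  - uses: actions/checkout@{CHECKOUT_LATEST}  # v4.2.2
  - uses: actions/setup-python@{SETUP_PY_LATEST}  # v5
  - uses: actions/checkout@{CHECKOUT_OLD}  # v4.1.0
  - uses: actions/checkout@{CHECKOUT_OLD}  # v4.2.2
  - uses: actions/cache@v4
  - uses: actions/checkout@{UNKNOWN_SHA}
"""

if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"{f.status:16} {f.action}@{f.ref[:12]}  {f.detail}")
    print("all pinned to latest:", all_pinned_to_latest(results))
```

Only the `ok` rows satisfy the guideline as the thread states it; `unknown-sha` is the case a plain 40-hex check cannot catch, because a well-formed SHA that no release points at is still a pin, just not to anything the action's maintainers shipped.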

@arkid15r arkid15r enabled auto-merge March 28, 2025 18:58
@arkid15r arkid15r added this pull request to the merge queue Mar 28, 2025
Merged via the queue into vacanza:dev with commit 8a486bf Mar 28, 2025
33 checks passed
@arkid15r arkid15r mentioned this pull request Apr 7, 2025
Successfully merging this pull request may close these issues.

Pin GitHub actions to specific commit SHAs instead of versions