Skip to content

ci: pin GitHub Actions to full-length commit SHAs #101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
maxandersen merged 1 commit into from
May 19, 2026
Merged

ci: pin GitHub Actions to full-length commit SHAs #101

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions .github/workflows/CI.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,14 @@ jobs:
os: [windows-latest, macOS-latest, ubuntu-latest]

steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
- name: Set up JDK 21
uses: actions/setup-java@v5
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify actions/setup-java SHA corresponds to v5

echo "Checking actions/setup-java SHA..."
gh api repos/actions/setup-java/commits/be666c2fcd27ec809703dec50e508c2fdc7f6654 --jq '{sha: .sha, message: .commit.message}' || echo "SHA not found"

echo -e "\nChecking v5 tag..."
gh api repos/actions/setup-java/git/ref/tags/v5 --jq '.object.sha' || echo "v5 tag not found"

Repository: jbangdev/jbang-eclipse

Length of output: 348

The SHA pin corresponds to a v6 commit, not v5.

The SHA be666c2fcd27ec809703dec50e508c2fdc7f6654 is tagged as v5 in the actions/setup-java repository, but its commit message explicitly states "Chore: Version Update and Checkout Update to v6 (#973)". Either the tag is incorrect, the comment should reference v6, or the pinned commit should be updated to the actual v5 release commit.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/CI.yml at line 15, The workflow pins actions/setup-java to
the commit SHA be666c2fcd27ec809703dec50e508c2fdc7f6654 which is actually a v6
update despite the comment saying v5; fix by making the pin and comment
consistent: either update the action reference to the v6 tag (e.g.,
actions/setup-java@v6 or the correct v6 SHA) or replace the SHA with the true v5
release commit and adjust the comment, ensuring the
actions/setup-java@be666c2f... reference and its accompanying comment both match
the intended major version.

with:
java-version: '21'
distribution: 'temurin'
- name: Cache local Maven repository
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
~/.m2/repository
Expand All @@ -29,15 +29,15 @@ jobs:
run: ./mvnw --batch-mode --update-snapshots verify -Pflat-repo

- name: Upload p2 update site
uses: actions/upload-artifact@v5
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
if: runner.os == 'Linux'
with:
name: jbang.eclipse
path: dev.jbang.eclipse.site/target/repository/*

- name: Deploy p2 update site
if: github.ref == 'refs/heads/main' && runner.os == 'Linux'
uses: marvinpinto/action-automatic-releases@latest
uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1 # latest
with:
repo_token: "${{secrets.GITHUB_TOKEN}}"
automatic_release_tag: "latest"
Expand All @@ -46,7 +46,7 @@ jobs:
files: |
dev.jbang.eclipse.site/target/flat-repository/*
- name: Upload code coverage
uses: codecov/codecov-action@v5-beta
uses: codecov/codecov-action@bb7467c2bce05781760a0964d48e35e96ee59505 # v5-beta
if: runner.os == 'Linux'
with:
files: ./coverage/target/site/jacoco-aggregate/jacoco.xml
Expand Down
Loading