Fix github action version by hash #38
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
Pull Request Overview
This PR updates the GitHub Actions workflow files to use commit hashes instead of simple version tags for improved security and reproducibility. The key changes include:
- Updating the branch-names, checkout, and ruby/setup-ruby actions in test workflows.
- Pinning commit hashes for actions/checkout, ruby/setup-ruby, and rubygems/release-gem in the release workflow.
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/test.yml | Updated commit hashes for tj-actions/branch-names, actions/checkout, ruby/setup-ruby, and codeclimate-action to reflect secure, pinned versions. |
| .github/workflows/release-gem.yml | Updated commit hashes for actions/checkout, ruby/setup-ruby, and rubygems/release-gem for consistent version pinning. |
Comments suppressed due to low confidence (9)
.github/workflows/test.yml:27
- [nitpick] Confirm that the commit hash for tj-actions/branch-names accurately reflects the intended v7.0.7 release; consider adding a link or note to the source commit for clarity.
uses: tj-actions/branch-names@6c999acf206f5561e19f46301bb310e9e70d8815 # v7.0.7
.github/workflows/test.yml:60
- [nitpick] Verify that the commit hash for actions/checkout correctly corresponds to v3.6.0; adding a reference to the commit source could improve future traceability.
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
.github/workflows/test.yml:63
- [nitpick] Ensure the pinned commit hash for ruby/setup-ruby reflects the correct v1.243.0 release; consider including a comment with a reference URL for clarity.
uses: ruby/setup-ruby@c95ae3725f6ebdd095f2bd19caed7ebc14435ba5 # v1.243.0
.github/workflows/test.yml:47
- [nitpick] Confirm that the commit hash for paambaati/codeclimate-action is correctly pinned to the intended v2.7.5 release and consider adding a link to the commit details.
uses: paambaati/codeclimate-action@7bcf9e73c0ee77d178e72c0ec69f1a99c1afc1f3 # v2.7.5
.github/workflows/test.yml:60
- [nitpick] Verify that the commit hash for actions/checkout remains accurate for v3.6.0 in this context as well; a cross-reference comment might be helpful.
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
.github/workflows/test.yml:63
- [nitpick] Double-check that the commit hash for ruby/setup-ruby is properly aligned with the intended v1.243.0 release; adding additional commit context may aid future maintenance.
uses: ruby/setup-ruby@c95ae3725f6ebdd095f2bd19caed7ebc14435ba5 # v1.243.0
.github/workflows/release-gem.yml:16
- [nitpick] Ensure the commit hash for actions/checkout accurately represents v4.2.2; consider adding a link to the commit for easier verification.
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
.github/workflows/release-gem.yml:18
- [nitpick] Confirm that the commit hash for ruby/setup-ruby is correct for the intended v1.243.0 release and consider documenting the commit source.
uses: ruby/setup-ruby@c95ae3725f6ebdd095f2bd19caed7ebc14435ba5 # v1.243.0
.github/workflows/release-gem.yml:25
- [nitpick] Verify that the commit hash for rubygems/release-gem matches the desired v1.1.1 release; adding a reference to the commit details may improve transparency.
uses: rubygems/release-gem@a25424ba2ba8b387abc8ef40807c2c85b96cbe32 # v1.1.1
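An added example, not code from this pull request or the project: a Ruby script that checks workflow text offline for `uses:` references that are not a 40-character commit SHA, and for one action and version comment mapped to different SHAs in different files. The file names, `example-org/example-action`, the all-zero SHA and all function names are constructed for the illustration; the two real SHAs are the ones quoted in the review above.

```ruby
USES_RE = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)["']?\s*(?:#\s*(\S+))?/
SHA_RE  = /\A[0-9a-f]{40}\z/
Ref = Struct.new(:file, :line, :action, :ref, :label, :status)

# Classify every `uses:` line in one workflow file's text.
def scan_workflow(file, text)
  text.each_line.with_index(1).filter_map do |line, no|
    m = USES_RE.match(line)
    next unless m
    target, label = m[1], m[2]
    next if target.start_with?('./', 'docker://') # local action or image, not a git ref
    action, ref = target.split('@', 2)
    status = if ref.nil? then :no_ref
             elsif !ref.match?(SHA_RE) then :mutable_ref # tag or branch can be moved
             elsif label then :pinned
             else :pinned_unlabelled # SHA without a version comment
             end
    Ref.new(file, no, action, ref, label, status)
  end
end

# One action with one version comment must resolve to one SHA in every file.
def label_conflicts(refs)
  refs.select { |r| r.status == :pinned }
      .group_by { |r| [r.action, r.label] }
      .transform_values { |rs| rs.map(&:ref).uniq }
      .select { |_key, shas| shas.size > 1 }
end

def audit(files)
  refs = files.flat_map { |name, text| scan_workflow(name, text) }
  { unpinned: refs.reject { |r| r.status.to_s.start_with?('pinned') },
    conflicts: label_conflicts(refs) }
end

FAKE_SHA = '0' * 40 # constructed placeholder, not a real commit
# Constructed sample: file names, example-org and FAKE_SHA are made up.
SAMPLE = {
  'ci.yml' => <<~YAML,
    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
    - uses: ruby/setup-ruby@c95ae3725f6ebdd095f2bd19caed7ebc14435ba5 # v1.243.0
    - uses: example-org/example-action@v1
  YAML
  'release.yml' => <<~YAML
    - uses: ruby/setup-ruby@#{FAKE_SHA} # v1.243.0
    - uses: ./.github/actions/local
  YAML
}.freeze
pp audit(SAMPLE)
```

The script only checks form and internal consistency; confirming that a SHA is the commit a given tag points to still needs a lookup against the action's own repository.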
a5118e4 to 04bc8fd
50c47d4 to e7348ca
graphql-kaminari_connection.gemspec
Outdated
| spec.add_development_dependency 'appraisal', '~> 2.5' | ||
| spec.add_development_dependency 'bundler', '~> 2.2' | ||
| spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0' | ||
| spec.add_development_dependency 'concurrent-ruby', '< 1.3.5' |
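Review bot: the `concurrent-ruby` `< 1.3.5` upper bound on the last line of this hunk carries no comment saying what breaks at 1.3.5 or when the cap can be lifted, and the pull request overview describes only changes to the two workflow files. If the cap is needed, it is easier to review as its own change with the reason stated next to the line; otherwise drop it from this PR.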
Why was this version constraint added?
I made a mistake
I removed the unrelated commits
e7348ca to db2a973
db2a973 to 12c1d65
What
Close #41
Refs