Skip to content

ci: pin workflow actions and limit push runs#35

Merged
Yusuke4869 merged 2 commits into
mainfrom
ci/pin-workflow-actions
Jun 16, 2026
Merged

ci: pin workflow actions and limit push runs#35
Yusuke4869 merged 2 commits into
mainfrom
ci/pin-workflow-actions

Conversation

@Yusuke4869

@Yusuke4869 Yusuke4869 commented Jun 16, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • Chores
    • CI ワークフローのトリガーを、より厳密に指定するよう更新しました(main への push と pull_request を明示)。
    • 継続的統合で使用するアクションのバージョンを固定し、安定した実行環境を確保するよう更新しました。

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f55fe3c3-814d-4891-9dd7-750b7ace1f0e

📥 Commits

Reviewing files that changed from the base of the PR and between fe2dacd and 7cc120e.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/ci.yml

📝 Walkthrough

Walkthrough

GitHub Actions CIワークフローのトリガーを on: [push, pull_request] から pushmain ブランチ限定・pull_request は明示指定に変更。actions/checkoutdenoland/setup-deno のバージョン指定をタグからコミットハッシュ固定に更新。

Changes

CI設定の更新

Layer / File(s) Summary
CIトリガーとアクションバージョンの更新
.github/workflows/ci.yml
on トリガーの pushmain ブランチのみに限定し、pull_request を明示的に設定。actions/checkout および denoland/setup-denouses 指定をタグ(@v6/@v2)からコミットハッシュへ変更。

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 ウサギがコードのうさぎ道を走る、
ブランチは main だけに絞って、
ハッシュで固めた安全な扉、
タグよりも確かなコミットの印。
ぴょんぴょん跳ねて、CIも安心! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed プルリクエストのタイトルは、変更内容の主要な2つの側面(ワークフローアクションのピン留めとpushランの制限)を簡潔に説明しており、実際の変更内容と完全に一致しています。
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/pin-workflow-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

17-19: Deno 本体のバージョンを固定してCI再現性を担保してください。

Line 19 の deno-version: latest のままでは、日によって CI 結果が変わる可能性があります。Action SHA 固定と同様に、Deno 実行環境も特定のバージョン(例:v2.1.x)や SemVer 範囲指定に変更することで、CI の再現性と安定性が向上します。

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 17 - 19, The deno-version parameter in
the setup-deno action is set to "latest" which causes non-deterministic CI
behavior as different versions may be used on different run dates. Change the
deno-version value from "latest" to a specific pinned version (such as "v2.1.x"
or another appropriate SemVer constraint) to ensure consistent and reproducible
CI results across all workflow runs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 13-14: The actions/checkout action on line 14 is not explicitly
disabling credential persistence, which leaves the GITHUB_TOKEN accessible in
the Git configuration for subsequent steps and artifacts. Add the
`persist-credentials: false` parameter to the checkout action to prevent the
GITHUB_TOKEN from being stored in the Git configuration, reducing the security
exposure surface.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 17-19: The deno-version parameter in the setup-deno action is set
to "latest" which causes non-deterministic CI behavior as different versions may
be used on different run dates. Change the deno-version value from "latest" to a
specific pinned version (such as "v2.1.x" or another appropriate SemVer
constraint) to ensure consistent and reproducible CI results across all workflow
runs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b8a703dd-60da-49ec-93d0-c2d24d616357

📥 Commits

Reviewing files that changed from the base of the PR and between f715d1f and fe2dacd.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📜 Review details
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml

[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🔇 Additional comments (1)
.github/workflows/ci.yml (1)

2-6: LGTM!

Also applies to: 17-17

Comment thread .github/workflows/ci.yml
@Yusuke4869 Yusuke4869 merged commit 4cfce8a into main Jun 16, 2026
5 checks passed
@Yusuke4869 Yusuke4869 deleted the ci/pin-workflow-actions branch June 16, 2026 05:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant