ci: pin workflow actions and limit push runs#35
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughWalkthroughGitHub Actions CIワークフローのトリガーを ChangesCI設定の更新
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
17-19: Deno 本体のバージョンを固定してCI再現性を担保してください。Line 19 の
deno-version: latestのままでは、日によって CI 結果が変わる可能性があります。Action SHA 固定と同様に、Deno 実行環境も特定のバージョン(例:v2.1.x)や SemVer 範囲指定に変更することで、CI の再現性と安定性が向上します。🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 17 - 19, The deno-version parameter in the setup-deno action is set to "latest" which causes non-deterministic CI behavior as different versions may be used on different run dates. Change the deno-version value from "latest" to a specific pinned version (such as "v2.1.x" or another appropriate SemVer constraint) to ensure consistent and reproducible CI results across all workflow runs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Around line 13-14: The actions/checkout action on line 14 is not explicitly
disabling credential persistence, which leaves the GITHUB_TOKEN accessible in
the Git configuration for subsequent steps and artifacts. Add the
`persist-credentials: false` parameter to the checkout action to prevent the
GITHUB_TOKEN from being stored in the Git configuration, reducing the security
exposure surface.
---
Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 17-19: The deno-version parameter in the setup-deno action is set
to "latest" which causes non-deterministic CI behavior as different versions may
be used on different run dates. Change the deno-version value from "latest" to a
specific pinned version (such as "v2.1.x" or another appropriate SemVer
constraint) to ensure consistent and reproducible CI results across all workflow
runs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: b8a703dd-60da-49ec-93d0-c2d24d616357
📒 Files selected for processing (1)
.github/workflows/ci.yml
📜 Review details
🧰 Additional context used
🪛 zizmor (1.25.2)
.github/workflows/ci.yml
[warning] 13-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🔇 Additional comments (1)
.github/workflows/ci.yml (1)
2-6: LGTM!Also applies to: 17-17
Summary by CodeRabbit