
Conversation

@wennergr (Contributor) commented Sep 24, 2025

Pin GitHub actions to their SHA to reduce the risk of supply chain attacks.

The tool pinact was used to create this diff

Summary by CodeRabbit

  • New Features
    • Added a new GitHub slash command: gh-ci-fix.
  • Documentation
    • Updated contributing guide with guidance on SHA-pinning GitHub Actions, including a recommended tool and example.
  • Chores
    • Pinned all GitHub Actions across CI workflows to specific commit SHAs for improved reliability and security.
    • Standardized action versions for checkout, Python/Poetry setup, artifact handling, release drafting, semantic PR checks, and publishing.
    • Minor workflow tweak: simplified a condition for a success comment step in one workflow.

Important

Auto-merge enabled.

This PR is set to merge automatically when all requirements are met.


👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@wennergr/pin-shas' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@wennergr/pin-shas'

Helpful Resources

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

  • /fix-pr - Fixes most formatting and linting issues
  • /poetry-lock - Updates poetry.lock file
  • /test-pr - Runs tests with the updated PyAirbyte

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.


coderabbitai bot (Contributor) commented Sep 24, 2025

Walkthrough

Most GitHub Actions workflows pin external actions from version tags to specific commit SHAs. One workflow adds a new slash command. Another adjusts a conditional for a success comment. Documentation adds guidance on SHA-pinning and a CLI example.

Changes

Workflow pinning to SHAs
  Files: .github/workflows/actionlint.yml, .github/workflows/auto_merge_notification.yml, .github/workflows/autofix.yml, .github/workflows/fix-pr-command.yml, .github/workflows/pydoc_preview.yml, .github/workflows/pydoc_publish.yml, .github/workflows/pypi_publish.yml, .github/workflows/python_lint.yml, .github/workflows/python_pytest.yml, .github/workflows/release_drafter.yml, .github/workflows/semantic_pr_check.yml, .github/workflows/test-pr-command.yml, .github/workflows/welcome-message.yml
  Summary: Replace action version tags with pinned commit SHAs; add inline comments noting the original tags. No logic changes.

Slash command update
  Files: .github/workflows/slash_command_dispatch.yml
  Summary: Pin actions to SHAs and add the new slash command gh-ci-fix.

Poetry lock condition tweak
  Files: .github/workflows/poetry-lock-command.yml
  Summary: Pin actions to SHAs and simplify a condition: the "Append success comment (no-op)" step now checks only git-diff.

Docs: Action pinning
  Files: docs/CONTRIBUTING.md
  Summary: Add a "GitHub Action Workflows" section explaining SHA-pinning, recommend pinact, and include a minimal CLI example.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User as Maintainer
  participant GH as GitHub
  participant WF as Workflow: slash_command_dispatch.yml
  participant Bot as Comment Action

  User->>GH: Comment "/gh-ci-fix"
  GH-->>WF: Trigger workflow (issue_comment)
  rect rgba(220,240,255,0.5)
    note right of WF: New command handling
    WF->>WF: Parse slash command list (incl. gh-ci-fix)
    WF->>Bot: create-or-update-comment (pinned SHA)
  end
  Bot-->>GH: Post acknowledgement/status
sequenceDiagram
  autonumber
  participant GH as GitHub
  participant WF as Workflow: poetry-lock-command.yml

  GH-->>WF: Trigger workflow
  WF->>WF: Run steps (checkout, setup, lock, diff)
  alt git-diff == "true"
    WF->>GH: Append success comment (no-op) [condition simplified]
  else git-diff == "false"
    WF->>GH: Append alternative comment/skip
  end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks

Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: Passed. The title succinctly captures the main change of the pull request by indicating that GitHub Actions are being pinned to specific SHAs. This aligns directly with the PR's objective of improving security and determinism through commit-based pinning. It follows the conventional commit format and avoids extraneous details, making it clear and focused.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f87ad5 and 8495a2e.

📒 Files selected for processing (1)
  • docs/CONTRIBUTING.md (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/CONTRIBUTING.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Pytest (All, Python 3.10, Windows)
  • GitHub Check: Pytest (All, Python 3.11, Ubuntu)
  • GitHub Check: Pytest (All, Python 3.11, Windows)
  • GitHub Check: Pytest (All, Python 3.10, Ubuntu)
  • GitHub Check: Pytest (No Creds)
  • GitHub Check: Pytest (Fast)


@coderabbitai bot (Contributor) left a review comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/python_pytest.yml (1)

29-29: Outstanding security overhaul across all test workflows! 🚀

This is a comprehensive implementation of SHA pinning across all three pytest jobs and the dependency analysis job. The main trade-off is the manual effort required to periodically update pinned SHAs to incorporate bug fixes and security updates, but that's where automation tools like Dependabot can help.

One small observation - there are duplicate "Set up Poetry" steps in some jobs (lines 31 and 39 in pytest-fast, lines 96 and 104 in pytest-no-creds). Is this intentional or would you like to clean that up, wdyt?

Also applies to: 31-31, 35-35, 39-39, 66-66, 73-73, 79-79, 94-94, 96-96, 100-100, 104-104, 133-133, 140-140, 172-172, 174-174, 178-178, 218-218, 225-225, 231-231, 245-245, 247-247, 251-251

.github/workflows/autofix.yml (1)

16-16: Excellent security improvement with SHA pinning! 🔐

This change pins Actions to specific commit SHAs and preserves the original tags in comments for maintainability.

Consider automating SHA updates on Dependabot PRs—e.g. add a workflow (using gha-update or dependabot-sha-comment-action) that resolves action tags to their commit SHAs and commits the change back. Would you like a ready GitHub Actions workflow example or a step-by-step config? wdyt?

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b341de and 362a8ec.

📒 Files selected for processing (15)
  • .github/workflows/actionlint.yml (1 hunks)
  • .github/workflows/auto_merge_notification.yml (2 hunks)
  • .github/workflows/autofix.yml (2 hunks)
  • .github/workflows/fix-pr-command.yml (5 hunks)
  • .github/workflows/poetry-lock-command.yml (6 hunks)
  • .github/workflows/pydoc_preview.yml (2 hunks)
  • .github/workflows/pydoc_publish.yml (2 hunks)
  • .github/workflows/pypi_publish.yml (3 hunks)
  • .github/workflows/python_lint.yml (3 hunks)
  • .github/workflows/python_pytest.yml (7 hunks)
  • .github/workflows/release_drafter.yml (1 hunks)
  • .github/workflows/semantic_pr_check.yml (2 hunks)
  • .github/workflows/slash_command_dispatch.yml (3 hunks)
  • .github/workflows/test-pr-command.yml (9 hunks)
  • .github/workflows/welcome-message.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Pytest (All, Python 3.11, Windows)
  • GitHub Check: Pytest (Fast)
  • GitHub Check: Pytest (All, Python 3.11, Ubuntu)
  • GitHub Check: Pytest (All, Python 3.10, Ubuntu)
  • GitHub Check: Pytest (All, Python 3.10, Windows)
  • GitHub Check: Pytest (No Creds)
🔇 Additional comments (13)
.github/workflows/actionlint.yml (1)

18-18: Great job on implementing SHA pinning for security hardening! 🛡️

These changes follow GitHub's recommendation to pin dependency versions to specific commit SHAs, which will prevent malicious code added to new or updated branches/tags from being automatically used. The inline version comments make it easy to track what versions these SHAs correspond to.

Also applies to: 20-20

.github/workflows/release_drafter.yml (1)

22-22: Perfect implementation of SHA pinning! ✅

This properly pins the action to a full-length commit SHA, which is currently the only way to use an action as an immutable release. The inline comment preserving the original version tag (v6.1.0) is excellent for future reference.

.github/workflows/welcome-message.yml (1)

30-30: Solid security enhancement across all actions! 🔒

All four actions have been properly pinned to their commit SHAs with clear version comments. This small change yields enormous security benefits by guaranteeing that only the code you've approved ever runs in your CI, closing the door on tag-tampering attacks.

Also applies to: 34-34, 38-38, 47-47

.github/workflows/pydoc_preview.yml (1)

18-18: Excellent work implementing comprehensive SHA pinning! 🎯

All four actions are now properly secured with commit SHA pinning. This protects against scenarios where attackers gain access to action publisher accounts and update Git tags to point to malicious commits - like the March 2025 attack on tj-actions/changed-files that affected over 23,000 repositories.

Also applies to: 20-20, 24-24, 36-36

.github/workflows/auto_merge_notification.yml (1)

17-17: Nice security hardening with consistent SHA pinning! 🛡️

Both instances of the bcgov action are now properly pinned to the same commit SHA. Pinning to a full-length commit SHA is currently the only way to use an action as an immutable release and helps mitigate the risk of backdoors being added to the action's repository.

Also applies to: 27-27

.github/workflows/pydoc_publish.yml (1)

35-35: Comprehensive security improvement with full SHA pinning! 🔐

All six actions in this workflow are now properly secured with commit SHA references. This means referencing specific commit SHAs instead of tags like @v1 or @main, so the code you execute will always be the same. The documentation deployment workflow is now well-protected against supply chain attacks.

Also applies to: 37-37, 41-41, 45-45, 55-55, 62-62

.github/workflows/semantic_pr_check.yml (1)

22-22: SHA pin looks good.

Thanks for locking the semantic PR action to a concrete commit; everything here checks out.

.github/workflows/fix-pr-command.yml (1)

39-39: Nice consistency on the pin set.

Appreciate how all of the actions in this workflow are now pinned to explicit SHAs—this aligns perfectly with the supply-chain-hardening goal.

.github/workflows/test-pr-command.yml (1)

34-34: Great job locking these down.

Everything here is pinned to the expected commits, so the on-demand test workflow should remain deterministic.

.github/workflows/slash_command_dispatch.yml (1)

18-18: Thumbs up on the action pin.

The slash-command workflow now follows the same SHA-pinning pattern; looks solid.

.github/workflows/poetry-lock-command.yml (1)

36-36: Pinning matches the target tag.

Everything is locked to vetted commits here as well—thanks for keeping this workflow aligned with the rest.

.github/workflows/python_lint.yml (1)

19-19: Consistency win.

The lint workflow now mirrors the pinned actions used elsewhere; looks great.

.github/workflows/pypi_publish.yml (1)

15-15: Publish flow pins look correct.

Both the build and publish jobs now rely on fixed SHAs, which is exactly what we wanted.
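
The review comments above describe what a SHA pin buys (a `uses:` reference the action's publisher cannot move by retagging) and its cost (pins go stale unless something updates them). The following is an added example, not PyAirbyte's code and not pinact's implementation: a small Python checker that flags every `uses:` in a workflow that is not a full 40-hex commit SHA, or that is a SHA without the trailing `# <tag>` comment this PR adds, plus a rewriter that turns mutable tag/branch refs into `owner/repo@<sha> # <tag>` given a tag resolver. The sample workflow, the tag-to-SHA table and the placeholder SHAs are constructed for the example; `find_unpinned`, `pin_workflow` and `demo_resolve` are names chosen here.

```python
"""Check `uses:` references in GitHub Actions workflows and pin them to SHAs.

Added example, not PyAirbyte's code and not pinact's implementation. It applies
the rule this PR enforces: every third-party action is referenced by a full
40-hex commit SHA, with the tag it was resolved from kept in a trailing comment.
"""
import re
from typing import Callable

# One `uses:` line: the key (indent plus optional "- "), the ref, then the rest
# (empty, or a "# vX.Y.Z" comment recording which tag the SHA came from).
USES_RE = re.compile(r"^(?P<key>\s*-?\s*uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify(ref: str) -> str:
    """Sort a ref into local / docker / unversioned / sha / short-sha / mutable."""
    if ref.startswith("./"):
        return "local"        # in this repo, pinned by the checked-out commit
    if ref.startswith("docker://"):
        return "docker"       # images are pinned by digest, a separate check
    if "@" not in ref:
        return "unversioned"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.fullmatch(version):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return "short-sha"    # abbreviated SHA: not accepted as a pin here
    return "mutable"          # a tag or branch that the publisher can move


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ref, reason) for each `uses:` that is not a full SHA,
    or is a SHA with no comment saying which tag it was resolved from."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        kind = classify(ref)
        if kind in ("local", "docker"):
            continue
        if kind != "sha":
            findings.append((line_no, ref, f"not pinned to a full commit SHA ({kind})"))
        elif "#" not in m.group("rest"):
            findings.append((line_no, ref, "pinned but missing the '# <tag>' comment"))
    return findings


def pin_workflow(workflow_text: str, resolve: Callable[[str, str], str]) -> str:
    """Rewrite each mutable ref as `owner/repo@<sha> # <tag>`, the form pinact emits.

    `resolve(owner_repo, tag)` must return the commit the tag points to (for an
    annotated tag, the peeled commit, not the tag object). A real resolver would
    call `git ls-remote` or the GitHub API; the sample below injects a table.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref").strip("'\"")
            if classify(ref) == "mutable":
                path, tag = ref.rsplit("@", 1)
                owner_repo = "/".join(path.split("/")[:2])  # drop any sub-path
                sha = resolve(owner_repo, tag)
                if not FULL_SHA_RE.fullmatch(sha):
                    raise ValueError(f"resolver returned a non-commit for {ref}: {sha}")
                line = f"{m.group('key')}{path}@{sha} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


# --- Constructed sample data: not a real workflow, SHAs are placeholders. ---
def fake_sha(n: int) -> str:
    """A 40-hex placeholder standing in for a real commit SHA."""
    return f"{n:040x}"


SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@{fake_sha(5)} # v5.3.0
      - uses: actions/cache@{fake_sha(6)}
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: "actions/upload-artifact@main"
"""

CONSTRUCTED_TAG_TABLE = {  # stands in for a network lookup of each tag
    ("actions/checkout", "v4"): fake_sha(1),
    ("actions/upload-artifact", "main"): fake_sha(2),
}


def demo_resolve(owner_repo: str, tag: str) -> str:
    return CONSTRUCTED_TAG_TABLE[(owner_repo, tag)]
```

On the sample, `find_unpinned` reports the `@v4` and `@main` refs as mutable and the bare `actions/cache@<sha>` as pinned but uncommented; after `pin_workflow(SAMPLE_WORKFLOW, demo_resolve)` only the missing-comment finding remains. To use it as a CI gate, run `find_unpinned` over each file in `.github/workflows/` and fail on a non-empty result. Two caveats a real resolver needs: return the peeled commit for annotated tags (GitHub Actions needs the commit, not the tag object), and remember that pinning a branch such as `main` freezes whatever it pointed to at resolution time, so the comment records a moving target. Keeping pins current afterwards is the job of an updater such as Dependabot's github-actions ecosystem, which rewrites the SHA and the trailing version comment together.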


github-actions bot commented Sep 24, 2025

PyTest Results (Fast Tests Only, No Creds)

304 tests (±0): 304 passed (±0), 0 skipped (±0), 0 failed (±0); 1 suite, 1 file; 4m 23s (+4s)

Results for commit 8495a2e, compared against base commit f5f0f47.

♻️ This comment has been updated with latest results.

@coderabbitai bot (Contributor) left a review comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9df63fc and b83d68e.

📒 Files selected for processing (1)
  • docs/CONTRIBUTING.md (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Pytest (All, Python 3.10, Windows)
  • GitHub Check: Pytest (All, Python 3.10, Ubuntu)
  • GitHub Check: Pytest (All, Python 3.11, Ubuntu)
  • GitHub Check: Pytest (Fast)
  • GitHub Check: Pytest (All, Python 3.11, Windows)
  • GitHub Check: Pytest (No Creds)


github-actions bot commented Sep 24, 2025

PyTest Results (Full)

367 tests (±0): 351 passed (+1), 16 skipped (±0), 0 failed (-1); 1 suite, 1 file; 19m 32s (+15s)

Results for commit 8495a2e, compared against base commit f5f0f47.

♻️ This comment has been updated with latest results.

@coderabbitai bot (Contributor) left a review comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b83d68e and 1a0c230.

📒 Files selected for processing (1)
  • docs/CONTRIBUTING.md (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Pytest (All, Python 3.10, Windows)
  • GitHub Check: Pytest (All, Python 3.10, Ubuntu)
  • GitHub Check: Pytest (All, Python 3.11, Windows)
  • GitHub Check: Pytest (All, Python 3.11, Ubuntu)
  • GitHub Check: Pytest (Fast)
  • GitHub Check: Pytest (No Creds)

@coderabbitai bot (Contributor) left a review comment


Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a0c230 and 3e67129.

📒 Files selected for processing (5)
  • .github/workflows/gh-ci-fix-command.yml (1 hunks)
  • .github/workflows/slash_command_dispatch.yml (4 hunks)
  • .github/workflows/validate-pinned-actions.yml (1 hunks)
  • docs/CONTRIBUTING.md (1 hunks)
  • pyproject.toml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • docs/CONTRIBUTING.md
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Pytest (All, Python 3.11, Ubuntu)
  • GitHub Check: Pytest (All, Python 3.11, Windows)
  • GitHub Check: Pytest (Fast)
  • GitHub Check: Pytest (No Creds)
  • GitHub Check: Pytest (All, Python 3.10, Ubuntu)
  • GitHub Check: Pytest (All, Python 3.10, Windows)
🔇 Additional comments (1)
.github/workflows/slash_command_dispatch.yml (1)

17-48: SHA pins look solid

Thanks for locking these steps down to immutable SHAs and wiring in the new gh-ci-fix command—this keeps the workflow deterministic and aligns with the new fixer pipeline. Looks good to me.

@aaronsteers aaronsteers enabled auto-merge (squash) September 25, 2025 19:48
@aaronsteers aaronsteers merged commit 3617a93 into main Oct 1, 2025
23 checks passed
@aaronsteers aaronsteers deleted the wennergr/pin-shas branch October 1, 2025 01:45