feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge)

[aaronsteers]

feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge)

This PR targets the following PR:

• feat: pin sha for github actions #801

---

Summary

Adds automated SHA pinning for GitHub Actions using a Poe-based approach with the following components:

• /gh-ci-fix slash command: Uses aaronsteers/poe-command-processor to automatically pin actions to SHA hashes
• CI validation workflow: Runs poe gh-ci-check on PRs to ensure all actions are pinned
• Poe tasks: Added gh-ci-check (validation) and gh-ci-fix (pinning) tasks to pyproject.toml
• Documentation: Updated CONTRIBUTING.md with comprehensive pinact CLI examples and slash command usage

Review & Testing Checklist for Human

• Test /gh-ci-fix slash command end-to-end: Create a test PR with unpinned actions and verify the slash command works correctly, commits changes, and pins actions properly
• Verify CI validation workflow: Check that the validate-pinned-actions.yml workflow correctly fails when actions are unpinned and passes when they are pinned
• Test Poe tasks locally: Run poetry run poe gh-ci-check and poetry run poe gh-ci-fix to ensure they work correctly and pinact is accessible at the hardcoded path
• Verify workflow permissions: Ensure the GitHub App authentication and elevated permissions (contents: write, workflows: write) work correctly without security risks

Notes

• Uses GitHub App authentication pattern consistent with other repo workflows (OCTAVIA_BOT_APP_ID/PRIVATE_KEY)
• Hardcoded path $HOME/go/bin/pinact assumes global Go installation - may need adjustment for different environments
• Third-party dependency on aaronsteers/[email protected] action - verify this version works reliably
• CI validation workflow installs pinact via go install which requires Go runtime in CI

Link to Devin run: https://app.devin.ai/sessions/d8971a7395d14f9ba0cbdab06515a121
Requested by: @aaronsteers

Summary by CodeRabbit

• New Features

  • Added an on-demand “gh-ci-fix” slash command and workflow to automatically pin GitHub Actions in pull requests.
  • Introduced local scripts to check and fix GitHub Actions pinning via project tooling.
  • Added MCP utility scripts for server start, inspection, and tool testing.

• Documentation

  • Expanded contributing guide with instructions for using pinact and the /gh-ci-fix command, including per-file and dry-run examples.

• Chores

  • Implemented a PR workflow that validates all GitHub Actions are SHA-pinned and provides guidance on fixing failures.

[devin-ai-integration]

Original prompt from AJ Steers

Received message in Slack channel #ask-devin-ai:

@Devin - Is there a `pinact` reviewdog action in the github marketplace? If yes, can you stack that on top of this PR: <https://github.com/airbytehq/PyAirbyte/pull/801>
Thread URL: https://airbytehq-team.slack.com/archives/C08BHPUMEPJ/p1758741769036909?thread_ts=1758741769.036909

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[github-actions]

🚫 [actionlint] _{reported by reviewdog 🐶}
unknown permission scope "workflows". all available permission scopes are "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses" [permissions]

[github-actions]

👋 Greetings, Airbyte Team Member!

Here are some helpful tips and reminders for your convenience.

Testing This PyAirbyte Version

You can test this version of PyAirbyte using the following:

# Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1758749777-add-pinact-automation' pyairbyte --help

# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1758749777-add-pinact-automation'

Helpful Resources

• PyAirbyte Documentation
• API Reference

PR Slash Commands

Airbyte Maintainers can execute the following slash commands on your PR:

• /fix-pr - Fixes most formatting and linting issues
• /poetry-lock - Updates poetry.lock file
• /test-pr - Runs tests with the updated PyAirbyte

Community Support

Questions? Join the #pyairbyte channel in our Slack workspace.

📝 Edit this welcome message.

[github-actions]

PyTest Results (Fast Tests Only, No Creds)

304 tests  ±0   304 ✅ ±0   4m 31s ⏱️ +5s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit e5126a2. ± Comparison against base commit 3617a93.

♻️ This comment has been updated with latest results.

[github-actions]

PyTest Results (Full)

367 tests  ±0   351 ✅ ±0   19m 42s ⏱️ +49s
  1 suites ±0    16 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit e5126a2. ± Comparison against base commit 3617a93.

♻️ This comment has been updated with latest results.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an on-demand GitHub Actions pin-fix workflow triggered via slash command, a PR-triggered validator ensuring actions are SHA-pinned, updates slash-command dispatch to include gh-ci-fix, documents local pinning via pinact, and adds Poetry scripts for check/fix commands plus MCP-related scripts.

Changes

Cohort / File(s)	Summary
CI workflows: pinning & slash command .github/workflows/gh-ci-fix-command.yml, .github/workflows/slash_command_dispatch.yml, .github/workflows/validate-pinned-actions.yml	New workflow to run pin fixes on demand via workflow_dispatch using GitHub App token and Poe command; adds "gh-ci-fix" to slash commands; introduces PR validator that checks all actions are SHA-pinned and fails with guidance if not.
Docs docs/CONTRIBUTING.md	Documents installing and using pinact, including per-file and dry-run usage; notes the /gh-ci-fix PR slash command.
Tooling config pyproject.toml	Adds Poetry scripts: install, gh-ci-check (pinact check), gh-ci-fix (pinact pin), and MCP utility scripts (mcp-serve-sse, mcp-inspect, mcp-tool-test).

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub (PR/Comments)
  participant SCD as Slash Command Dispatch
  participant GWF as gh-ci-fix-command.yml
  participant GApp as GitHub App Token
  participant Poe as Poe Command Processor
  participant Pin as pinact

  Dev->>GH: Comment "/gh-ci-fix"
  GH-->>SCD: Trigger workflow
  SCD->>GWF: workflow_dispatch(pr, comment-id)
  GWF->>GApp: actions/create-github-app-token
  GApp-->>GWF: installation_token
  GWF->>Poe: poe gh-ci-fix (with token, pr, comment-id)
  Poe->>Pin: pin actions (SHA-pin)
  Pin-->>GH: Commit/PR updates (if any)

Loading

sequenceDiagram
  autonumber
  participant GH as GitHub (PR)
  participant VPA as validate-pinned-actions.yml
  participant CI as Runner
  participant Py as Poetry/poe
  participant Pin as pinact

  GH-->>VPA: PR touches .github/** or **/action.yml
  VPA->>CI: Start job
  CI->>Py: poetry install
  CI->>Pin: pinact check (via poe gh-ci-check)
  alt Check fails
    Pin-->>CI: non-zero exit
    CI-->>VPA: Fail job with instructions
  else Check passes
    Pin-->>CI: zero exit
    CI-->>VPA: Succeed job
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: pin sha for github actions #801 — Also updates workflows for SHA-pinning and adds "gh-ci-fix" to slash_command_dispatch, overlapping with this PR’s command additions.
• chore: replace maintenance PATs with octavia-bot GitHub App authentication #773 — Similar use of actions/create-github-app-token (Octavia bot) for workflow authentication, aligning with the new gh-ci-fix flow.
• chore(mcp): add mcp-tool-test Poe task #789 — Introduces the same MCP-related Poetry scripts referenced here, indicating shared scripting changes.

Would you like to add a brief note in the validator job output linking to the new gh-ci-fix workflow run for quick navigation, wdyt?

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title Check	⚠️ Warning	The current title accurately reflects the main feature—adding pinact-action to automate GitHub Actions SHA pinning—but it includes the extraneous draft marker “(do not merge)”, which adds noise and isn’t needed in a concise PR title.	Could you remove the “(do not merge)” marker and simplify the title to something like “feat: automate GitHub Actions SHA pinning with pinact-action” to keep it concise and focused, wdyt?

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch devin/1758749777-add-pinact-automation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3617a93 and e5126a2.

📒 Files selected for processing (5)

• .github/workflows/gh-ci-fix-command.yml (1 hunks)
• .github/workflows/slash_command_dispatch.yml (1 hunks)
• .github/workflows/validate-pinned-actions.yml (1 hunks)
• docs/CONTRIBUTING.md (1 hunks)
• pyproject.toml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Pytest (All, Python 3.11, Windows)
• GitHub Check: Pytest (All, Python 3.10, Ubuntu)
• GitHub Check: Pytest (All, Python 3.11, Ubuntu)
• GitHub Check: Pytest (All, Python 3.10, Windows)
• GitHub Check: Pytest (No Creds)
• GitHub Check: Pytest (Fast)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Invalid permission scope prevents workflow linting
workflows: write isn’t a recognized permission (actionlint is already failing this). Could we drop or replace it with a valid scope (likely just rely on contents: write) so the workflow passes lint and can run, wdyt?

🤖 Prompt for AI Agents

.github/workflows/gh-ci-fix-command.yml lines 15-18: the permissions block
contains an invalid scope "workflows: write" which causes actionlint to fail;
remove the "workflows: write" entry (or replace it with a valid permission if
you explicitly need one) and keep "contents: write" (and "pull-requests: write"
if required) so the YAML is valid and the workflow lints and runs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Hard-coded $HOME path breaks on Windows runners
These Poe tasks invoke $HOME/go/bin/pinact, but on Windows cmd won’t expand $HOME, so poe gh-ci-check/gh-ci-fix will fail for contributors on that platform. Could we switch to a PATH-based invocation (e.g., cmd = "pinact run --check" / cmd = "pinact run") so it works cross-platform, wdyt?

🤖 Prompt for AI Agents

In pyproject.toml around lines 202-206 the poe tasks hard-code
$HOME/go/bin/pinact which won’t expand on Windows; replace the shell invocations
that use the $HOME path with PATH-based invocations (e.g., use cmd = "pinact run
--check" for gh-ci-check and cmd = "pinact run" for gh-ci-fix, or set shell to
simply "pinact run..." without $HOME) so the tasks run cross-platform; ensure
the task definitions no longer reference $HOME and rely on pinact being
available on PATH.