Skip to content

feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge) #802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
+115 −0
Draft

feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge) #802

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
362a8ec
feat: pin sha for github actions
wennergr Sep 24, 2025
9df63fc
Apply suggestion from @aaronsteers
aaronsteers Sep 24, 2025
b83d68e
docs: add blub to CONTRIBUTING.md
aaronsteers Sep 24, 2025
1a0c230
added pinact example
wennergr Sep 24, 2025
3e67129
feat: add poe-based pinact automation for GitHub Actions SHA pinning
devin-ai-integration[bot] Sep 24, 2025
8f87ad5
fix: update pinact CLI flags and pin poe-command-processor action
devin-ai-integration[bot] Sep 24, 2025
e5126a2
Merge branch 'main' into devin/1758749777-add-pinact-automation
aaronsteers Oct 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/actionlint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
- name: Run actionlint
uses: reviewdog/[email protected]
uses: reviewdog/action-actionlint@95395aac8c053577d0bc67eb7b74936c660c6f66 # v1.67.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
reporter: github-pr-review
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/auto_merge_notification.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
steps:
- name: Add Auto-Merge Notice
if: github.event.action == 'auto_merge_enabled'
uses: bcgov/[email protected]
uses: bcgov/action-pr-description-add@14338bfe0278ead273b3c1189e5aa286ff6709c4 # v2.0.0
with:
add_markdown: |
> [!IMPORTANT]
Expand All @@ -24,7 +24,7 @@ jobs:

- name: Remove Auto-Merge Notice
if: github.event.action == 'auto_merge_disabled'
uses: bcgov/[email protected]
uses: bcgov/action-pr-description-add@14338bfe0278ead273b3c1189e5aa286ff6709c4 # v2.0.0
with:
add_markdown: |
> [!NOTE]
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/autofix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,13 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: 3.10
- name: Set up Poetry
uses: Gr1N/setup-poetry@v9
uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
with:
poetry-version: "2.2.0"

Expand All @@ -37,6 +37,6 @@ jobs:
git diff-index --quiet HEAD || git commit -m "Format code with black"

- name: Push changes
uses: ad-m/github-push-action@master
uses: ad-m/github-push-action@77c5b412c50b723d2a4fbc6d71fb5723bcd439aa # v1.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
20 changes: 10 additions & 10 deletions .github/workflows/fix-pr-command.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,32 +36,32 @@ jobs:

# Custom steps to fetch the PR and checkout the code:
- name: Authenticate as GitHub App
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
id: get-app-token
with:
owner: "airbytehq"
repositories: "PyAirbyte"
app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
- name: Checkout Airbyte
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
# Important that this is set so that CI checks are triggered again
# Without this we would be forever waiting on required checks to pass
token: ${{ steps.get-app-token.outputs.token }}

- name: Checkout PR (${{ github.event.inputs.pr }})
uses: dawidd6/action-checkout-pr@v1
uses: dawidd6/action-checkout-pr@a7598e18433a763b784f17d666372913d8bd4205 # v1.2.0
with:
pr: ${{ github.event.inputs.pr }}

- name: Resolve workflow variables
id: vars
uses: aaronsteers/resolve-ci-vars-action@v0
uses: aaronsteers/resolve-ci-vars-action@2e56afab0344bbe03c047dfa39bae559d0291472 # v0.1.6

- name: Append comment with job run link
id: first-comment-action
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ github.event.inputs.comment-id }}
issue-number: ${{ github.event.inputs.pr }}
Expand All @@ -77,11 +77,11 @@ jobs:
[1]: ${{ steps.vars.outputs.run-url }}

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: ${{ matrix.python-version }}
- name: Set up Poetry
uses: Gr1N/setup-poetry@v9
uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
with:
poetry-version: "2.2.0"
- name: Install dependencies
Expand Down Expand Up @@ -150,7 +150,7 @@ jobs:
git push contributor HEAD:${{ steps.vars.outputs.pr-source-git-branch }}

- name: Append success comment
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: steps.git-diff.outputs.changes == 'true' || steps.git-diff-2.outputs.changes == 'true'
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
Expand All @@ -159,7 +159,7 @@ jobs:
> ✅ Changes applied successfully.

- name: Append success comment (no-op)
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: steps.git-diff.outputs.changes != 'true' && steps.git-diff-2.outputs.changes != 'true'
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
Expand All @@ -168,7 +168,7 @@ jobs:
> 🟦 Job completed successfully (no changes).

- name: Append failure comment
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: failure()
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
Expand Down
43 changes: 43 additions & 0 deletions .github/workflows/gh-ci-fix-command.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
name: On-Demand GitHub Actions Pin Fix

on:
workflow_dispatch:
inputs:
pr:
description: 'PR Number'
type: string
required: true
comment-id:
description: 'Comment ID (Optional)'
type: string
required: false

permissions:
contents: write
workflows: write
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚫 [actionlint] reported by reviewdog 🐶
unknown permission scope "workflows". all available permission scopes are "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses" [permissions]

pull-requests: write
Comment on lines +15 to +18
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Invalid permission scope prevents workflow linting
workflows: write isn’t a recognized permission (actionlint is already failing this). Could we drop or replace it with a valid scope (likely just rely on contents: write) so the workflow passes lint and can run, wdyt?

🤖 Prompt for AI Agents 
.github/workflows/gh-ci-fix-command.yml lines 15-18: the permissions block
contains an invalid scope "workflows: write" which causes actionlint to fail;
remove the "workflows: write" entry (or replace it with a valid permission if
you explicitly need one) and keep "contents: write" (and "pull-requests: write"
if required) so the YAML is valid and the workflow lints and runs.


env:
AIRBYTE_ANALYTICS_ID: ${{ vars.AIRBYTE_ANALYTICS_ID }}

jobs:
gh-ci-fix:
name: Pin GitHub Actions
runs-on: ubuntu-latest
steps:
- name: Authenticate as GitHub App
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
id: get-app-token
with:
owner: "airbytehq"
repositories: "PyAirbyte"
app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}

- name: Run Poe Command
uses: aaronsteers/poe-command-processor@04330aa7047b6b182ff280a962cbbcd99d6eb683 # v1.3.0
with:
command: "gh-ci-fix"
github-token: ${{ steps.get-app-token.outputs.token }}
pr: ${{ github.event.inputs.pr }}
comment-id: ${{ github.event.inputs.comment-id }}
22 changes: 11 additions & 11 deletions .github/workflows/poetry-lock-command.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,22 +33,22 @@ jobs:

# Custom steps to fetch the PR and checkout the code:
- name: Authenticate as GitHub App
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
id: get-app-token
with:
owner: "airbytehq"
repositories: "PyAirbyte"
app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}
- name: Checkout Airbyte
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
# Important that this is set so that CI checks are triggered again
# Without this we would be forever waiting on required checks to pass
token: ${{ steps.get-app-token.outputs.token }}

- name: Checkout PR (${{ github.event.inputs.pr }})
uses: dawidd6/action-checkout-pr@v1
uses: dawidd6/action-checkout-pr@a7598e18433a763b784f17d666372913d8bd4205 # v1.2.0
with:
pr: ${{ github.event.inputs.pr }}

Expand All @@ -65,11 +65,11 @@ jobs:

- name: Resolve workflow variables
id: vars
uses: aaronsteers/resolve-ci-vars-action@v0
uses: aaronsteers/resolve-ci-vars-action@2e56afab0344bbe03c047dfa39bae559d0291472 # v0.1.6

- name: Append comment with job run link
id: first-comment-action
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
comment-id: ${{ github.event.inputs.comment-id }}
issue-number: ${{ github.event.inputs.pr }}
Expand All @@ -80,11 +80,11 @@ jobs:
[1]: ${{ steps.vars.outputs.run-url }}

- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: ${{ matrix.python-version }}
- name: Set up Poetry
uses: Gr1N/setup-poetry@v9
uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
with:
poetry-version: "2.2.0"

Expand Down Expand Up @@ -118,7 +118,7 @@ jobs:
git push contributor HEAD:${{ steps.vars.outputs.pr-source-git-branch }}

- name: Append success comment
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: steps.git-diff.outputs.changes == 'true'
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
Expand All @@ -127,16 +127,16 @@ jobs:
> ✅ `poetry lock` applied successfully.

- name: Append success comment (no-op)
uses: peter-evans/create-or-update-comment@v4
if: steps.git-diff.outputs.changes != 'true' && steps.git-diff-2.outputs.changes != 'true'
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: steps.git-diff.outputs.changes != 'true'
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
reactions: "+1"
body: |
> 🟦 Job completed successfully (no changes).

- name: Append failure comment
uses: peter-evans/create-or-update-comment@v4
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
if: failure()
with:
comment-id: ${{ steps.first-comment-action.outputs.comment-id }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/pydoc_preview.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,13 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.10'
- name: Set up Poetry
uses: Gr1N/setup-poetry@v9
uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
with:
poetry-version: "2.2.0"

Expand All @@ -33,7 +33,7 @@ jobs:
poetry run poe docs-generate

- name: Upload artifact
uses: actions/upload-pages-artifact@v4
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
with:
# Upload entire repository
path: 'docs/generated'
12 changes: 6 additions & 6 deletions .github/workflows/pydoc_publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,17 +32,17 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up Python
uses: actions/setup-python@v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.10'
- name: Set up Poetry
uses: Gr1N/setup-poetry@v9
uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
with:
poetry-version: "2.2.0"
- name: Setup Pages
uses: actions/configure-pages@v5
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0

- name: Install dependencies
run: poetry install
Expand All @@ -52,11 +52,11 @@ jobs:
poetry run poe docs-generate

- name: Upload artifact
uses: actions/upload-pages-artifact@v4
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
with:
# Upload entire repository
path: 'docs/generated'

- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
10 changes: 5 additions & 5 deletions .github/workflows/pypi_publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,10 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- uses: hynek/build-and-inspect-python-package@v2
- uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0

publish:
name: Publish to PyPI
Expand All @@ -29,12 +29,12 @@ jobs:
url: https://pypi.org/p/airbyte
if: startsWith(github.ref, 'refs/tags/')
steps:
- uses: actions/download-artifact@v4
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: Packages
path: dist
- name: Upload wheel to release
uses: svenstaro/upload-release-action@v2
uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # latest
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: dist/*.whl
Expand All @@ -43,4 +43,4 @@ jobs:
file_glob: true

- name: Publish
uses: pypa/[email protected]
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
Loading
Loading