feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge) #802
Conversation
- Add required Poe tasks: install, gh-ci-check, gh-ci-fix to pyproject.toml - Create gh-ci-fix-command.yml workflow using poe-command-processor for slash commands - Create validate-pinned-actions.yml workflow for CI validation using poe gh-ci-check - Update slash_command_dispatch.yml to include gh-ci-fix command - Update CONTRIBUTING.md with comprehensive pinact CLI examples and slash command usage This implements automated SHA pinning for GitHub Actions using the Poe task runner and poe-command-processor action, providing both slash command and CI validation. Co-Authored-By: AJ Steers <[email protected]>
- Fix gh-ci-check task to use --check flag instead of --dry-run - Use full path /home/ubuntu/go/bin/pinact for Poe tasks to ensure accessibility - Pin aaronsteers/poe-command-processor@v1 to SHA hash for security - Verify both poe gh-ci-check and poe gh-ci-fix tasks work correctly Co-Authored-By: AJ Steers <[email protected]>
Original prompt from AJ Steers |
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
|
||
| permissions: | ||
| contents: write | ||
| workflows: write |
There was a problem hiding this comment.
🚫 [actionlint] reported by reviewdog 🐶
unknown permission scope "workflows". all available permission scopes are "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses" [permissions]
👋 Greetings, Airbyte Team Member!Here are some helpful tips and reminders for your convenience. Testing This PyAirbyte VersionYou can test this version of PyAirbyte using the following: # Run PyAirbyte CLI from this branch:
uvx --from 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1758749777-add-pinact-automation' pyairbyte --help
# Install PyAirbyte from this branch for development:
pip install 'git+https://github.com/airbytehq/PyAirbyte.git@devin/1758749777-add-pinact-automation'Helpful ResourcesPR Slash CommandsAirbyte Maintainers can execute the following slash commands on your PR:
Community SupportQuestions? Join the #pyairbyte channel in our Slack workspace. |
📝 WalkthroughWalkthroughAdds an on-demand GitHub Actions pin-fix workflow triggered via slash command, a PR-triggered validator ensuring actions are SHA-pinned, updates slash-command dispatch to include gh-ci-fix, documents local pinning via pinact, and adds Poetry scripts for check/fix commands plus MCP-related scripts. Changes
Sequence Diagram(s)sequenceDiagram
autonumber
actor Dev as Developer
participant GH as GitHub (PR/Comments)
participant SCD as Slash Command Dispatch
participant GWF as gh-ci-fix-command.yml
participant GApp as GitHub App Token
participant Poe as Poe Command Processor
participant Pin as pinact
Dev->>GH: Comment "/gh-ci-fix"
GH-->>SCD: Trigger workflow
SCD->>GWF: workflow_dispatch(pr, comment-id)
GWF->>GApp: actions/create-github-app-token
GApp-->>GWF: installation_token
GWF->>Poe: poe gh-ci-fix (with token, pr, comment-id)
Poe->>Pin: pin actions (SHA-pin)
Pin-->>GH: Commit/PR updates (if any)
sequenceDiagram
autonumber
participant GH as GitHub (PR)
participant VPA as validate-pinned-actions.yml
participant CI as Runner
participant Py as Poetry/poe
participant Pin as pinact
GH-->>VPA: PR touches .github/** or **/action.yml
VPA->>CI: Start job
CI->>Py: poetry install
CI->>Pin: pinact check (via poe gh-ci-check)
alt Check fails
Pin-->>CI: non-zero exit
CI-->>VPA: Fail job with instructions
else Check passes
Pin-->>CI: zero exit
CI-->>VPA: Succeed job
end
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Would you like to add a brief note in the validator job output linking to the new gh-ci-fix workflow run for quick navigation, wdyt? Pre-merge checks and finishing touches❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✨ Finishing touches🧪 Generate unit tests
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (5)
.github/workflows/gh-ci-fix-command.yml(1 hunks).github/workflows/slash_command_dispatch.yml(1 hunks).github/workflows/validate-pinned-actions.yml(1 hunks)docs/CONTRIBUTING.md(1 hunks)pyproject.toml(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
- GitHub Check: Pytest (All, Python 3.11, Windows)
- GitHub Check: Pytest (All, Python 3.10, Ubuntu)
- GitHub Check: Pytest (All, Python 3.11, Ubuntu)
- GitHub Check: Pytest (All, Python 3.10, Windows)
- GitHub Check: Pytest (No Creds)
- GitHub Check: Pytest (Fast)
| permissions: | ||
| contents: write | ||
| workflows: write | ||
| pull-requests: write |
There was a problem hiding this comment.
Invalid permission scope prevents workflow linting
workflows: write isn’t a recognized permission (actionlint is already failing this). Could we drop or replace it with a valid scope (likely just rely on contents: write) so the workflow passes lint and can run, wdyt?
🤖 Prompt for AI Agents
.github/workflows/gh-ci-fix-command.yml lines 15-18: the permissions block
contains an invalid scope "workflows: write" which causes actionlint to fail;
remove the "workflows: write" entry (or replace it with a valid permission if
you explicitly need one) and keep "contents: write" (and "pull-requests: write"
if required) so the YAML is valid and the workflow lints and runs.
| # GitHub Actions CI tasks | ||
| install = { shell = "poetry install" } | ||
| gh-ci-check = { shell = "$HOME/go/bin/pinact run --check", help = "Check if GitHub Actions are pinned to SHA hashes" } | ||
| gh-ci-fix = { shell = "$HOME/go/bin/pinact run", help = "Pin GitHub Actions to their SHA hashes" } | ||
|
|
There was a problem hiding this comment.
Hard-coded $HOME path breaks on Windows runners
These Poe tasks invoke $HOME/go/bin/pinact, but on Windows cmd won’t expand $HOME, so poe gh-ci-check/gh-ci-fix will fail for contributors on that platform. Could we switch to a PATH-based invocation (e.g., cmd = "pinact run --check" / cmd = "pinact run") so it works cross-platform, wdyt?
🤖 Prompt for AI Agents
In pyproject.toml around lines 202-206 the poe tasks hard-code
$HOME/go/bin/pinact which won’t expand on Windows; replace the shell invocations
that use the $HOME path with PATH-based invocations (e.g., use cmd = "pinact run
--check" for gh-ci-check and cmd = "pinact run" for gh-ci-fix, or set shell to
simply "pinact run..." without $HOME) so the tasks run cross-platform; ensure
the task definitions no longer reference $HOME and rely on pinact being
available on PATH.
2 participants
feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge)
This PR targets the following PR:
Summary
Adds automated SHA pinning for GitHub Actions using a Poe-based approach with the following components:
/gh-ci-fixslash command: Usesaaronsteers/poe-command-processorto automatically pin actions to SHA hashespoe gh-ci-checkon PRs to ensure all actions are pinnedgh-ci-check(validation) andgh-ci-fix(pinning) tasks topyproject.tomlCONTRIBUTING.mdwith comprehensive pinact CLI examples and slash command usageReview & Testing Checklist for Human
/gh-ci-fixslash command end-to-end: Create a test PR with unpinned actions and verify the slash command works correctly, commits changes, and pins actions properlyvalidate-pinned-actions.ymlworkflow correctly fails when actions are unpinned and passes when they are pinnedpoetry run poe gh-ci-checkandpoetry run poe gh-ci-fixto ensure they work correctly andpinactis accessible at the hardcoded pathcontents: write,workflows: write) work correctly without security risksNotes
$HOME/go/bin/pinactassumes global Go installation - may need adjustment for different environmentsaaronsteers/[email protected]action - verify this version works reliablypinactviago installwhich requires Go runtime in CILink to Devin run: https://app.devin.ai/sessions/d8971a7395d14f9ba0cbdab06515a121
Requested by: @aaronsteers
Summary by CodeRabbit
New Features
Documentation
Chores