Pinning github actions to hashes #228
📝 Walkthrough (CodeRabbit): The PR pins GitHub Action versions across all CI/CD workflows to specific commit SHAs instead of floating version tags, and updates the package version from pre-release to stable with minor devDependency version bumps.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~12 minutes. Pre-merge checks: ✅ 5 passed.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

```
@@            Coverage Diff             @@
##           master     #228      +/-   ##
==========================================
+ Coverage   97.76%   97.90%   +0.13%
==========================================
  Files          58       58
  Lines        2191     2191
  Branches      577      577
==========================================
+ Hits         2142     2145       +3
+ Misses         12       10       -2
+ Partials       37       36       -1
```
Pull request overview
This PR aims to improve GitHub Actions supply-chain security by pinning workflow `uses:` references to immutable commit SHAs. Alongside that, it also updates several devDependencies (and the lockfile) and changes the package version to a stable release.
Changes:
- Pin GitHub Actions used across CI/release/deploy workflows to commit SHAs.
- Update various devDependencies (e.g., vite/knip/tsdown/oxlint-tsgolint) and refresh `pnpm-lock.yaml`.
- Change `package.json` version from `6.0.0-next.2` to `6.0.0`.
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| pnpm-lock.yaml | Lockfile updates reflecting dependency bumps (not just action pinning). |
| package.json | Version change to stable release + devDependency bumps. |
| .github/workflows/tests.yml | Pin core actions + Codecov action (also bumps Codecov major). |
| .github/workflows/size-limit.yml | Pin checkout/pnpm/setup-node actions to SHAs. |
| .github/workflows/release.yml | Pin checkout/pnpm/setup-node actions to SHAs. |
| .github/workflows/perf.yml | Pin actions (also bumps github-script major). |
| .github/workflows/lint.yml | Pin checkout/pnpm/setup-node actions to SHAs. |
| .github/workflows/deploy-demo.yml | Pin actions (also bumps multiple Pages/artifact actions majors). |
| .github/workflows/codeql.yml | Pin checkout + CodeQL actions to SHAs. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
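What the pinning in this PR buys, and what a reviewer still has to check by hand, is easy to put into a script. The checker below is an added example for this thread, not code from react-mentions-ts or from any of the review bots: it scans workflow text for `uses:` lines, flags anything not pinned to a full 40-hex commit SHA (floating tags and abbreviated SHAs alike), flags pins that carry no `# vX.Y.Z` trailer, and, given a tag resolver, verifies that the trailer really points at the pinned commit. `SAMPLE_WORKFLOW` and `FAKE_TAGS` are constructed for an offline run (the SHAs on the pinned lines are the ones from this PR; the `v4.0.0` trailer on deploy-pages is deliberately wrong); `resolve_tag_via_git` is the network-backed resolver you would pass in for real.

```python
"""Lint GitHub Actions `uses:` references for SHA pinning.

Added example for this review thread; not code from react-mentions-ts or
from any review bot. SAMPLE_WORKFLOW and FAKE_TAGS are constructed for an
offline run; resolve_tag_via_git is the real (network) resolver.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Matches `uses: owner/repo[/subpath]@ref` with an optional `# comment`.
# Local actions (./path) and docker:// images do not match and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

Resolver = Callable[[str, str], Optional[str]]  # (owner/repo, tag) -> commit SHA or None


@dataclass
class Finding:
    line_no: int
    repo: str
    ref: str
    problem: str


def scan_workflow(text: str, resolve_tag: Optional[Resolver] = None) -> list[Finding]:
    """Return one Finding per `uses:` line that is not safely pinned.

    When resolve_tag is supplied, each `# vX.Y.Z` trailer on a pinned line is
    checked against the commit the tag actually points to.
    """
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo, ref, comment = m.group("repo"), m.group("ref"), m.group("comment")
        owner_repo = "/".join(repo.split("/")[:2])  # drop any action sub-path
        if not FULL_SHA_RE.match(ref):
            kind = "abbreviated SHA" if SHORT_SHA_RE.match(ref) else "floating tag or branch"
            findings.append(Finding(n, repo, ref, f"not pinned to a full commit SHA ({kind})"))
        elif comment is None:
            findings.append(Finding(n, repo, ref,
                "pinned, but no `# vX.Y.Z` trailer for Dependabot/Renovate to track"))
        elif resolve_tag is not None:
            actual = resolve_tag(owner_repo, comment)
            if actual is None:
                findings.append(Finding(n, repo, ref, f"trailer {comment} is not a tag on {owner_repo}"))
            elif actual != ref:
                findings.append(Finding(n, repo, ref,
                    f"trailer {comment} resolves to {actual[:12]}, not the pinned SHA"))
    return findings


def resolve_tag_via_git(owner_repo: str, tag: str) -> Optional[str]:
    """Real resolver: ask GitHub what `tag` points to (network; not run offline).

    For an annotated tag, ls-remote prints the tag object and a peeled
    `refs/tags/<tag>^{}` line; the peeled one is the commit the runner checks out.
    """
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{owner_repo}", tag],
        capture_output=True, text=True, check=False,
    ).stdout
    tag_obj = peeled = None
    for entry in out.splitlines():
        sha, ref = entry.split("\t", 1)
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            tag_obj = sha
    return peeled or tag_obj


# Constructed sample workflow; pinned SHAs are the ones from this PR, and the
# v4.0.0 trailer on deploy-pages is deliberately wrong.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@1a2b3c4d
  - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
  - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
  - uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v4.0.0
"""

# Constructed stand-in for resolve_tag_via_git: takes the PR's own trailers at
# face value and maps the hypothetical v4.0.0 to a made-up commit.
FAKE_TAGS = {
    ("codecov/codecov-action", "v6.0.0"): "57e3a136b779b570ffcdbf80b3bdc90e7fab3de2",
    ("actions/deploy-pages", "v5.0.0"): "cd2ce8fcbc39b97be8ca5fce6e763baed58fa128",
    ("actions/deploy-pages", "v4.0.0"): "f" * 40,
}


def fake_resolver(owner_repo: str, tag: str) -> Optional[str]:
    return FAKE_TAGS.get((owner_repo, tag))


if __name__ == "__main__":
    # `python check_pins.py .github/workflows/*.yml` lints real files online;
    # with no arguments it runs the offline demo against SAMPLE_WORKFLOW.
    if len(sys.argv) > 1:
        results = [(p, scan_workflow(open(p).read(), resolve_tag_via_git)) for p in sys.argv[1:]]
    else:
        results = [("<sample>", scan_workflow(SAMPLE_WORKFLOW, fake_resolver))]
    for path, fs in results:
        for f in fs:
            print(f"{path}:{f.line_no}: {f.repo}@{f.ref}: {f.problem}")
    sys.exit(1 if any(fs for _, fs in results) else 0)
```

Run without arguments it reports lines 2, 3, 5 and 6 of the sample and exits non-zero; line 4 passes because the trailer and the SHA agree. The trailer check is the part a human reviewer usually skips: the runner enforces only the SHA, so a wrong `# vX.Y.Z` is what the next reader of the file will wrongly trust.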
| "name": "react-mentions-ts", | ||
| "private": false, | ||
| "version": "6.0.0-next.2", | ||
| "version": "6.0.0", |
This PR is titled as workflow action pinning, but it also changes the published package version from a prerelease (6.0.0-next.2) to a stable release (6.0.0). If this wasn’t intentional, please revert this version change; if it was intentional, it likely deserves its own release-focused PR (and any accompanying changelog/release notes).
| "knip": "^6.7.0", | ||
| "oxfmt": "^0.46.0", | ||
| "oxlint": "^1.61.0", | ||
| "oxlint-tsgolint": "^0.21.1", | ||
| "oxlint-tsgolint": "^0.22.0", | ||
| "playwright": "^1.59.1", | ||
| "publint": "^0.3.18", | ||
| "react": "19.2.5", | ||
| "react-dom": "19.2.5", | ||
| "rimraf": "^6.1.3", | ||
| "size-limit": "12.1.0", | ||
| "tailwind-merge": "^3.5.0", | ||
| "tsdown": "^0.21.9", | ||
| "tsdown": "^0.21.10", | ||
| "typescript": "^6.0.3", | ||
| "typescript-eslint": "^8.59.0", | ||
| "vite": "^8.0.9", | ||
| "vite": "^8.0.10", |
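Review bot: these bumps are caret ranges (`"vite": "^8.0.10"`, `"tsdown": "^0.21.10"`, `"oxlint-tsgolint": "^0.22.0"`), so package.json itself pins nothing; the lockfile does, and only if CI installs with `pnpm install --frozen-lockfile`. Worth confirming the workflows do, otherwise the actions are now pinned more tightly than the toolchain they run, and the bumps belong in a separate dependency PR where their own changelogs can be reviewed.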
This PR updates several devDependencies (e.g., knip/oxlint-tsgolint/tsdown/vite) and consequently the lockfile. For an “action pinning” PR, these dependency bumps add noise and upgrade risk; consider reverting them (or splitting into a separate dependency-update PR) unless they are required for the workflow changes.
| - name: Upload coverage to Codecov | ||
| uses: codecov/codecov-action@v5 | ||
| uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 |
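Review bot: the `# v6.0.0` trailer is a comment the runner never checks; only the SHA is enforced, so verify the mapping once before merging with `git ls-remote --tags https://github.com/codecov/codecov-action v6.0.0` (for an annotated tag take the `^{}` line, which is the commit) and confirm it prints `57e3a136b779b570ffcdbf80b3bdc90e7fab3de2`. Keep the `<sha> # vX.Y.Z` form on every pinned line, since that is what Dependabot and Renovate use to bump the SHA and the comment together, and check the v5 to v6 major bump against the codecov-action v6 release notes rather than assuming compatibility.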
Pinning actions is good, but this change also upgrades Codecov Action from v5 to v6. Major-version bumps can include breaking changes; if the goal is only to pin, consider pinning the existing v5 release to its commit SHA instead (or document why the v6 upgrade is needed and verify the inputs/token behavior still match v6 expectations).
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 | ||
| continue-on-error: true |
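Review bot: `continue-on-error: true` on this step means the v8 to v9 major bump can break the script without ever failing the job, so CI stays green either way. Run the pinned v9 once with the flag removed (or read the step's log on the first run after merge) to confirm the script still executes, or pin the current v8 release's commit instead and take the major bump separately.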
This pins actions/github-script, but it also upgrades from v8 to v9. If the intent is strictly pinning, consider pinning the v8 release to its commit SHA to avoid an unreviewed major upgrade (or otherwise document/validate the v9 behavior against the current script usage).
| - name: Archive build artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | ||
| with: |
This change pins actions/upload-artifact, but it also upgrades from v4 to v7. If the goal is only to pin to SHAs, consider pinning the current v4 major to its commit SHA (or validate that v7’s behavior/inputs are compatible with how artifacts are consumed later in this workflow).
| - name: Setup Pages | ||
| uses: actions/configure-pages@v4 | ||
| uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0 | ||
| - name: Upload artifact | ||
| uses: actions/upload-pages-artifact@v4 | ||
| uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0 | ||
| with: | ||
| path: './demo/dist' |
These steps are pinned, but they also bump Pages actions across major versions (configure-pages v4→v6 and upload-pages-artifact v4→v5). If the intent is only pinning, consider pinning the existing majors to their SHAs; otherwise, please confirm the new majors’ required permissions/inputs match this workflow.
| - name: Deploy to GitHub Pages | ||
| id: deployment | ||
| uses: actions/deploy-pages@v4 | ||
| uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 |
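Review bot: with the pin in place, also check the `permissions:` of the deploy job: `actions/deploy-pages` needs `pages: write` and `id-token: write`, and nothing in this step needs `contents: write`, so the job should declare exactly those rather than inherit a wider default. As with the other Pages actions, the v4 to v5 major bump is a behaviour change that the SHA pin does not review for you.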
This pins actions/deploy-pages, but it also upgrades from v4 to v5. If the goal is strictly pinning, consider pinning the existing v4 major to its commit SHA instead of taking a major upgrade in the same PR (or validate v5 compatibility explicitly).
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@package.json`:
- Line 171: The package.json currently specifies "vite": "^8.0.10" which has
known regressions; change the dependency entry for the "vite" key to pin a safe
version (e.g., "8.0.9") or, if you must use 8.0.10, run a full verification
(production builds, React.lazy usage, CJS interop, and plugin resolution such as
daisyUI `@plugin` resolving to JS) and only keep 8.0.10 if all checks pass; update
package.json accordingly and re-run CI/build to confirm no regressions.
⛔ Files ignored due to path filters (1): `pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (8): .github/workflows/codeql.yml, .github/workflows/deploy-demo.yml, .github/workflows/lint.yml, .github/workflows/perf.yml, .github/workflows/release.yml, .github/workflows/size-limit.yml, .github/workflows/tests.yml, package.json
| "typescript": "^6.0.3", | ||
| "typescript-eslint": "^8.59.0", | ||
| "vite": "^8.0.9", | ||
| "vite": "^8.0.10", |
🧩 Analysis chain
🏁 Script executed:

```bash
#!/bin/bash
# Description: Verify vite version 8.0.10 exists on npm
# Check if version exists
npm view vite versions --json | jq -r '.[]' | grep "^8\.0\.10$"
npm view vite@8.0.10 version 2>/dev/null || echo "Version 8.0.10 not found"
```

Repository: hbmartin/react-mentions-ts
Length of output: 84
🌐 Web query:
Are there any known issues or bugs with Vite 8.0.10?
💡 Result:
Yes, there are known issues with Vite 8.0.10, specifically regressions introduced compared to 8.0.9. Key reported bugs on GitHub issues (open as of 2026-04-26): - Production builds break with errors like "Class extends value undefined is not a constructor or null" or issues with React.lazy dynamic imports and CJS interop, potentially related to circular imports or Rolldown changes. Users reverted to 8.0.9 as a workaround. (Issue #22307, opened Apr 23, 2026) - Regression in resolving daisyUI @plugin: resolves to browser CSS entry (daisyui.css) instead of JS module (index.js), causing "Unknown file extension .css" error in Tailwind CSS. Workaround: explicitly use 'daisyui/index.js'. (Issue #22323, opened Apr 24, 2026) No dedicated changelog entry for 8.0.10 was found in searches (latest detailed is up to 8.0.9 or 8.0.8), suggesting it may be a minor patch, but these issues indicate recent regressions affecting production and plugin resolution. Vite 8 series has ongoing Vite 8-specific issues (e.g., dep optimization with special chars, code splitting behaviors), but the above are explicitly tied to the 8.0.9 -> 8.0.10 upgrade. Recommend checking GitHub issues for updates or pinning to 8.0.9 if affected.
Citations:
- 1: https://github.com/vitejs/vite/issues
- 2: [8.0.10] breaks production build vitejs/vite#22307
- 3: Vite 8.0.10 resolves daisyUI @plugin to browser CSS entry instead of JS module vitejs/vite#22323
- 4: https://github.com/vitejs/vite/blob/v8.0.8/packages/vite/CHANGELOG.md
- 5: https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md
- 6: https://github.com/vitejs/vite/releases/tag/v8.0.8
Do not upgrade to Vite 8.0.10 without investigation—multiple critical regressions are reported.
Vite 8.0.10 has known production build failures (including "Class extends value undefined" errors affecting React.lazy and CJS interop) and plugin resolution regressions (daisyUI @plugin resolves to CSS instead of JS). Users are reverting to 8.0.9. Either pin to 8.0.9 or verify these issues don't affect this project before upgrading.
Code Review
This pull request bumps the package version to 6.0.0 and updates several development dependencies, including knip, oxlint-tsgolint, tsdown, and vite. A compatibility issue was identified where the project's Node.js engine requirement is now broader than the requirements of the updated dependencies, which may cause installation warnings for users on specific Node.js 22 versions.
| "typescript": "^6.0.3", | ||
| "typescript-eslint": "^8.59.0", | ||
| "vite": "^8.0.9", | ||
| "vite": "^8.0.10", |
The update to `vite@^8.0.10` (and `knip@^6.7.0`) introduces stricter Node.js engine requirements (`^20.19.0 || >=22.12.0 || >=24.0.0`) as seen in the lockfile. However, the project's `engines.node` field is currently set to `>=22`. This discrepancy will cause installation warnings or errors for users on Node.js versions between 22.0.0 and 22.11.x. Consider updating the project's `engines.node` requirement to `>=22.12.0` to maintain compatibility with its dependencies.
Note (Macroscope): Pin all GitHub Actions workflow steps to specific commit SHAs. Replaces floating version tags (e.g. `v4`, `v5`, `v6`) with pinned commit SHAs across all workflows (`codeql`, `deploy-demo`, `lint`, `perf`, `release`, `size-limit`, `tests`). Also bumps the `package.json` version to `6.0.0` and updates several dev dependencies (`knip`, `oxlint-tsgolint`, `tsdown`, `vite`). Macroscope summarized 220b513.