pin GitHub Actions

[shogo82148]

Summary by CodeRabbit

• Chores
  • Improved automated workflows for code analysis, review, and testing by locking dependencies to specific versions. This update enhances the stability and consistency of our continuous integration processes, ensuring a smoother overall experience for users.

[coderabbitai]

Walkthrough

This pull request updates several GitHub Actions workflow files to reference specific commit hashes instead of version tags. The changes span three workflow configurations for code analysis, review, and testing. In each file, updates target actions such as checkout, CodeQL (init, autobuild, analyze), reviewdog linting, Go setup, and goveralls. These modifications lock the workflows to fixed commit states to potentially enhance reproducibility and stability.

Changes

File(s)	Change Summary
.github/.../codeql-analysis.yml	Updated actions/checkout from v4 to commit 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2); Updated github/codeql-action/init, autobuild, and analyze from v3 to commit 1b549b9259bda1cb5ddde3b41741a82a2d15a841 (v3.28.13)
.github/.../reviewdog.yml	Updated actions/checkout from v4 to commit 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2); Updated reviewdog/action-golangci-lint from v2 to commit f9bba13753278f6a73b27a56a3ffb1bfda90ed71 (v2.8.0)
.github/.../test.yml	Updated actions/checkout from v4 to commit 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2); Updated actions/setup-go from v5 to commit 0aaccfd150d50ccaeb58ebd88d36e91967a5f35b (v5.4.0); Updated shogo82148/actions-goveralls from v1 to commit e6875f831db61e6abffbd8df91a2eb6cd24b46c9 (v1.9.1)

Poem

I'm a bunny with a skip so light,
Updating commits through day and night.
My YAML burrow now stands secure,
With fixed hashes, stability is pure.
I hop with joy as workflows glow,
In a garden of code where fixes grow!

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3773769 and 40a9b3a.

📒 Files selected for processing (3)

• .github/workflows/codeql-analysis.yml (3 hunks)
• .github/workflows/reviewdog.yml (1 hunks)
• .github/workflows/test.yml (2 hunks)

🔇 Additional comments (10)

.github/workflows/reviewdog.yml (2)

12-12: Pinning actions/checkout Version

The checkout action is now locked to commit 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2). This explicit pinning enhances reproducibility and aligns with updates in other workflows.

---

14-14: Pinning reviewdog/action-golangci-lint Version

The reviewdog action is now set to commit f9bba13753278f6a73b27a56a3ffb1bfda90ed71 (v2.8.0). This change helps ensure stability and consistency with CI checks.

.github/workflows/test.yml (4)

28-28: Pinning actions/checkout Version in Test Workflow

The checkout step is updated to commit 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2). This ensures consistency across all workflows.

---

30-31: Pinning actions/setup-go Version

The Setup Go step now uses commit 0aaccfd150d50ccaeb58ebd88d36e91967a5f35b (v5.4.0). This pinning should improve reproducibility. Please verify this commit works smoothly with all matrix versions.
[approve_code_changes, request_verification]

---

38-42: Pinning shogo82148/actions-goveralls in Test Step

The goveralls action for reporting test coverage is now pinned to commit e6875f831db61e6abffbd8df91a2eb6cd24b46c9 (v1.9.1). This enhances consistency in your CI reporting.

---

49-52: Consistent Pinning for Goveralls in Finish Job

The finish job reuses the goveralls action with the same commit hash. Maintaining consistency across different jobs further assures reproducibility.

.github/workflows/codeql-analysis.yml (4)

40-41: Pinning actions/checkout in CodeQL Workflow

The checkout step in the CodeQL workflow is now fixed to commit 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2), aligning with the rest of the repository’s workflows.

🧰 Tools

🪛 YAMLlint (1.35.1)

[warning] 40-40: wrong indentation: expected 6 but found 4

(indentation)

---

44-46: Pinning github/codeql-action/init Version

The CodeQL initialization step now uses commit 1b549b9259bda1cb5ddde3b41741a82a2d15a841 (v3.28.13). This explicit commit pinning supports stability in security scanning.

---

58-59: Pinning github/codeql-action/autobuild Version

The autobuild step is updated to use commit 1b549b9259bda1cb5ddde3b41741a82a2d15a841 (v3.28.13). Please confirm that this commit works reliably with your build process.
[approve_code_changes, request_verification]

---

71-72: Pinning github/codeql-action/analyze Version

The analysis step now uses commit 1b549b9259bda1cb5ddde3b41741a82a2d15a841 (v3.28.13) for CodeQL analysis. This change improves consistency and predictability in the scanning process.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai plan to trigger planning for file edits and PR creation.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[Copilot]

Pull Request Overview

This pull request pins various GitHub Actions to specific commit hashes to improve workflow consistency and security.

• Update of checkout, setup-go, and goveralls actions in test.yml
• Update of checkout and golangci-lint actions in reviewdog.yml
• Update of checkout, CodeQL initialization, autobuild, and analyze actions in codeql-analysis.yml

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
.github/workflows/test.yml	Pinning checkout, setup-go, and goveralls actions to commit hashes
.github/workflows/reviewdog.yml	Pinning checkout and golangci-lint actions
.github/workflows/codeql-analysis.yml	Pinning CodeQL actions (checkout, init, autobuild, analyze)

Comments suppressed due to low confidence (1)

.github/workflows/reviewdog.yml:13

• [nitpick] The step name 'mark' is ambiguous. Consider renaming it to something more descriptive, such as 'Run golangci-lint with reviewdog', to clarify its purpose.

- name: mark

[coveralls]

Pull Request Test Coverage Report for Build 14078880485

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 78.75%

---

Totals
Change from base Build 14078838454:	0.0%
Covered Lines:	378
Relevant Lines:	480

---

💛 - Coveralls