
feat: add pinact-action to automate GitHub Actions SHA pinning (do not merge)

Open aaronsteers opened this issue 2 months ago • 6 comments

This PR targets the following PR:

  • #801

Summary

Adds automated SHA pinning for GitHub Actions using a Poe-based approach with the following components:

  • /gh-ci-fix slash command: Uses aaronsteers/poe-command-processor to automatically pin actions to SHA hashes
  • CI validation workflow: Runs poe gh-ci-check on PRs to ensure all actions are pinned
  • Poe tasks: Added gh-ci-check (validation) and gh-ci-fix (pinning) tasks to pyproject.toml
  • Documentation: Updated CONTRIBUTING.md with comprehensive pinact CLI examples and slash command usage

Review & Testing Checklist for Human

  • [ ] Test /gh-ci-fix slash command end-to-end: Create a test PR with unpinned actions and verify the slash command works correctly, commits changes, and pins actions properly
  • [ ] Verify CI validation workflow: Check that the validate-pinned-actions.yml workflow correctly fails when actions are unpinned and passes when they are pinned
  • [ ] Test Poe tasks locally: Run poetry run poe gh-ci-check and poetry run poe gh-ci-fix to ensure they work correctly and pinact is accessible at the hardcoded path
  • [ ] Verify workflow permissions: Ensure the GitHub App authentication and elevated permissions (contents: write, workflows: write) work correctly without security risks

Notes

  • Uses GitHub App authentication pattern consistent with other repo workflows (OCTAVIA_BOT_APP_ID/PRIVATE_KEY)
  • Hardcoded path $HOME/go/bin/pinact assumes global Go installation - may need adjustment for different environments
  • Third-party dependency on aaronsteers/[email protected] action - verify this version works reliably
  • CI validation workflow installs pinact via go install which requires Go runtime in CI

Link to Devin run: https://app.devin.ai/sessions/d8971a7395d14f9ba0cbdab06515a121

Requested by: @aaronsteers

Summary by CodeRabbit

  • New Features

    • Added an on-demand “gh-ci-fix” slash command and workflow to automatically pin GitHub Actions in pull requests.
    • Introduced local scripts to check and fix GitHub Actions pinning via project tooling.
    • Added MCP utility scripts for server start, inspection, and tool testing.
  • Documentation

    • Expanded contributing guide with instructions for using pinact and the /gh-ci-fix command, including per-file and dry-run examples.
  • Chores

    • Implemented a PR workflow that validates all GitHub Actions are SHA-pinned and provides guidance on fixing failures.

aaronsteers · Sep 24 '25 21:09
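As an added illustration of what the `gh-ci-check` validation step described in this PR has to catch (example code written for this page, not PyAirbyte's or pinact's own), the stand-alone Python check below flags `uses:` references that are not pinned to a full commit SHA and also reports pinned SHAs that lack the trailing version comment pinact writes; the sample workflow and its 40-hex values are constructed placeholders.

```python
import re
from typing import NamedTuple

# A `uses:` step line, optionally followed by a trailing `# vX.Y` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

class Finding(NamedTuple):
    line: int
    ref: str
    reason: str

def check_workflow(text: str) -> list:
    # Returns every remote action reference not pinned to a full 40-hex commit SHA.
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and container images are resolved differently; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.rsplit("@", 1)[-1]  # a reference without "@" falls through as unpinned
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(Finding(lineno, ref, "mutable tag/branch ref"))
        elif not comment:
            # Pinned, but nobody can tell which release the SHA is; pinact writes this comment.
            findings.append(Finding(lineno, ref, "SHA without version comment"))
    return findings

# Constructed sample workflow; the 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: poetry run pytest
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref} ({f.reason})")
```

Running it over `.github/workflows/*.yml` and exiting non-zero when the list is non-empty is the shape of check a PR gate like the one in this PR needs.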