
[AAASM-3780] 🔧 (ci): Pin reusable workflow refs to commit SHA #186

Merged
Chisanan232 merged 2 commits into master from v0.0.1/AAASM-3780/pin_reusable_workflow_shas on Jun 26, 2026

Conversation

@Chisanan232

Contributor

Description

Pin the eight mutable @master references to the
Chisanan232/GitHub-Action_Reusable_Workflows-Python reusable workflows in
.github/workflows/rw_build_and_test.yaml to a full commit SHA, matching the
already-pinned rw_upload_test_cov_report style.

  • 3 × rw_uv_run_test.yaml@master
  • 5 × rw_organize_test_cov_reports.yaml@master

All eight now point at 4a6480470b90c0b6139e05489868585fa50aad6f (the reusable
repo's master HEAD as of 2026-05-26, the same SHA the upload-cov ref is pinned
to), with an inline # master @ 2026-05-26 comment. Commented-out reusable-workflow
references were intentionally left untouched.

Type of Change

  • 🔧 Bug fix

Breaking Changes

  • No

Related Issues

  • Related JIRA ticket: AAASM-3780
  • Closes AAASM-3780

Testing

  • Manual testing performed
  • No tests required (explain why)

Validation:

  • Confirmed both reusable-workflow files exist at the pinned SHA via the GitHub API.
  • python3 -c "import yaml; yaml.safe_load(...)" — YAML parses cleanly.
  • actionlint .github/workflows/rw_build_and_test.yaml — no findings.
  • Verified 8/8 active refs pinned and 0 active @master Chisanan refs remain.

Why

Mutable @master refs let an upstream force-push silently change CI behavior
(supply-chain risk). A full commit SHA makes the workflow reproducible and
auditable.

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Documentation updated if needed
  • All tests passing

🤖 Generated with Claude Code
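An added example, not code from this PR or from the reusable-workflow repository, of the kind of check behind the "8/8 active refs pinned, 0 active @master refs remain" validation above: a small Python auditor that scans a workflow file for `uses:` references, skips commented-out lines (the ones this PR deliberately left alone), and reports every active reference that is not pinned to a full 40-hex commit SHA. This is a check actionlint does not perform. The sample workflow embedded below is constructed for the example and only mirrors the shape of the refs this PR touches; the function names `parse_uses_refs` and `audit` are assumptions of this example. Note the limit of the check: it proves a ref is immutable, not that the SHA is the one you meant, so confirming the commit exists upstream (as the PR did via the GitHub API) remains a separate step.

```python
"""Audit `uses:` references in a GitHub Actions workflow for commit-SHA pinning."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# A full 40-hex commit SHA is the only ref GitHub Actions resolves immutably;
# branches and tags can be moved or force-pushed upstream.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# `uses:` at any indentation, optionally a list item, optionally behind one or
# more `#` comment markers; captures the bare or quoted value.
USES_RE = re.compile(
    r"""^\s*(?P<comment>(?:#\s*)+)?(?:-\s+)?uses:\s*["']?(?P<value>[^\s"'#]+)"""
)


@dataclass
class UsesRef:
    line_no: int
    target: str           # e.g. owner/repo/.github/workflows/x.yaml
    ref: Optional[str]    # text after '@'; None when absent (local path, docker tag)
    commented_out: bool
    note: str             # trailing inline comment, e.g. "master @ 2026-05-26"

    @property
    def is_local(self) -> bool:
        return self.target.startswith("./")

    @property
    def pinned(self) -> bool:
        """True when the ref cannot drift: a full SHA, or a digest for docker://."""
        if self.is_local:
            return True
        if self.ref is None:
            return False
        if self.target.startswith("docker://"):
            return self.ref.startswith("sha256:")
        return FULL_SHA_RE.fullmatch(self.ref) is not None

    @property
    def display(self) -> str:
        return f"{self.target}@{self.ref}" if self.ref else self.target


def parse_uses_refs(text: str) -> list[UsesRef]:
    """Return every `uses:` reference in the file, commented-out ones included."""
    refs: list[UsesRef] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, sep, ref = m.group("value").partition("@")
        rest = line[m.end():]
        note = rest.split("#", 1)[1].strip() if "#" in rest else ""
        refs.append(UsesRef(line_no, target, ref if sep else None,
                            m.group("comment") is not None, note))
    return refs


def audit(text: str, owner_prefix: Optional[str] = None) -> dict:
    """Summarise pinning state; owner_prefix (e.g. 'Chisanan232/') narrows the scope."""
    active = [r for r in parse_uses_refs(text) if not r.commented_out and not r.is_local]
    if owner_prefix:
        active = [r for r in active if r.target.startswith(owner_prefix)]
    unpinned = [r for r in active if not r.pinned]
    return {
        "active": len(active),
        "pinned": len(active) - len(unpinned),
        "unpinned": [(r.line_no, r.display) for r in unpinned],
        # Pinned refs should say which branch/date the SHA came from, per the
        # `# master @ YYYY-MM-DD` convention, so later bumps stay auditable.
        "pinned_without_note": [r.line_no for r in active if r.pinned and not r.note],
    }


# Constructed sample for this example; not the project's real rw_build_and_test.yaml.
SAMPLE_WORKFLOW = """\
# Constructed sample workflow (example input, not a real file).
name: build-and-test
on: [push]
jobs:
  test:
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_uv_run_test.yaml@4a6480470b90c0b6139e05489868585fa50aad6f  # master @ 2026-05-26
    secrets:
      e2e_test_api_token: ${{ secrets.E2E_TEST_API_TOKEN }}
  coverage:
    needs: test
    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_organize_test_cov_reports.yaml@master
#  old-coverage:
#    uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_organize_test_cov_reports.yaml@master
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for line_no, ref in audit(SAMPLE_WORKFLOW)["unpinned"]:
        print(f"line {line_no}: mutable ref {ref}")
```

Run against a real file with `audit(open(path).read(), owner_prefix="Chisanan232/")`; a non-empty `unpinned` list is the CI failure condition, and `pinned_without_note` catches SHAs that were pinned without recording where they came from.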

Chisanan232 and others added 2 commits June 26, 2026 11:55
Replace the 3 mutable @master refs to rw_uv_run_test.yaml with the
full commit SHA 4a6480470b90c0b6139e05489868585fa50aad6f, mirroring the
existing pinned rw_upload_test_cov_report ref. Prevents supply-chain
drift from an upstream master force-push.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf

Replace the 5 mutable @master refs to rw_organize_test_cov_reports.yaml
with the full commit SHA 4a6480470b90c0b6139e05489868585fa50aad6f. All 8
reusable-workflow refs in rw_build_and_test.yaml are now SHA-pinned.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019mSz31RysZF6DYToUoBWLf
@codecov

codecov Bot commented Jun 26, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.


@Chisanan232

Contributor Author

🤖 Claude Code — PR Review (AAASM-3780)

Recommendation: ✅ Approve

Independent review of the SHA-pinning change to .github/workflows/rw_build_and_test.yaml.

CI

All required checks green (Analyze, CodeQL, pip-audit, SonarCloud, full build-and-test matrix, codecov). No failures.

Scope — verified against the ticket

  • 8/8 active refs pinned. The exact lines named in the ticket (24, 34, 45, 85, 97, 109, 138, 154) are now …@4a6480470b90c0b6139e05489868585fa50aad6f — 3× rw_uv_run_test.yaml, 5× rw_organize_test_cov_reports.yaml.
  • 0 active @master Chisanan refs remain. The only @master references left (lines 59, 70, 122) are commented-out blocks — correctly left untouched.
  • SHA is real and correct. 4a6480470b90c0b6139e05489868585fa50aad6f exists in Chisanan232/GitHub-Action_Reusable_Workflows-Python, committed 2026-05-26T06:16:03Z (matches the # master @ 2026-05-26 inline comment). Both rw_uv_run_test.yaml and rw_organize_test_cov_reports.yaml resolve at that SHA.

Side-effects — no behavior change, no drift

The already-trusted sibling ref rw_upload_test_cov_report.yaml (pinned earlier under AAASM-3686 in rw_run_all_test_and_record.yaml) points at the same SHA 4a6480470b90c0b6139e05489868585fa50aad6f. So this PR pins the 8 missed refs to exactly the workflow version the trusted ref already uses — no silent upgrade/downgrade. The PR's own green CI confirms the pinned workflows run identically.

Verdict

Completes the AAASM-3686 remediation that missed these 8 refs. Removes the mutable-@master supply-chain exposure (secrets e2e_test_api_token/CODECOV_TOKEN/SONAR_TOKEN flowing into these jobs). Clean, minimal, reproducible. Approve.

@Chisanan232 Chisanan232 marked this pull request as ready for review June 26, 2026 06:45
@Chisanan232 Chisanan232 merged commit 2f682ab into master Jun 26, 2026
21 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3780/pin_reusable_workflow_shas branch June 26, 2026 07:01