ci: add GitHub Actions workflow for Conventional Commits

[matheusandre1]

Closes: #107

references for review : https://github.com/webiny/action-conventional-commits

[coderabbitai]

Warning

Rate limit exceeded

@matheusandre1 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 38 minutes and 10 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 38 minutes and 10 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a0f6c28d-00d0-43ce-8956-e0ab75f14d9e

📥 Commits

Reviewing files that changed from the base of the PR and between 670434d and 3096dca.

📒 Files selected for processing (2)

• .github/workflows/conventional-commits.yaml
• CONTRIBUTING.md

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow is introduced that automatically validates pull request commit messages against conventional commit standards using the webiny/action-conventional-commits@v1.3.0 action, triggered on pull requests targeting the main branch.

Changes

Cohort / File(s)	Summary
Conventional Commits CI Workflow .github/workflows/conventional-commits.yaml	Added new GitHub Actions workflow that runs on pull requests to validate commit messages comply with conventional commit format standards.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A workflow so keen, checking commits pristine,
Conventional messages in every pull request scene,
Validate, validate—keep the git history clean,
The finest CI rabbit has ever seen! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'ci: add GitHub Actions workflow for Conventional Commits' clearly and accurately summarizes the main change: adding a CI workflow for commit validation.
Linked Issues check	✅ Passed	The PR adds a GitHub Actions workflow using webiny/action-conventional-commits@v1.3.0, which implements commit message validation as required by issue #107, though using a pre-built action rather than commitlint configuration.
Out of Scope Changes check	✅ Passed	The PR only adds a single workflow file for conventional commits validation, which is directly aligned with the stated objective of implementing commit message validation per issue #107.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/conventional-commits.yaml (1)

12-14: Consider pinning actions by commit SHA for stronger supply-chain integrity.

The workflow currently uses version tags (v3 and v1.3.0), which comply with the guideline allowing "commit SHA or tagged versions." However, tags are mutable and can be tampered with. Full-length commit SHA pinning provides cryptographic immutability and is the recommended approach, especially for third-party actions like webiny/action-conventional-commits. GitHub's official security guidance and 2025 policies favor SHA pinning to mitigate supply chain risks.

Example hardening pattern

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@e2f00d665bcc5294bcadcd8cc6fa1ccd7bde0480 # v3.6.0

-      - uses: webiny/action-conventional-commits@v1.3.0
+      - uses: webiny/action-conventional-commits@<full_commit_sha_for_v1.3.0>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/conventional-commits.yaml around lines 12 - 14, Replace
mutable tag refs with full commit SHAs for the GitHub Actions used: change uses:
actions/checkout@v3 to the specific checkout commit SHA and change uses:
webiny/action-conventional-commits@v1.3.0 to the action's full commit SHA;
update the workflow so the two uses entries reference those full-length SHA
values (instead of v3 and v1.3.0) to ensure immutability and stronger
supply-chain integrity.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/conventional-commits.yaml:
- Line 12: Update the checkout action reference from actions/checkout@v3 to
actions/checkout@v4 to avoid the deprecated Node 16 runtime; locate the line
containing "uses: actions/checkout@v3" and replace it with "uses:
actions/checkout@v4" so this workflow matches the other repository workflows
already upgraded to v4.

---

Nitpick comments:
In @.github/workflows/conventional-commits.yaml:
- Around line 12-14: Replace mutable tag refs with full commit SHAs for the
GitHub Actions used: change uses: actions/checkout@v3 to the specific checkout
commit SHA and change uses: webiny/action-conventional-commits@v1.3.0 to the
action's full commit SHA; update the workflow so the two uses entries reference
those full-length SHA values (instead of v3 and v1.3.0) to ensure immutability
and stronger supply-chain integrity.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4c3110f4-6774-417c-bafc-530a2e83e5e9

📥 Commits

Reviewing files that changed from the base of the PR and between 9a73ebb and 670434d.

📒 Files selected for processing (1)

• .github/workflows/conventional-commits.yaml

[omatheusmesmo]

@matheusandre1 has exceeded the limit for the number of commits that can > be reviewed per hour. Please wait 38 minutes and 10 seconds before requesting another review.

LOL, are you a bot?! @matheusandre1

[omatheusmesmo]

LGTM.