chore: enforce semantic pr #13
📝 Walkthrough
A new GitHub Actions workflow file has been added to enforce semantic versioning conventions on pull requests, using the
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~8 minutes
🚥 Pre-merge checks: ✅ 3 passed checks (3 passed)
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/semantic-pr.yml (1)
5-5: Consider adding `reopened` to the trigger list. This keeps semantic-title checks consistent when a closed PR is reopened without further edits.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/semantic-pr.yml at line 5, Update the GitHub Actions workflow trigger by adding "reopened" to the types list so the semantic PR check runs when a previously closed PR is reopened; modify the existing types array (currently containing "opened", "edited", "synchronize") to include "reopened" to ensure consistency for the semantic-title check.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/semantic-pr.yml:
- Around line 14-16: The workflow currently references the third-party action as
amannn/action-semantic-pull-request@v5 (in the uses: line), which is mutable;
replace the tag with the corresponding immutable commit SHA for the v5 release
(e.g., amannn/action-semantic-pull-request@<commit-sha>) so the action is
pinned, and update the uses: entry accordingly; locate the uses:
amannn/action-semantic-pull-request@v5 string in the workflow and swap the tag
for the commit SHA obtained from the repo (ensure no other references to `@v5`
remain).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 500e7ad6-2602-4e44-85cc-c0cd7ade9743
📒 Files selected for processing (1)
.github/workflows/semantic-pr.yml
Lines 14-16 of .github/workflows/semantic-pr.yml:
    - uses: amannn/action-semantic-pull-request@v5
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
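Review bot: the `uses:` line takes `amannn/action-semantic-pull-request` by the mutable `@v5` tag while the same step is handed `secrets.GITHUB_TOKEN`, so whoever can move that tag controls code that runs with the token. Pin to the full 40-hex commit SHA and keep the version as a trailing comment (`amannn/action-semantic-pull-request@<FULL_COMMIT_SHA> # v5`) so version tooling can still follow releases, and give the job an explicit least-privilege `permissions:` block instead of relying on the default token scope.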
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "1) Find mutable action refs in workflows (tags like '@v5'):"  # single quotes: backticks inside double quotes would run @v5 as a command
rg -n --glob '.github/workflows/*.yml' 'uses:\s*[^@]+@v?[0-9]+(\.[0-9]+)?$'
echo
echo "2) Resolve current object behind amannn/action-semantic-pull-request@v5:"
curl -fsSL https://api.github.com/repos/amannn/action-semantic-pull-request/git/ref/tags/v5 | jq -r '.object | "type=\(.type) sha=\(.sha)"'
echo
echo "If type=tag, resolve that tag object to the commit SHA before pinning."
Repository: smnatale/coderabbit.nvim
Length of output: 291
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Exploring repository structure ==="
ls -la .github/ 2>/dev/null || echo ".github/ not found"
echo
echo "=== Check if .github/workflows/ exists ==="
ls -la .github/workflows/ 2>/dev/null || echo ".github/workflows/ not found"
echo
echo "=== List all files in the repository to understand structure ==="
git ls-files | head -30
Repository: smnatale/coderabbit.nvim
Length of output: 1568
🏁 Script executed:
#!/bin/bash
cat -n .github/workflows/semantic-pr.yml
Repository: smnatale/coderabbit.nvim
Length of output: 981
🌐 Web query:
GitHub Actions security best practices mutable action tags pull_request_target
💡 Result:
GitHub Actions security best practices for mutable action tags and pull_request_target focus on preventing supply chain attacks and remote code execution (RCE). Key practices:
1. Pin actions to full-length commit SHAs for immutability: avoid tags like @v1 or branches like @main, as they are mutable and can be hijacked. Use specific SHAs, e.g. uses: tj-actions/changed-files@abcdef1. This is the only way to ensure immutability.
2. For pull_request_target: use only when necessary (e.g., labeling PRs needing write access). Never check out untrusted PR code with actions/checkout using ref: ${{ github.event.pull_request.head.sha }}. This grants RCE with access to secrets and GITHUB_TOKEN (read/write by default). Instead, use pull_request for builds/tests (limited permissions), then workflow_run for privileged follow-ups after approval.
3. Additional mitigations:
- Set explicit permissions: {contents: read} or job-level restrictions; default to read-only.
- Avoid saving caches or artifacts in pull_request_target to prevent poisoning.
- Require manual approval (e.g., a 'safe to test' label) or restrict to same-repo PRs: if: github.event.pull_request.head.repo.full_name == github.repository.
- Use verified creators from Marketplace; review/fork third-party actions.
- Enable GitHub features: Dependabot for updates, CodeQL for scanning workflows, action allowlists.
Recent changes (effective Dec 2025): pull_request_target always uses the default branch for workflow source/ref, aligning with the security model.
Examples:
Safe pull_request_target (labeling):
    on: pull_request_target
    permissions:
      pull-requests: write
    steps:
      - uses: actions/labeler@v4  # No checkout of PR head
Unsafe (avoid):
    on: pull_request_target
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install  # Executes untrusted code with secrets
Citations:
- 1: https://docs.github.com/en/actions/how-tos/security-for-github-actions/security-guides/security-hardening-for-github-actions
- 2: https://docs.github.com/en/actions/reference/security/secure-use
- 3: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests
- 4: https://medium.com/@Ibraheemcisse/unraveling-cve-2025-30066-the-hidden-risk-of-mutable-version-tags-in-github-actions-c91a88197086
- 5: https://arctiq.com/blog/top-10-github-actions-security-pitfalls-the-ultimate-guide-to-bulletproof-workflows
- 6: https://paulserban.eu/blog/post/why-is-pullrequesttarget-so-dangerous-a-security-explainer/
- 7: https://orca.security/resources/blog/pull-request-nightmare-github-actions-rce/
- 8: https://github.blog/changelog/2025-11-07-actions-pull_request_target-and-environment-branch-protections-changes
Pin the third-party action to an immutable commit SHA.
This workflow uses pull_request_target (line 4), a privileged event that executes with access to secrets and tokens. The action reference on line 14 uses the mutable semantic version tag @v5, which could be compromised if the upstream maintainer's account is hijacked or a tag is force-pushed. Pin the action to a specific commit SHA for immutability and supply-chain security.
Suggested change
- - uses: amannn/action-semantic-pull-request@v5
+ - uses: amannn/action-semantic-pull-request@<FULL_COMMIT_SHA> # v5
To find the commit SHA for v5, run: curl -s https://api.github.com/repos/amannn/action-semantic-pull-request/git/ref/tags/v5 | jq '.object.sha'
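Review bot: `jq '.object.sha'` on the `git/ref/tags/v5` response is the commit only when v5 is a lightweight tag; for an annotated tag `.object.type` is `tag` and that SHA names the tag object, which has to be dereferenced through `git/tags/<sha>` before it goes into the `uses:` line (the first script above prints the type for exactly this reason). Suggest the one-liner also emit `.object.type`, or point readers at that script, so a tag-object SHA is not pinned by mistake.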
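A small offline helper, added here as an example and not part of the project or of the review output above, covering both steps the comment asks for: resolving a tag to the commit behind it (dereferencing annotated tags, as the first script warns) and rewriting `uses:` lines to `@<sha> # v5` while checking that no mutable `@v5` reference remains. The JSON responses and the workflow excerpt are constructed stand-ins for real API output and the real file.

```python
"""Pin mutable GitHub Actions refs to full commit SHAs (added example, not project code; API JSON below is constructed)."""
import json
import re

# A `uses:` step whose ref is a mutable tag (v5, v5.2.0) or branch (main/master).
MUTABLE_REF = re.compile(
    r"^(\s*-?\s*uses:\s*)([\w.-]+/[\w.-]+)@(v?\d+(?:\.\d+)*|main|master)\s*$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def commit_sha_from_ref(ref_json, tag_json=None):
    """Commit behind git/ref/tags/<tag>. A lightweight tag points at the commit;
    an annotated tag points at a tag object, so its git/tags/<sha> JSON is needed."""
    obj = json.loads(ref_json)["object"]
    if obj["type"] == "commit":
        return obj["sha"]
    if tag_json is None:
        raise ValueError("annotated tag: also pass the git/tags/<sha> response")
    target = json.loads(tag_json)["object"]
    if target["type"] != "commit":
        raise ValueError(f"tag points at {target['type']!r}, not a commit")
    return target["sha"]

def pin_workflow(text, shas):
    """Rewrite `uses: owner/repo@tag` to `@<sha> # tag` for each key of `shas`
    ({"owner/repo@tag": sha}); refs without a known SHA are left untouched."""
    out = []
    for line in text.splitlines():
        m = MUTABLE_REF.match(line)
        key = f"{m[2]}@{m[3]}" if m else None
        if key in shas:
            if not FULL_SHA.match(shas[key]):
                raise ValueError(f"{key}: not a full 40-hex commit SHA")
            line = f"{m[1]}{m[2]}@{shas[key]} # {m[3]}"  # tag kept as a comment
        out.append(line)
    return "\n".join(out) + "\n"

def mutable_refs(text):
    """Mutable refs still present; empty once no `@v5`-style reference remains."""
    return [f"{m[2]}@{m[3]}" for m in map(MUTABLE_REF.match, text.splitlines()) if m]
# Constructed sample data: an annotated v5 tag and the workflow excerpt under review.
COMMIT_SHA = "0a1b2c3d4e5f60718293a4b5c6d7e8f901234567"
REF_JSON = json.dumps({"object": {"type": "tag", "sha": "1" * 40}})
TAG_JSON = json.dumps({"object": {"type": "commit", "sha": COMMIT_SHA}})
WORKFLOW = """\
on: pull_request_target
steps:
  - uses: amannn/action-semantic-pull-request@v5
    env: {GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"}
"""
```

`mutable_refs` on the pinned text returning an empty list is the "no other references to `@v5` remain" check from the prompt above.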
Description
add gh workflow enforcing semantic pr