fix(ci): Make breaking changes checks compare against the merge-base

[kensimon]

For both the proto-breaking-changes and openapi-breaking-changes checks, they currently compare against main for breaking changes, but that means if new fields/etc were added to main since the branch was created, they incorrectly show them as being removed in the PR branch. This updates it to check against $(git merge-base HEAD origin/main) so that it only sees the actual diffs introduced in this branch since it started.

Related issues

#2923

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[coderabbitai]

Walkthrough

The CI workflows update protobuf and OpenAPI breaking-change checks to compare against a computed merge-base with origin/main instead of the branch tip.

Changes

Workflow comparison base updates

Layer / File(s)	Summary
Proto merge-base comparison .github/workflows/ci.yaml	The protobuf breaking-changes job now fetches origin/main, computes a merge-base, archives crates/rpc/proto from that commit into a temporary directory, and compares buf breaking against that local base. The checkout comment and shell handling are updated.
OpenAPI merge-base comparison .github/workflows/rest-lint-and-test.yml	The OpenAPI breaking check now resolves a merge-base with origin/main and passes that commit to oasdiff-action/breaking as the comparison base.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• breaking-changes checks incorrectly flags out-of-date branches #2923 — The protobuf breaking-change workflow now compares against a computed merge-base with origin/main, matching the issue’s out-of-date branch comparison objective.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly states the CI breaking-change checks now compare against the merge-base.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The description accurately explains the CI comparison-base change for proto and OpenAPI breaking-change checks.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 994-997: The checkout step currently leaves the GitHub token
persisted in the workspace, which unnecessarily exposes credentials to later
steps. Update the existing actions/checkout usage in the CI workflow to disable
persisted credentials for this job, and keep authentication limited to the
explicit git fetch that follows if the repository is private. Locate the
Checkout code step in the workflow and apply the fix there, preserving the
current fetch-depth behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 89b0a22c-3240-4ba4-a31d-b2ae345a55b6

📥 Commits

Reviewing files that changed from the base of the PR and between c4c4d09 and 52adf7e.

📒 Files selected for processing (1)

• .github/workflows/ci.yaml

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable persistent checkout credentials for this job.

actions/checkout writes the repo token into .git/config by default. This job only needs credentials for the explicit git fetch, so leaving the token available to every later step unnecessarily widens the exfiltration surface. Set persist-credentials: false here, and if the repo is private, scope authentication to the single fetch command instead of the whole workspace.

Suggested change

       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0 # Required to compute the merge-base against main

As per path instructions, GitHub Actions workflow reviews should cover secret handling; zizmor also flags this checkout step for persisted credentials.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0 # Required: Buf needs the history to compare against main
	fetch-depth: 0 # Required to compute the merge-base against main
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	persist-credentials: false
	fetch-depth: 0 # Required to compute the merge-base against main

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 994-997: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 995-995: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yaml around lines 994 - 997, The checkout step
currently leaves the GitHub token persisted in the workspace, which
unnecessarily exposes credentials to later steps. Update the existing
actions/checkout usage in the CI workflow to disable persisted credentials for
this job, and keep authentication limited to the explicit git fetch that follows
if the repository is private. Locate the Checkout code step in the workflow and
apply the fix there, preserving the current fetch-depth behavior.

Sources: Path instructions, Linters/SAST tools

[kensimon]

Filed #2925 for this, out of scope for this PR.

[github-actions]

🔐 TruffleHog Secret Scan

✅ No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

_{🕐 Last updated: 2026-06-26 17:42:23 UTC | Commit: 78b27e9}

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
boot-artifacts-aarch64	3	0	0	3	0	0
boot-artifacts-x86_64	3	0	0	3	0	0
forge-admin-cli-x86_64	285	6	26	102	7	144
machine-validation-runner	744	32	188	267	36	221
machine_validation	744	32	188	267	36	221
machine_validation-aarch64	744	32	188	267	36	221
nvmetal-carbide	744	32	188	267	36	221
TOTAL	3267	134	778	1176	151	1028

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.