14 changes: 12 additions & 2 deletions .github/workflows/ci.yaml
Expand Up @@ -994,7 +994,7 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Required: Buf needs the history to compare against main
fetch-depth: 0 # Required to compute the merge-base against main
Comment on lines 994 to +997
Contributor
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable persistent checkout credentials for this job.

actions/checkout writes the repo token into .git/config by default. This job only needs credentials for the explicit git fetch, so leaving the token available to every later step unnecessarily widens the exfiltration surface. Set persist-credentials: false here, and if the repo is private, scope authentication to the single fetch command instead of the whole workspace.

Suggested change
       - name: Checkout code
         uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-depth: 0 # Required to compute the merge-base against main

As per path instructions, GitHub Actions workflow reviews should cover secret handling; zizmor also flags this checkout step for persisted credentials.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 994-997: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

[error] 995-995: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yaml around lines 994 - 997, the checkout step currently leaves the GitHub token persisted in the workspace, which unnecessarily exposes credentials to later steps. Update the existing actions/checkout usage in the CI workflow to disable persisted credentials for this job, and keep authentication limited to the explicit git fetch that follows if the repository is private. Locate the Checkout code step in the workflow and apply the fix there, preserving the current fetch-depth behavior.

Sources: Path instructions, Linters/SAST tools

Contributor Author

Filed #2925 for this, out of scope for this PR.


- name: Install Buf CLI
run: |
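Review bot: `uses: actions/checkout@v4` in this hunk is still referenced by a mutable tag, which zizmor reports above as unpinned-uses, while the oasdiff step in rest-lint-and-test.yml in this same PR is pinned to a full commit SHA; pin checkout to a SHA as well (with the version in a trailing comment) so both workflows follow one policy and a moved tag cannot change what runs in CI. Deferring persist-credentials to #2925 is reasonable, since the new comment on fetch-depth makes clear the history is only needed for the merge-base computation in the step that follows.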
Expand All @@ -1004,8 +1004,18 @@ jobs:

- name: Check for Breaking Changes
run: |
set -euo pipefail

git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
MERGE_BASE="$(git merge-base HEAD origin/main)"
BASE_PROTO_DIR="$(mktemp -d)"
trap 'rm -rf "${BASE_PROTO_DIR}"' EXIT

echo "Comparing protobuf changes against merge-base ${MERGE_BASE}"
git archive "${MERGE_BASE}" crates/rpc/proto | tar -x -C "${BASE_PROTO_DIR}"

buf breaking crates/rpc/proto \
--against 'https://github.com/${{ github.repository }}.git#branch=main,subdir=crates/rpc/proto' \
--against "${BASE_PROTO_DIR}/crates/rpc/proto" \
--error-format=github-actions

lint-police:
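Review bot: `git archive "${MERGE_BASE}" crates/rpc/proto` exits non-zero when that path does not exist at the merge-base (for example on a branch that first introduces crates/rpc/proto), and with `set -euo pipefail` the step then fails on the pipeline rather than with a clear message; guard it with `git cat-file -e "${MERGE_BASE}:crates/rpc/proto"` and either skip the check or print why it was skipped. Otherwise this is an improvement: comparing against a local archive of the merge-base removes the separate network fetch of `https://github.com/${{ github.repository }}.git` that the old `--against` performed, stops unrelated changes already merged to main from being reported as breaking in this PR, and the `trap ... EXIT` reliably removes the mktemp directory on every exit path.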
13 changes: 12 additions & 1 deletion .github/workflows/rest-lint-and-test.yml
Expand Up @@ -107,10 +107,21 @@ jobs:
with:
fetch-depth: 0

- name: Resolve OpenAPI comparison base
id: openapi-base
run: |
set -euo pipefail

git fetch --no-tags origin +refs/heads/main:refs/remotes/origin/main
MERGE_BASE="$(git merge-base HEAD origin/main)"

echo "merge_base=${MERGE_BASE}" >> "${GITHUB_OUTPUT}"
echo "Comparing OpenAPI changes against merge-base ${MERGE_BASE}"

- name: Check OpenAPI breaking changes
uses: oasdiff/oasdiff-action/breaking@a8c7f0e5649d20d623edb5b38446d3ab3d82d43c
with:
base: 'origin/main:rest-api/openapi/spec.yaml'
base: '${{ steps.openapi-base.outputs.merge_base }}:rest-api/openapi/spec.yaml'
revision: ':rest-api/openapi/spec.yaml'
fail-on: ERR
# Allowlist the intentional one-time rename of the BMC credential
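Review bot: the fetch-plus-merge-base block in this hunk is a copy of the one added to ci.yaml in this PR, so the two comparison rules can drift apart silently; consider moving it into a composite action or a script in the repo that both workflows invoke. The interpolation of `${{ steps.openapi-base.outputs.merge_base }}` into the `base` input is safe as written because the value is a commit SHA computed by the previous step from `git merge-base`, not text from the PR event payload; keep that property if the step is ever changed to accept an override.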