
ci: pin split-score workflow to published v1.0.0 action #41

Merged
vitali87 merged 1 commit into main from ci/pin-split-score-action on Mar 28, 2026

Conversation

@vitali87 (Owner)

Summary

  • Reference the published vitali87/pr-split@v1.0.0 action instead of local ./
  • Add contents: read permission required by checkout

Test plan

  • Verify the action runs on this PR

@gemini-code-assist


Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@greptile-apps

greptile-apps Bot commented Mar 28, 2026


Greptile Summary

This PR makes two small but meaningful CI improvements to the split-score workflow: it switches the action reference from the local ./ (live working tree) to the published vitali87/pr-split@v1.0.0 release, and explicitly adds the contents: read permission required by actions/checkout.

Key changes:

  • Replacing uses: ./ with uses: vitali87/pr-split@v1.0.0 closes a potential supply-chain risk where a PR author could modify the local action code and have it executed with pull-requests: write permissions under the pull_request event.
  • Adding contents: read brings the permissions block in line with the principle of least privilege and ensures compatibility with stricter repository permission settings.
  • A name: field was added to the action step, improving log readability.

Confidence Score: 5/5

Safe to merge — changes are a straightforward CI hardening with no functional regressions.

The only open finding (P2) is a best-practice suggestion to pin the action to an immutable commit SHA rather than the v1.0.0 tag. This does not block merge.

No files require special attention.

Important Files Changed

Filename: .github/workflows/split-score.yml
Overview: Pins the action reference from the local ./ to the published vitali87/pr-split@v1.0.0 tag and adds the contents: read permission required by actions/checkout.

Sequence Diagram

```mermaid
sequenceDiagram
    participant PR as Pull Request Event
    participant GH as GitHub Actions Runner
    participant Checkout as actions/checkout@v4
    participant Action as vitali87/pr-split@v1.0.0
    participant Script as score_pr.py
    participant API as GitHub REST API

    PR->>GH: trigger (pull_request → main)
    GH->>Checkout: fetch full history (fetch-depth: 0)<br/>permissions: contents: read
    Checkout-->>GH: repository cloned
    GH->>Action: run with max-loc, partition-strategy, threshold-groups
    Action->>Script: execute scoring logic
    Script-->>Action: outputs (total-loc, should-split, comment_path)
    alt should-split == true
        Action->>API: post/update PR comment<br/>permissions: pull-requests: write
    end
```

Reviews (1): Last reviewed commit: "ci: pin split-score workflow to publishe..."


- uses: ./
- name: pr-split score
uses: vitali87/pr-split@v1.0.0
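Review bot: `uses: vitali87/pr-split@v1.0.0` on the new step pins to a tag, and a tag is a reference that anyone with write access to vitali87/pr-split can move, so the step still runs whatever `v1.0.0` points at on the day the workflow fires; replacing `./` (this repository's own action, per the description) does close the fork-PR path, but not that one. Pin the full 40-character commit SHA the tag currently resolves to and keep the tag as a trailing comment, `uses: vitali87/pr-split@<sha> # v1.0.0`, so Dependabot and Renovate can still propose version bumps. A rendering note for readers of this page: the leading dashes on `- uses: ./` and `- name: pr-split score` are the YAML list markers from the file, not diff removal markers; the rendered +/- column did not survive extraction, and per the summary above the `name:` line is an addition.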


P2 Consider pinning to a commit SHA instead of a mutable tag

`vitali87/pr-split@v1.0.0` is pinned to a tag, which is a mutable reference — the tag could be force-pushed to a different commit without changing this workflow file. GitHub's own security hardening guide recommends pinning third-party actions to a full commit SHA for supply-chain integrity.

Suggested change (replacing `uses: vitali87/pr-split@v1.0.0`):

```suggestion
        uses: vitali87/pr-split@<full-commit-sha-of-v1.0.0>
```

You can find the SHA by running `git ls-remote https://github.com/vitali87/pr-split refs/tags/v1.0.0` and using the dereferenced (`^{}`) object SHA.

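The pin-to-SHA recommendation from the Greptile summary and the inline P2 comment above, worked through as an added example (not code from the vitali87/pr-split project or from either reviewer). It does the two things the comment describes: resolve a tag to the commit it points at from `git ls-remote` output, preferring the dereferenced `^{}` object so that an annotated tag's own object SHA is never mistaken for the commit, then audit a workflow for `uses:` references that are not full SHAs and rewrite them to `@<sha> # <tag>`, the form Dependabot and Renovate still recognise. The ls-remote output, the workflow fragment, every SHA, and the `fake_resolver` stub are constructed; `ls_remote_resolver` is the only function that touches the network and the sample run does not call it.

```python
"""Pin GitHub Actions `uses:` references to commit SHAs (added example, not project code)."""
import re
import subprocess
from typing import Callable, Dict, List, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/subpath]@ref`. Local actions (`./`) and
# `docker://` images do not match this pattern and are left untouched.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<trailer>\s*(?:#.*)?)$"
)

# Constructed `git ls-remote` output for an ANNOTATED tag: the first SHA is the
# tag object itself; the `^{}` line is the commit it dereferences to.
LS_REMOTE_ANNOTATED = (
    "1111111111111111111111111111111111111111\trefs/tags/v1.0.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v1.0.0^{}\n"
)
# Constructed output for a LIGHTWEIGHT tag: no `^{}` line, the ref is the commit.
LS_REMOTE_LIGHTWEIGHT = "3333333333333333333333333333333333333333\trefs/tags/v1.0.0\n"


def resolve_tag(ls_remote_output: str, tag: str) -> str:
    """Return the commit SHA for `tag`, preferring the peeled `^{}` entry."""
    plain = peeled = None
    for line in ls_remote_output.splitlines():
        if "\t" not in line:
            continue
        sha, ref = line.split("\t", 1)
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha          # annotated tag -> the commit it points at
        elif ref == f"refs/tags/{tag}":
            plain = sha           # lightweight tag -> already a commit
    sha = peeled or plain
    if sha is None or not SHA_RE.match(sha):
        raise ValueError(f"no usable commit SHA for tag {tag!r}")
    return sha


def ls_remote_resolver(action: str, ref: str) -> str:
    """Resolve `ref` of `action` over the network with `git ls-remote` (needs git + network)."""
    owner, repo = action.split("/")[:2]  # drop any action subpath
    out = subprocess.run(
        ["git", "ls-remote", f"https://github.com/{owner}/{repo}", f"refs/tags/{ref}"],
        check=True, capture_output=True, text=True,
    ).stdout
    return resolve_tag(out, ref)


def unpinned_actions(workflow_text: str) -> List[Tuple[int, str, str]]:
    """List (line_no, action, ref) for every remote action not pinned to a full SHA."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m["ref"]):
            found.append((n, m["action"], m["ref"]))
    return found


def pin_uses_lines(workflow_text: str, resolver: Callable[[str, str], str]) -> str:
    """Rewrite mutable refs to `@<sha> # <ref>`; already-pinned lines pass through unchanged."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m is None or SHA_RE.match(m["ref"]):
            out.append(line)
            continue
        sha = resolver(m["action"], m["ref"])
        out.append(f"{m['prefix']}{m['action']}@{sha} # {m['ref']}")
    return "\n".join(out) + "\n"


# Constructed workflow fragment modelled on the page's split-score.yml step.
SAMPLE_WORKFLOW = """\
jobs:
  score:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: pr-split score
        uses: vitali87/pr-split@v1.0.0
      - uses: ./
"""

# Offline stand-in for ls_remote_resolver: constructed SHAs keyed by action@ref.
FAKE_SHAS: Dict[str, str] = {
    "actions/checkout@v4": "4444444444444444444444444444444444444444",
    "vitali87/pr-split@v1.0.0": resolve_tag(LS_REMOTE_ANNOTATED, "v1.0.0"),
}


def fake_resolver(action: str, ref: str) -> str:
    return FAKE_SHAS[f"{action}@{ref}"]


if __name__ == "__main__":
    for n, action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is not SHA-pinned")
    print(pin_uses_lines(SAMPLE_WORKFLOW, fake_resolver))
```

`unpinned_actions` is the piece to wire into CI as a failing check; `pin_uses_lines` with `ls_remote_resolver` is a one-off rewrite. Running the audit again on its own output returns an empty list, which is the property a pre-commit hook should assert.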

@vitali87 vitali87 merged commit 2686464 into main Mar 28, 2026
5 checks passed
