Pin actions version to commit; force runner to use node 24#7685
Conversation
📝 WalkthroughWalkthroughThe CI workflow Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| CARGO_PROFILE_DEV_DEBUG: 0 | ||
| CARGO_PROFILE_RELEASE_DEBUG: 0 | ||
| CARGO_TERM_COLOR: always | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true' # TODO: Remove on 2026/06/02 |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/ci.yaml (1)
193-193: Optional: pin remaining third-party actions to commits for consistency with the PR intent.A few JS-based third-party actions are still on floating refs and would be flagged by zizmor's
unpinned-usesrule:
- L193:
nttld/setup-ndk@v1- L596:
wasmerio/setup-wasmer@v3- L447:
dtolnay/rust-toolchain@master(the@stableuses elsewhere are arguably idiomatic since rust-toolchain is a thin wrapper, but@masteron a CI path is the riskier one)Not blocking — feel free to defer to a follow-up if you'd rather keep this PR scoped to the Node 24 fixup.
Also applies to: 596-596, 447-447
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yaml at line 193, The workflow currently uses floating refs for third-party actions (nttld/setup-ndk@v1, wasmerio/setup-wasmer@v3, dtolnay/rust-toolchain@master); update each use to a pinned commit SHA (e.g., replace the `@v1/`@v3/@master tags with the specific commit hash from the action's repository) so the CI is deterministic and consistent with the PR intent — locate the three usages (nttld/setup-ndk, wasmerio/setup-wasmer, dtolnay/rust-toolchain) and change their refs to the latest appropriate commit SHAs.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/ci.yaml:
- Line 193: The workflow currently uses floating refs for third-party actions
(nttld/setup-ndk@v1, wasmerio/setup-wasmer@v3, dtolnay/rust-toolchain@master);
update each use to a pinned commit SHA (e.g., replace the `@v1/`@v3/@master tags
with the specific commit hash from the action's repository) so the CI is
deterministic and consistent with the PR intent — locate the three usages
(nttld/setup-ndk, wasmerio/setup-wasmer, dtolnay/rust-toolchain) and change
their refs to the latest appropriate commit SHAs.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
Run ID: 7073a5fb-0bc6-41bd-83a0-914958db176b
📒 Files selected for processing (1)
.github/workflows/ci.yaml
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/ci.yaml (1)
596-596: Minor: pin comment uses minor tag instead of full semver.For consistency with the other pins in this file (
# v4.0.0,# v6.0.2,# v1.24.0), consider tightening the comment label here to the exact patch tag corresponding to the SHA (e.g.,# v3.1.x) so future bumps are easier to audit. Behavior unchanged.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/ci.yaml at line 596, The comment after the Wasmer setup action uses a loose minor tag; update the inline comment on the uses: wasmerio/setup-wasmer@24b15c95293d23f89c68bd40dac76338f773e924 line to match the exact patch tag format used elsewhere (e.g., change "# v3.1" to the exact patch comment like "# v3.1.x" or the specific patch "# v3.1.0" that corresponds to that SHA) so it is consistent with the other pinned comments.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/ci.yaml:
- Line 193: The workflow pins the GitHub Action "wasmerio/setup-wasmer" to tag
v3.1 which doesn't exist; update the action reference in the workflow (the uses
entry for wasmerio/setup-wasmer) to a valid tag or commit SHA from the
wasmerio/setup-wasmer upstream repo: look up the correct release tag or copy a
full commit SHA, replace "wasmerio/setup-wasmer@v3.1" with
"wasmerio/setup-wasmer@<valid-tag-or-sha>", and re-run verification to ensure
the pin resolves successfully.
---
Nitpick comments:
In @.github/workflows/ci.yaml:
- Line 596: The comment after the Wasmer setup action uses a loose minor tag;
update the inline comment on the uses:
wasmerio/setup-wasmer@24b15c95293d23f89c68bd40dac76338f773e924 line to match the
exact patch tag format used elsewhere (e.g., change "# v3.1" to the exact patch
comment like "# v3.1.x" or the specific patch "# v3.1.0" that corresponds to
that SHA) so it is consistent with the other pinned comments.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
Run ID: 0f6c662e-4396-453c-8604-8d12a2d1c988
📒 Files selected for processing (1)
.github/workflows/ci.yaml
Summary by CodeRabbit