feat: implement issue #18 — Scorecard: Pinned-Dependencies (6/10) #291
don-petry wants to merge 51 commits into
Conversation
Walkthrough: This PR hardens dependency resolution by pinning all external references to immutable identifiers: GitHub Actions reusable workflows are pinned to specific commit SHAs instead of version tags, container base images are pinned by digest hash, and a
Code Review
This pull request pins the Docker base images in apps/api/Dockerfile to specific SHA256 digests for improved security and build reproducibility. Additionally, it appends a duplicate .dev-lead/ entry to .gitignore. The review feedback correctly identifies that this new entry is redundant due to existing duplicates in the file.
Pull request overview
Pins previously unpinned dependencies (container base images and reusable workflow references) to immutable digests/commit SHAs to improve supply-chain security posture and address OpenSSF Scorecard “Pinned-Dependencies”.
Changes:
- Pin apps/api/Dockerfile base images by digest (@sha256:...).
- Pin reusable workflow callers to specific commit SHAs instead of mutable refs/tags.
- Add another .dev-lead/ ignore entry (introduces further duplication).
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| apps/api/Dockerfile | Pins builder/runtime base images by digest. |
| .gitignore | Adds an additional .dev-lead/ entry (duplicates existing entries). |
| .github/workflows/pr-review.yml | Pins reusable workflow ref from @main to a commit SHA. |
| .github/workflows/pr-review-mention.yml | Pins reusable workflow ref from @v2 to a commit SHA. |
| .github/workflows/pr-auto-review.yml | Pins reusable workflow ref from @v2 to a commit SHA. |
| .github/workflows/dependency-audit.yml | Pins reusable workflow ref from @v2 to a commit SHA. |
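A small checker for the two pinning rules this PR applies (reusable workflow refs pinned to a full commit SHA, Dockerfile base images pinned by sha256 digest), added here as an illustration rather than taken from the PR or the repository; the workflow and Dockerfile samples, the example-org paths and the SHA/digest values are constructed placeholders.

```python
import re

# Constructed samples (not from the PR): the "before" state Scorecard flags and
# the "after" state this PR moves to. SHA and digest values are placeholders.
WORKFLOW_BEFORE = """\
jobs:
  review:
    uses: example-org/.github/.github/workflows/pr-review.yml@v2
  audit:
    uses: example-org/.github/.github/workflows/dependency-audit.yml@main
"""
WORKFLOW_AFTER = (WORKFLOW_BEFORE.replace("@v2", "@" + "0123456789" * 4 + "  # v2")
                  .replace("@main", "@" + "abcdef0123" * 4 + "  # main"))
DOCKERFILE_BEFORE = "FROM node:20-alpine AS builder\nFROM node:20-alpine\n"
DOCKERFILE_AFTER = "FROM node:20-alpine@sha256:" + "ab" * 32 + " AS builder\nFROM builder\n"

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)


def unpinned_workflow_uses(yaml_text):
    """(line, ref) for each `uses:` not pinned to a 40-hex commit SHA (docker:// needs a digest)."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m or m.group(1).startswith("./"):  # local workflows carry no ref
            continue
        ref = m.group(1)
        if ref.startswith("docker://"):
            pinned = bool(DIGEST.search(ref))
        else:  # a tag or branch after '@' is mutable; only a full SHA is immutable
            pinned = "@" in ref and bool(COMMIT_SHA.match(ref.rsplit("@", 1)[1]))
        if not pinned:
            findings.append((lineno, ref))
    return findings


def unpinned_base_images(dockerfile_text):
    """(line, image) for each FROM pulling a registry image without a sha256 digest."""
    findings, stages = [], set()
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        # earlier stage aliases and `scratch` are not registry pulls, so no digest applies
        if image not in stages and image != "scratch" and not DIGEST.search(image):
            findings.append((lineno, image))
        if alias:
            stages.add(alias)
    return findings
```

Keeping the human-readable tag in a trailing comment (as in WORKFLOW_AFTER) is what lets Dependabot keep bumping the SHA while the file still shows which version it corresponds to.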
Dev-Lead — fix-reviews (applied): Changes committed and pushed.
Dev-Lead — waiting on PR blockers (intent: review-changes). PR: #291
Note: I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
CI Failure: SonarCloud Code Analysis
Step: Quality Gate evaluation
SonarCloud flagged both
Suggested fix: Remove the named tag from the
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4e2526a481
Dev-Lead — fix-bot-comment (applied): Changes committed and pushed.
@dev-lead please process and advance this PR — fix any failing CI, resolve outstanding review threads, and enable auto-merge once it's green and approvable. |
Auto-rebase failed — merge conflict — this branch has conflicts with dev-lead will attempt to resolve this automatically. If it cannot, a follow-up comment will explain what needs manual attention. To resolve manually instead:
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2eec3b55cc
Dev-Lead — review-changes (applied): Changes committed and pushed.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ccfbb64f2c
Dev-Lead — review-changes (applied): Changes committed and pushed.
CI Failure: SonarCloud Code Analysis
Step: SonarCloud Code Analysis (external quality gate)
SonarCloud is a static analysis quality gate that scans code for bugs, vulnerabilities, and code smells. Because the details URL (
Suggested fix: Open the SonarCloud dashboard for the
CI Failure: SonarCloud Code Analysis
Step: SonarCloud Code Analysis (external quality gate)
This PR contains only infrastructure changes (pinning Dockerfile base images to digest SHAs, pinning GitHub Actions workflow references to commit SHAs, and adding a Dependabot Docker config) — no application source code was modified. SonarCloud failing on a config-only PR typically indicates either the
Suggested fix: Check the SonarCloud project dashboard to confirm whether the quality gate was already failing on the base branch before this PR was opened; if so, the failure is unrelated to these changes and the gate should be addressed separately. If the gate was passing on the base branch, verify that
Dev-Lead Fix CI — applied
PR: #291 | SHA:
* add check_run trigger to claude.yml
* add auto-rebase.yml workflow

…workflow (#170)
* fix: use explicit secrets and write permissions in dependabot-rebase workflow
  secrets: inherit + permissions: read causes startup_failure on reusable workflows. Use explicit APP_ID/APP_PRIVATE_KEY secrets and write permissions so the reusable workflow can update branches and approve PRs.
* fix: pin reusable SHA, update header guidance, fix secrets comment
  Address Copilot review comments:
  - Pin uses: to commit SHA instead of mutable @v1 tag
  - Update header: 'SHA' → 'ref', remove ban on workflow_dispatch trigger
  - Update header: '(inherited)' → '(passed explicitly)' for secrets
* fix: apply prettier formatting (single space before inline comments)
* fix: apply prettier formatting to auto-rebase.yml (single space before inline comments)
Per the org-wide standard defined in petry-projects/.github (standards/codeowners-standard.md), replace individual user/bot listings with the @petry-projects/org-leads team. Closes the CODEOWNERS gap from pr-review-agent#27. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.2 to 4.35.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@95e58e9...e46ed2c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: dependabot-automerge-petry[bot] <270452309+dependabot-automerge-petry[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.3 to 4.35.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@e46ed2c...68bde55) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
ci: remove drift codeql.yml and enable GitHub-managed default setup

Per org standard §2, CodeQL must use GitHub-managed default setup (Settings → Code security → Code scanning), not a per-repo workflow file. The existing codeql.yml was identified as drift by the compliance audit (issue #109).

CodeQL default setup has been configured via the GitHub API:

    gh api -X PATCH repos/petry-projects/broodly/code-scanning/default-setup \
      -F state=configured -F query_suite=default

This removes the drift file and brings the repo into compliance with the codeql-default-setup-not-configured finding.

Closes #109
Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Adds `*.pem` to .gitignore alongside existing key/cert patterns (`*.jks`, `*.p8`, `*.p12`, `*.key`) to satisfy the gitignore_secrets_block compliance check from the org push-protection standard. Closes #113 Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: don-petry <don-petry@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…210) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
…_patterns (#212) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
…audit.yml (#221) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
…st (#215) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
…564 (#231) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
…236) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
* rollout: deploy pr-review-mention standard workflow
* fix(bot): address bot feedback [skip ci-relay]
---------
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
… sonarcloud.yml (#288) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
…ing on main (#290)
* feat: implement issue #72 — fix: broodly CI 'Push API Image' job failing on main
* fix(reviews): address review comments [skip ci-relay]
---------
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

…st (#305)
* feat: implement issue #177 — Compliance: codeowners-org-leads-not-first
* chore: apply manual instructions [skip ci-relay]
* fix: remove duplicate shell-quote override from pnpm-lock.yaml
  The pnpm-lock.yaml contained both 'shell-quote' and 'shell-quote@<1.8.4' overrides, but package.json only specified the versioned variant. This mismatch caused pnpm install --frozen-lockfile to fail with ERR_PNPM_LOCKFILE_CONFIG_MISMATCH. Removed the duplicate unversioned entry.
  Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---------
Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>
Co-authored-by: Don Petry Bot <donpetry+bot@gmail.com>
#323) Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Pin all GitHub Actions reusable workflow refs to SHA digests, pin Docker base images in apps/api to digest-only refs, add docker ecosystem to dependabot.yml for automated digest bumps, add nonroot USER to Dockerfiles, and update CLAUDE.md coding standards section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Dev-Lead — rebase (applied): Rebase completed and pushed.
Dev-Lead — fix-bot-comment (no-changes): Agent reasoning
Closes #18
Implemented by dev-lead agent. Please review.