
Pin checkout to commit. Don't persist creds if not needed #7430

Open

ShaharNaveh wants to merge 1 commit into RustPython:main from ShaharNaveh:ci-checkout-persist-creds

Conversation

@ShaharNaveh ShaharNaveh (Contributor) commented Mar 14, 2026

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD pipeline security by pinning GitHub Actions versions and updating credential handling configurations across workflow jobs.

@coderabbitai coderabbitai bot (Contributor) commented Mar 14, 2026

📝 Walkthrough

Walkthrough

GitHub Actions workflows across six configuration files are updated to pin the checkout action to a specific commit hash (v6.0.2) instead of using the floating v6 tag, while adding or modifying persist-credentials configuration to control credential handling.

Changes

Cohort: GitHub Actions Checkout Pinning (persist-credentials: false)
File(s): .github/workflows/ci.yaml, .github/workflows/cron-ci.yaml, .github/workflows/lib-deps-check.yaml, .github/workflows/pr-format.yaml, .github/workflows/release.yml
Summary: Replaces actions/checkout@v6 with pinned commit actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 and adds with: persist-credentials: false to disable credential persistence across multiple workflow jobs.

Cohort: Checkout Version Bump (persist-credentials: true)
File(s): .github/workflows/update-doc-db.yml
Summary: Updates checkout action from v6.0.1 to v6.0.2 with pinned commit hash and adds with: persist-credentials: true in both generate and merge jobs to enable credential persistence.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A checkout pin, so precise and tight,
Credentials guarded left and right,
Workflows locked to v-six-point-two,
Security measures fresh and new!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main changes: pinning the checkout action to a specific commit hash across all workflows and disabling credential persistence where unnecessary.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/cron-ci.yaml (1)

59-61: Consider using persist-credentials: false for these jobs.

The testdata, whatsleft, and benchmark jobs push to a different repository (rustpython.github.io) that's cloned separately via SSH deploy keys. The credentials from the main checkout aren't used for those push operations, so persist-credentials: true is unnecessary here.

This is a minor optimization—the current configuration works correctly but leaves credentials persisted when they're not needed.

♻️ Optional: Use persist-credentials: false
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          persist-credentials: true
+          persist-credentials: false
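Review bot: before applying this flip in the testdata, whatsleft and benchmark jobs, confirm that no later step in those jobs runs git fetch, pull or push against the main checkout; the comment above only establishes that the rustpython.github.io push goes through a separately cloned repository and an SSH deploy key, and with persist-credentials: false the checkout's token is no longer written into the checked-out repository's git config, so any such step would fail with an authentication error. If the three jobs really only read the main checkout, the change is safe and removes a credential that a compromised later step could otherwise reuse.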

Also applies to: 94-96, 155-157

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cron-ci.yaml around lines 59 - 61, Change the checkout
steps that run in the testdata, whatsleft, and benchmark jobs to stop persisting
the main repo credentials: locate the actions/checkout@... steps that currently
have persist-credentials: true (the ones used in those three jobs) and set
persist-credentials: false so the main checkout does not leave credentials
available when pushes use the separately cloned rustpython.github.io SSH deploy
key.


📥 Commits

Reviewing files that changed from the base of the PR and between 430eb5f and c2f99f9.

📒 Files selected for processing (6)
  • .github/workflows/ci.yaml
  • .github/workflows/cron-ci.yaml
  • .github/workflows/lib-deps-check.yaml
  • .github/workflows/pr-format.yaml
  • .github/workflows/release.yml
  • .github/workflows/update-doc-db.yml
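The walkthrough and the nitpick above describe one hardening pattern in two parts: pin actions/checkout to a full commit SHA rather than a floating tag such as v6, and set persist-credentials: false wherever later steps do not push with the checkout's token. The script below is an added example written for this page, not code from the RustPython repository or from CodeRabbit; it scans workflow YAML text for both conditions. The two workflow snippets it checks are constructed for the example, modelled on the before and after states this PR describes, and the function names are mine.

```python
"""Audit GitHub Actions workflow YAML for two hardening points:
  1. every `uses:` reference is pinned to a 40-hex commit SHA, not a tag/branch
  2. every actions/checkout step sets persist-credentials: false
The sample workflow texts below are constructed for this example."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*(true|false)\b")


def _indent(line):
    return len(line) - len(line.lstrip())


def audit_workflow(text):
    """Return a list of (line_number, message) findings for one workflow file."""
    findings = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        lineno = i + 1
        ref = m.group(1).strip("'\"")
        # Local (./path) and docker:// references carry no version to pin.
        if "@" in ref:
            action, version = ref.rsplit("@", 1)
            if not SHA_RE.match(version):
                findings.append((lineno, f"{action} pinned to mutable ref {version!r}, not a commit SHA"))
        else:
            action = ref
        if not action.startswith("actions/checkout"):
            continue
        # Walk the rest of this step (lines indented at least as deep as the
        # `uses:` key) looking for persist-credentials under `with:`.
        key_indent = line.index("uses:")
        persist = None
        for nxt in lines[i + 1:]:
            if nxt.strip() and _indent(nxt) < key_indent:
                break  # next step or next job
            pm = PERSIST_RE.match(nxt)
            if pm:
                persist = pm.group(1) == "true"
        if persist is None:
            findings.append((lineno, "actions/checkout: persist-credentials not set (defaults to true)"))
        elif persist:
            findings.append((lineno, "actions/checkout: persist-credentials: true leaves the token in .git/config"))
    return findings


# Constructed "before" workflow: floating tags, default/true credential persistence.
SAMPLE_BEFORE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Run tests
        run: cargo test
  docs:
    runs-on: ubuntu-latest
    steps:
      - name: Fetch source
        uses: actions/checkout@v6.0.1
        with:
          persist-credentials: true
      - uses: ./.github/actions/local-thing
"""

# Constructed "after" workflow in the shape this PR applies: SHA pin plus false.
SAMPLE_AFTER = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run tests
        run: cargo test
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for lineno, msg in audit_workflow(sample) or [(0, "clean")]:
            print(f"  line {lineno}: {msg}")
```

Run it over a real repository with something like `for f in .github/workflows/*.y*ml; do python audit.py "$f"; done` after swapping the samples for `open(path).read()`; the scanner is deliberately line-based so it works on files that are not valid YAML yet, and a finding on a `uses:` line that has no `@` is never raised because local and docker references have no version to pin.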

