ci: SHA-pin publish.yml GitHub Actions (config-only, no version bump)#4
Pin actions/checkout, actions/setup-java, actions/setup-node to immutable commit SHAs (value-only, no version bump; @v4 behavior preserved). Config-only pin, provably unreachable-to-publish (28-02 C1-C6 PASS). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Pins the 3 GitHub Actions in `.github/workflows/publish.yml` (`actions/checkout`, `actions/setup-java`, `actions/setup-node`) to immutable commit SHAs. This is a value-only change — the `@v4` behavior is preserved, there is no `@v4` → `@v5` version bump. Config-only pin (SEC-06), provably unreachable-to-publish.

| Action | Pinned to |
| --- | --- |
| `actions/checkout@v4` | `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 (v4.3.1)` |
| `actions/setup-java@v4` | `c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 (v4.8.0)` |
| `actions/setup-node@v4` | `49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 (v4.4.0)` |

Changed files

`.github/workflows/publish.yml` — 3 lines (3 insertions, 3 deletions), uses-line SHA tokens only.

C1 diff verdict

`git diff origin/master -- .github/workflows/publish.yml` = exactly 3 uses-line SHA changes only (L22 checkout, L27 setup-java, L94 setup-node). No `on:`/trigger, no `if:`, no `with:`, no `env:`, no `needs:`, no step/job logic touched.

EXISTS=true evidence

`gh release view v1.0.0 --repo UltiKits/UltiBackup` → exit 0, release `v1.0.0` found (published, not draft, not prerelease) → `EXISTS=true`.

Side effects

This PR does NOT merge and does NOT trigger publish. `publish.yml` fires only on `push: branches: [master]` + `workflow_dispatch`, and every publish step is gated `if: steps.check.outputs.EXISTS == 'false'`. With `EXISTS=true` (release v1.0.0 already published), all publish steps short-circuit. Opening a PR triggers no publish.

No-Release Proof — UltiBackup (SEC-06, Archetype C) — C1–C6 PASS

(D-05 double-key — copied verbatim from `28-02-no-release-proof-verdicts.md`)

- `uses:` lines re-confirmed `@v4` on `origin/master` this plan — L22 `actions/checkout@v4`, L27 `actions/setup-java@v4`, L94 `actions/setup-node@v4` — plus an optional trailing `# v4 (vX.Y.Z)` comment, pasting the 26-02 §2c pin strings verbatim. It MUST add/remove/modify no `on:`/trigger, no `if:`, no `with:`, no `env:`, no `needs:`, and no step ordering or job logic. Pre-state (the three current `@v4` lines on `origin/master`): `22: - uses: actions/checkout@v4` / `27: uses: actions/setup-java@v4` / `94: uses: actions/setup-node@v4`. (Re-verified against `git diff origin/master` in Task 3, gated behind the Task 2 token.)
- `on: push: branches: [master]` (with `paths-ignore` for `**.md`, `.gitignore`, `LICENSE`) + `workflow_dispatch` (optional `version` input). Neither event is produced by the pin edit itself: a SHA-pin commit on a feature branch targeting `master` via PR does not trigger the `push: branches: [master]` path until merge, and at merge the existing-version guard (C5) intercepts before any publish step. No `pull_request` trigger (26-01 §0 — the condition forcing the config-only method).
- `release-and-publish` (`permissions: contents: write`). Step `check` (Check if release exists, L48) runs `if gh release view "v${{ steps.version.outputs.VERSION }}" > /dev/null 2>&1; then EXISTS=true ... else EXISTS=false` (L53–57). Every subsequent publish step is gated `if: steps.check.outputs.EXISTS == 'false'` (L61, L76, L80, L84, L93, L99, L104).
- `EXISTS` guard (C3/C5) are byte-identical pre/post pin. The set of conditions under which any publish step runs is therefore unchanged. The pin cannot alter `pom.xml` `<version>` nor the release state, so it cannot flip `EXISTS`.
- `${VERSION}=1.0.0` (from `git show origin/master:pom.xml` project `<version>`, L9 — read-only, no Maven build). `gh release view "v1.0.0" --repo UltiKits/UltiBackup` → exit 0; payload `{"createdAt":"2026-02-15T01:52:27Z","isDraft":false,"isPrerelease":false,"name":"v1.0.0","tagName":"v1.0.0"}`. `EXISTS=true` — release `v1.0.0` is published (not draft, not prerelease). The `EXISTS=true` branch short-circuits every publish step unconditionally; a SHA-only pin on a feature branch cannot flip `EXISTS`.
- PASS — config-only pin, unreachable-to-publish. Master base ref `c54269116c7258dd840e71aa80b533e3928f8809`; `publish.yml` master sha256 `36728f8498b903237d1fdb3ee4d84c5e8f0cd6c3e6a3254f0a743d70f0d85998` (pre == post; master fingerprint re-captured this plan on the `origin/master` base, D-03). Shares the 28-01 seed sha256 (byte-identical publish.yml).
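A pin like this only holds if something keeps checking it. As an added example (not the project's own code; the two workflow files below are constructed samples, not the real `publish.yml`), here is a POSIX shell audit that flags any `uses:` line not pinned to a full 40-hex commit SHA carrying the `# v4 (vX.Y.Z)` style comment this PR adopts, skipping local `./` actions that have no ref to pin:

```shell
#!/bin/sh
# Added example, not code from the UltiBackup repo: audit a workflow so that every
# third-party `uses:` reference is a 40-hex commit SHA with a trailing "# vX (vX.Y.Z)"
# comment recording the tag it was resolved from. Local "uses: ./path" steps are skipped.

# Print each offending uses-line with its line number; prints nothing when all pass.
list_unpinned() {
    grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
        | grep -vE 'uses:[[:space:]]*\./' \
        | grep -vE '@[0-9a-f]{40}[[:space:]]+#[[:space:]]*v[0-9]' || true
}

# Return 0 if the file is fully pinned, 1 otherwise (offenders go to stderr).
audit_pins() {
    offenders=$(list_unpinned "$1")
    if [ -n "$offenders" ]; then
        printf 'unpinned uses-lines in %s:\n%s\n' "$1" "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed sample workflows (assumed content, not the project's real publish.yml).
SAMPLE_DIR=$(mktemp -d)
write_samples() {
    cat > "$SAMPLE_DIR/pinned.yml" <<'EOF'
jobs:
  release-and-publish:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 (v4.3.1)
      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 (v4.8.0)
      - uses: ./.github/actions/local-step
EOF
    cat > "$SAMPLE_DIR/floating.yml" <<'EOF'
jobs:
  release-and-publish:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 (v4.4.0)
      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9
EOF
}

write_samples
audit_pins "$SAMPLE_DIR/pinned.yml" && echo "pinned.yml: all uses-lines SHA-pinned"
audit_pins "$SAMPLE_DIR/floating.yml" || echo "floating.yml: still has floating or uncommented refs"
```

The floating sample is flagged twice: once for the `@v4` tag and once for a SHA with no version comment, so a reviewer can still tell which tag the hash came from.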