feat(ci): rename build.yaml to pr.yaml, add zizmor and PR validation #722
Teebor-Choka merged 14 commits into main from
Conversation
- Rename build.yaml to pr.yaml with inline validate-pr-title and label jobs
- Pin actions/checkout to SHA (v6.0.2)
- Add checks-zizmor.yaml thin caller for shared zizmor workflow
- Add .github/labeler.yml for Node.js project labels
- Add .#ci devShell with zizmor to flake.nix

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Walkthrough
Adds two new GitHub workflows (
Changes
Sequence Diagram(s)
sequenceDiagram
participant Dev as Developer
participant GH as GitHub
participant Actions as GitHub Actions
participant Reusable as External Reusable Workflow
participant Secrets as Secret Providers
Dev->>GH: Open / update PR
GH->>Actions: Trigger `pr.yaml` (PR events)
Actions->>Actions: validate-pr-title, apply labels
Actions->>Actions: run Node build matrix (self-hosted runners)
Actions->>Reusable: invoke reusable Docker build workflow (source_branch, matrix, inputs)
Secrets->>Reusable: provide CACHIX / GCP secrets via workflow inputs
GH->>Actions: If `.github/**` changed -> trigger `checks-zizmor.yaml`
Actions->>Reusable: invoke Zizmor reusable checks (with CACHIX token)
Actions-->>GH: Report statuses / labels back to PR
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Pre-merge checks: ✅ 3 passed
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/labeler.yml (1)
1-11: LGTM! The labeler configuration appropriately categorizes:
- toolchain: Nix and CI configuration changes
- dependencies: Package manager files
Minor consistency note: Line 6 (.github/**) is unquoted while other patterns are quoted. While YAML accepts both, consistent quoting improves readability.
Optional: consistent quoting
toolchain: - changed-files: - any-glob-to-any-file: - "flake.*" - "*.nix" - - .github/** + - ".github/**"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/labeler.yml around lines 1 - 11, The .github/** glob in the labeler config is unquoted while other patterns are quoted; update the labeler.yml so the pattern under the toolchain section (currently .github/**) is quoted (" .github/** " without spaces) to match the quoting style used for "flake.*" and "*.nix", ensuring consistent YAML style for the toolchain and dependencies entries.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/pr.yaml:
- Around line 74-99: The build job is missing the security hardening present in
the label job; update the build job (job name "build") to add an explicit
permissions block with least privilege, add the "harden-runner" step (same
action and inputs used in the label job) before any steps that use credentials,
and modify the "Checkout repository" step (the actions/checkout usage) to
include persist-credentials: false so the runner does not expose GITHUB_TOKEN;
ensure ordering matches the label job (harden-runner runs early) and that the
permissions scope is restrictive.
---
Nitpick comments:
In @.github/labeler.yml:
- Around line 1-11: The .github/** glob in the labeler config is unquoted while
other patterns are quoted; update the labeler.yml so the pattern under the
toolchain section (currently .github/**) is quoted (" .github/** " without
spaces) to match the quoting style used for "flake.*" and "*.nix", ensuring
consistent YAML style for the toolchain and dependencies entries.
📒 Files selected for processing (5)
- .github/labeler.yml
- .github/workflows/build.yaml
- .github/workflows/checks-zizmor.yaml
- .github/workflows/pr.yaml
- flake.nix
💤 Files with no reviewable changes (1)
- .github/workflows/build.yaml
♻️ Duplicate comments (3)
.github/workflows/pr.yaml (3)
104-104: ⚠️ Potential issue | 🟠 Major
Pin reusable workflow reference to a commit SHA.
Line 104 uses @build-docker-v1 (mutable). Reusable workflows should also be SHA-pinned for integrity and reproducibility.
Suggested patch
- uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@build-docker-v1 + uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@<FULL_COMMIT_SHA>🤖 Prompt for AI Agents
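Review bot: the `+` line replaces the tag with a bare `@<FULL_COMMIT_SHA>` and loses the human-readable version marker; when the SHA is filled in, keep the tag as a trailing comment (`...@<FULL_COMMIT_SHA> # build-docker-v1`), the same convention this workflow already uses for `actions/checkout@de0fac2e... # v6.0.2`, so reviewers and dependency-update tooling can still tell which release the SHA corresponds to. Pinning the caller is only half the story for a reusable workflow: the actions it calls internally are pinned (or not) inside hopr-workflows, so the zizmor run added by this PR should cover that repository as well.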
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr.yaml at line 104, Replace the mutable reusable workflow ref "hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@build-docker-v1" with a SHA-pinned reference (e.g., "...@<commit-sha>"); update the uses line so the reusable workflow is referenced by its exact commit SHA to ensure immutability and reproducible CI runs.
87-87: ⚠️ Potential issue | 🟠 Major
Pin setup-node-js action reference to a commit SHA.
Line 87 uses a mutable tag (@setup-node-js-v1). Please pin to an immutable commit SHA to prevent supply-chain drift.
Suggested patch
- - name: Setup Node.js - uses: hoprnet/hopr-workflows/actions/setup-node-js@setup-node-js-v1 + - name: Setup Node.js + uses: hoprnet/hopr-workflows/actions/setup-node-js@<FULL_COMMIT_SHA>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr.yaml at line 87, The workflow uses a mutable tag for the setup-node-js action ("uses: hoprnet/hopr-workflows/actions/setup-node-js@setup-node-js-v1"); replace that tag with the action's immutable commit SHA (e.g., @<commit-sha>) to pin the dependency, updating the "uses" entry in the workflow where setup-node-js is referenced (and any other occurrences) so the action is fixed to a specific commit SHA.
76-84: ⚠️ Potential issue | 🟠 Major
Harden the build job to match the security baseline used elsewhere.
Lines 76-84 regress security posture versus the label job: no explicit permissions, no runner hardening, and checkout still persists credentials.
Suggested patch
build: name: Build runs-on: self-hosted-hoprnet-small + permissions: + contents: read strategy: matrix: node-version: [22.x, 24.x] steps: + - name: Harden Runner + uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + disable-sudo: true + egress-policy: audit - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false🤖 Prompt for AI Agents
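Review bot: `egress-policy: audit` in the added Harden Runner step only records outbound connections, it does not block them, so the hunk raises the job's visibility rather than its enforcement; that is a reasonable first setting, but the finding should say so, with `egress-policy: block` plus an `allowed-endpoints` list as the follow-up once the audit log shows what the Node build actually needs. Since this job runs on `self-hosted-hoprnet-small`, confirm the harden-runner action is supported on that runner before relying on it; its documented target is GitHub-hosted Ubuntu runners. The `permissions: contents: read` and `persist-credentials: false` additions are consistent with each other: the job only reads the repository and has no push step, so nothing in it needs a writable `GITHUB_TOKEN` left in `.git/config`.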
Verify each finding against the current code and only fix it if needed. In @.github/workflows/pr.yaml around lines 76 - 84, The build job currently lacks explicit permissions and runner hardening and uses actions/checkout that leaves credentials persisted; update the build job (the "build" matrix job and its "Checkout repository" step that uses actions/checkout@de0fac2e...) to match the security baseline used by the label job: add an explicit permissions block (minimum required, e.g., contents: read and any specific scopes your workflow needs), harden the runner by disabling credential persistence on checkout (set persist-credentials: false in the Checkout repository step) and apply the same runner-hardening defaults you use elsewhere (the same permission/profile and any runner-level hardening settings from the label job).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In @.github/workflows/pr.yaml:
- Line 104: Replace the mutable reusable workflow ref
"hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@build-docker-v1"
with a SHA-pinned reference (e.g., "...@<commit-sha>"); update the uses line so
the reusable workflow is referenced by its exact commit SHA to ensure
immutability and reproducible CI runs.
- Line 87: The workflow uses a mutable tag for the setup-node-js action ("uses:
hoprnet/hopr-workflows/actions/setup-node-js@setup-node-js-v1"); replace that
tag with the action's immutable commit SHA (e.g., @<commit-sha>) to pin the
dependency, updating the "uses" entry in the workflow where setup-node-js is
referenced (and any other occurrences) so the action is fixed to a specific
commit SHA.
- Around line 76-84: The build job currently lacks explicit permissions and
runner hardening and uses actions/checkout that leaves credentials persisted;
update the build job (the "build" matrix job and its "Checkout repository" step
that uses actions/checkout@de0fac2e...) to match the security baseline used by
the label job: add an explicit permissions block (minimum required, e.g.,
contents: read and any specific scopes your workflow needs), harden the runner
by disabling credential persistence on checkout (set persist-credentials: false
in the Checkout repository step) and apply the same runner-hardening defaults
you use elsewhere (the same permission/profile and any runner-level hardening
settings from the label job).
📒 Files selected for processing (3)
- .github/labeler.yml
- .github/workflows/checks-zizmor.yaml
- .github/workflows/pr.yaml
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/checks-zizmor.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/labeler.yml
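The three review findings above (mutable `uses:` refs, a job without a `permissions:` block, a checkout that keeps `GITHUB_TOKEN` in the working tree) are exactly the class of check a tool like zizmor automates. The scanner below is an added example written for this page, not code from this PR, the hoprnet project or zizmor; it performs an indentation-based scan of workflow text without a YAML library, and the `SAMPLE_WORKFLOW` it runs on is constructed, modelled on the `label`, `build` and reusable-workflow jobs the comments describe (the two SHAs come from the suggested patch above). It goes slightly beyond the review by also flagging the job that calls the reusable workflow for its missing `permissions:` block, since a caller job's permissions cap what the called workflow can do.

```python
"""Workflow hygiene scanner for the three issues raised in the review above.
Indentation-based line scan, no YAML library; a review aid, not a zizmor replacement."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")   # step- or job-level `uses:`
REMOTE_REF_RE = re.compile(r"^([^@]+)@(.+)$")      # owner/repo/path@ref
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\b")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _job_ranges(lines):
    """Return (job_name, start_idx, end_idx) for each job under top-level `jobs:`."""
    ranges, in_jobs, job_indent = [], False, None
    for i, raw in enumerate(lines):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        ind = _indent(raw)
        if ind == 0:                              # any top-level key ends the jobs block
            if ranges and ranges[-1][2] is None:
                ranges[-1][2] = i
            in_jobs, job_indent = (s == "jobs:"), None
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind                      # first key under jobs: sets the job indent
        if ind == job_indent and s.endswith(":"):
            if ranges and ranges[-1][2] is None:
                ranges[-1][2] = i
            ranges.append([s[:-1], i, None])
    if ranges and ranges[-1][2] is None:
        ranges[-1][2] = len(lines)
    return [tuple(r) for r in ranges]

def scan_workflow(text):
    """Return [(rule, line_no, detail)] findings for one workflow file's text."""
    lines = text.splitlines()
    findings = []
    # Rule 1: every remote `uses:` ref is a full commit SHA, not a mutable tag or branch.
    for no, raw in enumerate(lines, 1):
        m = USES_RE.match(raw)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue                              # local actions and images: out of scope
        rm = REMOTE_REF_RE.match(m.group(1))
        if not rm or not SHA_RE.match(rm.group(2)):
            findings.append(("unpinned-uses", no, m.group(1)))
    top_perms = any(_indent(l) == 0 and l.startswith("permissions:") for l in lines)
    for name, start, end in _job_ranges(lines):
        body = lines[start:end]
        key_indent = _indent(lines[start]) + 2
        # Rule 2: each job declares least-privilege `permissions:` unless the workflow does.
        if not top_perms and not any(
            _indent(l) == key_indent and l.strip().startswith("permissions:") for l in body
        ):
            findings.append(("missing-permissions", start + 1, name))
        # Rule 3: every actions/checkout step sets `persist-credentials: false`.
        for j, raw in enumerate(body):
            m = USES_RE.match(raw)
            if not m or not m.group(1).startswith("actions/checkout@"):
                continue
            # The step's `-` is on this line, or (after `- name:`) two columns left of `uses:`.
            dash = _indent(raw) if raw.lstrip().startswith("-") else _indent(raw) - 2
            persists = True                       # GitHub's default is persist-credentials: true
            for nxt in body[j + 1:]:
                if nxt.strip() and _indent(nxt) <= dash:
                    break                         # reached the next step or the next job key
                if PERSIST_RE.match(nxt):
                    persists = False
            if persists:
                findings.append(("checkout-persists-credentials", start + j + 1, name))
    return findings

# Constructed sample modelled on the pr.yaml jobs the review discusses: `label` is
# hardened, `build` is not, and `docker` calls a tag-pinned reusable workflow.
SAMPLE_WORKFLOW = """\
jobs:
  label:
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
  build:
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Node.js
        uses: hoprnet/hopr-workflows/actions/setup-node-js@setup-node-js-v1
  docker:
    uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@build-docker-v1
"""

if __name__ == "__main__":
    for rule, no, detail in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {rule}: {detail}")
```

Run against the sample, the scanner reports the two mutable refs, the `build` job's missing `permissions:` and credential-persisting checkout, and the `docker` caller job's missing `permissions:`; the hardened `label` job produces nothing. A workflow-level `permissions:` block satisfies rule 2 for every job, which is why the scan checks the top level first.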
…s, persist-credentials: false
- Pin setup-node-js and build-docker to commit SHAs
- Add permissions: contents: read to build job
- Add persist-credentials: false to checkout in build job
…-v1, workflow-tests-v1, workflow-checks-zizmor-v1)
Rename build.yaml to pr.yaml, add PR title validation, labeling, and zizmor scanning. Pin unpinned actions to SHA.
🤖 Generated with Claude Code