
docs: add content about action commit SHA pinning to docs #165 (Open)

brynary wants to merge 1 commit into main from bh-docs-pinning

Conversation

@brynary (Member) commented Nov 29, 2025

No description provided.

Copilot AI review requested due to automatic review settings November 29, 2025 08:24
qltysh Bot (Contributor) commented Nov 29, 2025

Diff Coverage: Not applicable. There was no coverage data reported for the files in this diff.

Total Coverage: This PR will not change total coverage.


qltysh Bot (Contributor) commented Nov 29, 2025

❌ 2 blocking issues (8 total)

  • prettier (Style): Incorrect formatting, autoformat by running qlty fmt. Count: 4
  • markdownlint (Style): Fenced code blocks should be surrounded by blank lines. Count: 4


Copilot AI (Contributor) left a comment

Pull request overview

This PR adds documentation about pinning GitHub Actions to specific commit SHAs for enhanced security. The tip boxes direct users to GitHub's official security hardening documentation and provide example syntax for SHA-based pinning.

Key changes:

  • Added security tip boxes to both the main README and coverage-specific README
  • Included example YAML syntax showing how to pin actions to commit SHAs

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
coverage/README.md Added TIP callout box with SHA pinning guidance in the Quick Start section
README.md Added TIP callout box with SHA pinning guidance after the actions table


Comment thread README.md
Comment on lines +42 to +44
> For additional security, you can pin actions to a specific commit SHA instead of a tag:
> ```yaml
> uses: qltysh/qlty-action/coverage@a1b2c3d4e5f6...
> ```

Copilot AI commented Nov 29, 2025

[nitpick] The example specifically shows the /coverage action, but the tip applies to all three actions listed in the table above (coverage, install, and fmt). Consider using a more generic example like qltysh/qlty-action/<action>@a1b2c3d4e5f6... or explicitly mentioning that this is just one example and the pattern applies to all actions.

Suggested change

Before:
> For additional security, you can pin actions to a specific commit SHA instead of a tag:
> ```yaml
> uses: qltysh/qlty-action/coverage@a1b2c3d4e5f6...
> ```

After:
> For additional security, you can pin actions to a specific commit SHA instead of a tag. This applies to all actions listed above:
> ```yaml
> uses: qltysh/qlty-action/<action>@a1b2c3d4e5f6...
> ```

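Added example, not part of this PR, the qlty-action project, or any reviewer's comment: a small Python audit that scans a workflow file and reports which `uses:` references are pinned to a full 40-hex-character commit SHA, which use only an abbreviated SHA (the shape of the `a1b2c3d4e5f6...` placeholder in the README excerpt above), and which still float on a tag or branch that the action's maintainer can move. The workflow text, action paths and SHAs below are constructed for illustration and do not correspond to real commits. GitHub's security-hardening guidance recommends pinning to the full-length SHA; the trailing `# vX.Y.Z` comment is the common convention for recording which release a SHA was taken from, and tools such as Dependabot update it together with the SHA.

```python
"""Audit `uses:` references in a GitHub Actions workflow for commit-SHA pinning.

A tag such as @v1 or a branch such as @main is a mutable pointer: whoever
controls the action repository can move it to new code without any change in
the consuming workflow. A full 40-hex commit SHA is immutable. An abbreviated
SHA is reported separately because it is not the full-length pin GitHub's
hardening guidance recommends.
"""
import re

# Constructed sample workflow (not from the qlty-action repository).
# The SHAs are placeholders with a valid shape, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: qltysh/qlty-action/install@v1
      - uses: qltysh/qlty-action/fmt@main
      - uses: qltysh/qlty-action/coverage@a1b2c3d4e5f6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: echo "no action here"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(\.\d+)*")


def classify_ref(ref):
    """Classify one `uses:` value as 'local', 'pinned', 'short-sha' or 'mutable'."""
    ref = ref.strip("\"'")
    if ref.startswith("./"):
        # Actions in the same repository ride along with the workflow's own commit.
        return "local"
    if ref.startswith("docker://"):
        # Container actions are pinned by image digest, not by git SHA.
        return "pinned" if IMAGE_DIGEST_RE.search(ref) else "mutable"
    if "@" not in ref:
        return "mutable"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "pinned"
    if SHORT_SHA_RE.match(version):
        return "short-sha"
    return "mutable"


def audit_workflow(text):
    """Return (line_no, ref, status, has_version_comment) for every `uses:` line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group("ref").strip("\"'")
        has_comment = bool(VERSION_COMMENT_RE.search(line))
        findings.append((line_no, ref, classify_ref(ref), has_comment))
    return findings


def unpinned(text):
    """Return the references a reviewer should ask to have pinned to a full SHA."""
    return [ref for _, ref, status, _ in audit_workflow(text)
            if status in ("mutable", "short-sha")]


if __name__ == "__main__":
    for line_no, ref, status, has_comment in audit_workflow(SAMPLE_WORKFLOW):
        note = "" if status != "pinned" or has_comment else " (no version comment)"
        print(f"line {line_no}: {status:<9} {ref}{note}")
```

The check is static: it confirms the shape of the reference, not that the SHA exists or that it is the commit a given release tag pointed to. When pinning, resolve the SHA from the tag you actually reviewed (for example with `git ls-remote --tags`) and record that tag in the trailing comment so the pin can be audited and updated later.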