
fix(github): pin release-please-action to commit SHA #85

Merged
yordis merged 1 commit into main from yordis/fix-pin-release-please-action
Apr 16, 2026

Conversation

@yordis
Member

@yordis yordis commented Apr 16, 2026

  • The org-level Actions policy requires all actions to be pinned to a full-length commit SHA; using a tag like v4.2.0 caused the workflow to be blocked

Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>
@cursor

cursor bot commented Apr 16, 2026

PR Summary

Low Risk
Workflow-only change that preserves the same action version (v4.2.0) while improving supply-chain/policy compliance.

Overview
Pins the googleapis/release-please-action used by the Release GitHub Actions workflow from the v4.2.0 tag to its full commit SHA to satisfy org policy and avoid blocked runs.

Reviewed by Cursor Bugbot for commit 97bb3fc.

@coderabbitai

coderabbitai bot commented Apr 16, 2026

Walkthrough

The workflow's Release step pins googleapis/release-please-action to a specific commit SHA instead of using the floating tag v4.2.0. All other step configuration remains unchanged.

Changes

Cohort / File(s): GitHub Actions Workflow (.github/workflows/release-please.yml)
Summary: Pinned release-please-action from floating tag v4.2.0 to fixed commit SHA a02a34c4d625f9be7cb89156071d8567266a2445.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A commit so precise, pinned tight with care,
No floating tags causing a scare,
Release-please locked down, steady and true,
Automation that's solid, through and through! 🚀

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check: Passed. The title accurately describes the main change: pinning release-please-action to a commit SHA instead of a tag.
Description check: Passed. The description clearly explains the reason for the change and relates directly to the changeset: org-level Actions policy requires commit SHA pinning.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/release-please.yml (1)

20-20: Consider updating to a newer version; v4.4.1 is now available.

The commit SHA a02a34c4d625f9be7cb89156071d8567266a2445 correctly corresponds to v4.2.0. However, newer releases are available: v4.4.1 (April 2026), v4.4.0, and v4.3.0. No security advisories are present, but updating to v4.4.1 or v4.4.0 may bring feature improvements and bug fixes.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release-please.yml at line 20, update the release-please action reference on the uses line (currently "uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445") to a newer released tag such as "v4.4.1" (or "v4.4.0" if preferred); replace the pinned commit SHA with the tag to pick up bug fixes/features, commit the workflow change, and run the CI/workflow to verify there are no compatibility regressions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e2f01c73-ae8b-4032-9468-ebf4fd81baba

📥 Commits

Reviewing files that changed from the base of the PR and between e4b49a7 and 97bb3fc.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yml
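Two points in this thread call for a worked example: the PR description's reason for the change (the org policy blocks any `uses:` reference that is not a full-length commit SHA, because a tag such as v4.2.0 can be moved to a different commit after the fact) and the review nitpick above, which suggests swapping the SHA back for the v4.4.1 tag. Doing that would reintroduce the mutable reference this PR removes and be blocked by the same policy, so the update path is to resolve the new tag to its commit SHA and pin that. The shell script below is an added example, not code from the PR, the repository or either review bot: it lints a workflow file for unpinned `uses:` lines and shows how to resolve a tag to a SHA with `git ls-remote`. The sample workflow files it writes are constructed for the demo; the all-zero checkout SHA is a placeholder, and the release-please SHA is the one this PR pins.

```shell
#!/usr/bin/env sh
# Added example, not code from the PR or the repository: check that every
# `uses:` reference in a GitHub Actions workflow is pinned to a full 40-hex
# commit SHA, and show how to turn a release tag into the SHA to pin.

# Print the `uses:` references in a workflow file that are NOT pinned to a
# full-length commit SHA, one per line. Local actions (./path) and container
# images (docker://...) carry no git ref and are skipped. Always exits 0.
list_unpinned_actions() {
    grep -E '^[[:space:]]*(-[[:space:]]*)?uses:' "$1" \
      | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//' \
      | sed -E 's/[[:space:]]+#.*$//' \
      | tr -d "\"'" \
      | grep -v -E '^(\.|docker://)' \
      | grep -v -E '@[0-9a-f]{40}$' || true
}

# Exit 0 when every action in the file is SHA-pinned; otherwise report the
# offenders on stderr and exit 1 (the condition the org policy enforces).
check_pinned_actions() {
    unpinned=$(list_unpinned_actions "$1")
    if [ -n "$unpinned" ]; then
        printf '%s\n' "$unpinned" | sed 's/^/unpinned: /' >&2
        return 1
    fi
}

# Resolve a release tag to the commit SHA to pin (network call; not run in the
# offline demo). For an annotated tag, ls-remote lists refs/tags/TAG (the tag
# object) and refs/tags/TAG^{} (the peeled commit); the peeled SHA is the one
# to put in the workflow. A lightweight tag lists only the commit itself.
resolve_tag_to_sha() {
    repo="$1" tag="$2"
    git ls-remote --tags "https://github.com/$repo" "refs/tags/$tag" \
      | awk -v peeled="refs/tags/$tag^{}" -v plain="refs/tags/$tag" '
          $2 == peeled { print $1; found = 1; exit }
          $2 == plain  { sha = $1 }
          END { if (!found && sha != "") print sha }'
}
# Usage: resolve_tag_to_sha googleapis/release-please-action v4.2.0

# Constructed sample workflows (not the repository's real file). The SHA on the
# release-please line is the one this PR pins; the checkout SHA is a placeholder.
write_sample_workflows() {
    cat > "$1/pinned.yml" <<'EOF'
name: release-please
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder, not a real commit
      - name: Release
        uses: "googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445" # v4.2.0
EOF
    cat > "$1/unpinned.yml" <<'EOF'
jobs:
  release:
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - name: Release
        uses: googleapis/release-please-action@v4.2.0 # moving tag: blocked by the org policy
EOF
}

# Offline demo: the pinned file passes, the tag-based file is reported.
demo_dir=$(mktemp -d)
write_sample_workflows "$demo_dir"
check_pinned_actions "$demo_dir/pinned.yml"   && echo "pinned.yml: every action is SHA-pinned"
check_pinned_actions "$demo_dir/unpinned.yml" || echo "unpinned.yml: would be blocked by the org policy"
rm -rf "$demo_dir"
```

Run the check against `.github/workflows/*.yml` in a pre-commit hook or a CI job so a tag reference is caught before the org policy blocks a release run. When bumping the action, resolve the new tag with `resolve_tag_to_sha` and keep the human-readable version in a trailing `# vX.Y.Z` comment, as the pinned line above does; the comment is informational only and the SHA is what the runner fetches.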

@yordis yordis merged commit 15bbdc5 into main Apr 16, 2026
3 checks passed
@yordis yordis deleted the yordis/fix-pin-release-please-action branch April 16, 2026 20:47