Pin `setup-node` action to a commit hash by ShaharNaveh · Pull Request #7495 · RustPython/RustPython

github-advanced-security

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: f64d73a3-d1e9-4b20-94f7-cb2d59a4a001

📥 Commits

Reviewing files that changed from the base of the PR and between 0270247 and 4aaa661.

📒 Files selected for processing (1)

.github/workflows/ci.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

.github/workflows/ci.yaml

📝 Walkthrough

Walkthrough

A GitHub Actions step in the wasm job is updated to pin the Node.js setup action from a floating version tag (v6) to a specific commit hash (53b83947a5a98c8d113130e565377fae1a50d02f, corresponding to v6.3.0), ensuring reproducible and consistent workflow behavior.

Changes

Cohort / File(s)	Summary
GitHub Actions Version Pinning `.github/workflows/ci.yaml`	Node.js setup action pinned to specific commit hash in `wasm` job for improved reproducibility and security.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Pin setup-python action to a commit hash - part 1 #7492: Pins actions/setup-python in the same CI workflow file as part of a broader pattern of hardening GitHub Actions dependencies.

Suggested reviewers

youknowone

Poem

🐰 A version floated in the air so free,
Now pinned to commit—precise as can be!
Reproducible runs, no surprises in sight,
Our workflows are locked and forever so tight! 🔒

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: pinning the `setup-node` action to a commit hash, which matches the actual modification in `.github/workflows/ci.yaml`.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}