Conversation

LordMelkor
Contributor

Summary

Introduces automated tooling (ratchet) and a new CI workflow to enforce that all GitHub Actions workflow dependencies remain pinned to specific commit SHAs. This will prevent regressions and ensure ongoing adherence to security best practices.

Changes

  • Added ratchet.json: Configuration file for the ratchet tool, specifying that all files in ./.github/workflows should be checked in strict mode.
  • Added .github/workflows/ratchet-verify.yml: A new GitHub Actions workflow that:
    • Triggers on pull requests that modify files within the .github/workflows/ directory.
    • Checks out the code using a pinned actions/checkout reference.
    • Installs the sethvargo/ratchet CLI tool.
    • Runs ratchet lint .github/workflows to verify that all action uses: statements are pinned to full SHAs.
    • The CI job will fail if any unpinned actions are detected, blocking PR merge.

Files Added

  • ratchet.json
  • .github/workflows/ratchet-verify.yml

How It Works

This new CI check acts as a safeguard. If a future Pull Request attempts to introduce a GitHub Action referenced by a mutable tag (e.g., @v4, @main) instead of a specific commit SHA, the ratchet-verify workflow will fail, alerting maintainers and preventing the merge until the action is correctly pinned.

Dependencies

  • The enforcement workflow utilizes the sethvargo/ratchet tool.
  • The installation of ratchet is handled within the workflow by downloading the latest release binary.

Important Note on Merge Order

This Pull Request is dependent on the changes in PR #651, which pins existing GitHub Actions to SHAs. It is recommended that PR #651 be reviewed and merged first. This PR then provides the continuous enforcement mechanism for those security improvements.

@Copilot Copilot AI review requested due to automatic review settings June 13, 2025 18:37
@LordMelkor LordMelkor requested a review from yamadashy as a code owner June 13, 2025 18:37

coderabbitai bot commented Jun 13, 2025


Walkthrough

This update introduces commit SHA pinning for all GitHub Actions across multiple workflow files to enhance determinism and security. It also adds a new workflow and configuration for enforcing SHA pinning using the Ratchet tool. No changes were made to workflow logic, steps, or exported entities.

Changes

File(s) and change summary:

  • .github/workflows/ci.yml, .github/workflows/codeql.yml, .github/workflows/docker.yml, .github/workflows/pack-repository.yml, .github/workflows/test-action.yml, .github/workflows/claude.yml: All GitHub Actions references updated from version tags to specific commit SHAs. Minor formatting adjustments in triggers and indentation. No logic changes.
  • .github/workflows/homebrew.yml: Homebrew-related actions pinned from master to a specific commit SHA.
  • .github/workflows/ratchet-verify.yml: New workflow added to verify that workflow files have pinned SHAs using the Ratchet tool.
  • ratchet.json: New configuration file added to enforce strict SHA pinning for .github/workflows/.

Sequence Diagram(s)

sequenceDiagram
    participant Developer
    participant GitHub
    participant Ratchet
    participant Workflow

    Developer->>GitHub: Open PR modifying .github/workflows/
    GitHub->>Ratchet: Trigger "Ratchet verify" workflow
    Ratchet->>GitHub: Checkout code
    Ratchet->>GitHub: Install ratchet tool
    Ratchet->>GitHub: Run ratchet lint on workflows
    Ratchet->>Developer: Report pass/fail on SHA pinning
    Note over Workflow: All other workflows now use pinned SHAs for actions

Possibly related PRs

  • Use official actionlint image in CI #156: Also modifies .github/workflows/ci.yml, but focuses on replacing the actionlint step and adding a new lint-renovate-config job, whereas this PR focuses on pinning actions to specific SHAs.


@gemini-code-assist gemini-code-assist bot left a comment


Summary of Changes

Hello @LordMelkor, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a new automated check in the CI pipeline to ensure that all GitHub Actions dependencies are explicitly pinned to full commit SHAs. This enhances the security posture by preventing unexpected behavior or supply chain risks from mutable action tags. A new workflow is added to run this check on relevant pull requests, and a configuration file specifies which files are subject to the check.

Highlights

  • Automated Enforcement: Introduces the sethvargo/ratchet tool and a new CI workflow to automatically enforce that all GitHub Actions used in workflows are pinned to specific commit SHAs.
  • New CI Workflow: Adds a new GitHub Actions workflow (ratchet-verify.yml) that triggers on pull requests modifying workflow files and runs the ratchet check.
  • Configuration: Adds a ratchet.json configuration file specifying that files in the ./.github/workflows directory should be checked in strict mode.
  • Security Improvement: This check prevents regressions and ensures ongoing adherence to security best practices by blocking PRs that introduce unpinned actions.
  • Dependency: Notes that this PR is dependent on PR #651, which handles the initial pinning of existing actions.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a ratchet.json configuration file to enforce SHA pinning for GitHub Actions workflows, enhancing security by preventing the use of mutable tags. The configuration specifies that all files in the ./.github/workflows directory should be checked in strict mode.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/ratchet-verify.yml (1)

16-16: Add newline at end of file
YAMLlint flags a missing newline at EOF; please ensure the file ends with a newline.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 16-16: no new line character at the end of file

(new-line-at-end-of-file)


📥 Commits

Reviewing files that changed from the base of the PR and between 0d0f20e and 395ef78.

📒 Files selected for processing (9)
  • .github/workflows/ci.yml (4 hunks)
  • .github/workflows/claude.yml (1 hunks)
  • .github/workflows/codeql.yml (2 hunks)
  • .github/workflows/docker.yml (2 hunks)
  • .github/workflows/homebrew.yml (1 hunks)
  • .github/workflows/pack-repository.yml (1 hunks)
  • .github/workflows/ratchet-verify.yml (1 hunks)
  • .github/workflows/test-action.yml (2 hunks)
  • ratchet.json (1 hunks)

🔇 Additional comments (36)
ratchet.json (1)

1-4: Configuration appears correct for strict enforcement.

The paths targeting ./.github/workflows and mode: "strict" will ensure Ratchet lints all workflow files under that directory.

.github/workflows/homebrew.yml (1)

13-21: Actions are correctly pinned to immutable SHAs.

Each uses: line now references a fixed commit and retains the # ratchet: annotation for the original tag. This aligns with the enforcement policy.

.github/workflows/claude.yml (1)

28-34: Consistent SHA pinning applied.

Both actions/checkout and anthropics/claude-code-action are now tied to exact commit SHAs with ratchet comments, ensuring reproducibility.

.github/workflows/test-action.yml (1)

24-53: Checkout and artifact upload steps pinned correctly.

The actions/checkout and actions/upload-artifact references are now fixed to specific SHAs, matching the new security standard.

.github/workflows/docker.yml (1)

30-62: All core and Docker Actions pinned to commit SHAs.

The actions/checkout, docker/metadata-action, docker/setup-qemu-action, docker/setup-buildx-action, docker/login-action, and docker/build-push-action steps now use immutable commit references with ratchet annotations.

.github/workflows/pack-repository.yml (5)

6-6: Standardize branch trigger format
Removing extra spaces inside the branch array yields consistent syntax across workflows.


8-8: Standardize branch trigger format
Consistent branch specification for pull_request triggers.


15-15: Pin actions/checkout to a specific SHA
The use of a full commit SHA ensures immutability and aligns with the ratchet enforcement.


18-18: Pin Repomix action to a specific SHA
Replacing the mutable @main reference with a fixed commit enhances reproducibility.


23-23: Pin actions/upload-artifact to a specific SHA
Immutable pinning reduces the risk of unexpected behavior from tag updates.

.github/workflows/codeql.yml (6)

5-5: Standardize branch trigger format
Using ["main"] without extra spaces aligns with other workflows.


7-7: Standardize branch trigger format
Consistent formatting for pull_request triggers.


25-26: Normalize matrix include formatting
The adjusted indentation and consistent syntax improve readability and maintain alignment with other workflows.


28-29: Pin actions/checkout to a specific SHA
Ensures workflow immutability and matches the ratchet configuration.


33-33: Pin CodeQL init action to a specific SHA
Replacing the version tag with a full commit SHA enhances stability.


49-49: Pin CodeQL analyze action to a specific SHA
Immutable reference prevents future tag-related regressions.

.github/workflows/ci.yml (16)

5-5: Standardize branch trigger format
Removing extraneous spaces in the branch array yields uniform syntax across workflows.


7-7: Standardize branch trigger format
Consistent branch specification for pull_request triggers.


16-17: Pin checkout and setup-node in Lint Biome job
Locking actions/checkout and actions/setup-node to specific SHAs ensures deterministic CI behavior.


29-30: Pin checkout and setup-node in Lint TypeScript job
Immutable references reduce drift in linting environments.


42-43: Pin checkout and setup-node in Lint Secretlint job
Stability is improved by fixing these actions to exact commit SHAs.


55-56: Pin checkout and setup-node in Lint Website Client job
Ensures consistent dependency resolution for the website client.


75-76: Pin checkout and setup-node in Lint Website Server job
Immutable references prevent unexpected updates in server linting.


93-94: Pin checkout and setup-node in Lint Browser Extension job
Locking these actions maintains a stable lint environment for the extension.


111-112: Pin checkout and actionlint in Lint GitHub Actions job
Both actions/checkout and rhysd/actionlint are now fixed to SHAs, ensuring consistency.


120-121: Pin checkout and typos action in Check Typos job
Immutable references prevent drift in typo-checking tools.


131-133: Pin checkout and setup-node in Test job
Locking runner setup to specific SHAs strengthens repeatability across OS and Node versions.


145-146: Pin checkout and setup-node in Test Coverage job
Fixed SHAs ensure deterministic coverage generation.


154-158: Pin upload-artifact and codecov actions in Test Coverage job
Both artifact upload and coverage reporting are now using immutable SHAs.


170-171: Pin checkout and setup-node in Test Browser Extension job
Ensuring consistent dependencies for browser tests by locking to SHAs.


192-194: Pin checkout and setup-node in Build and Run job
Locking these actions to commit SHAs safeguards against upstream changes.


205-205: Pin upload-artifact in Build and Run job
Artifact step is now referencing a fixed commit SHA.

.github/workflows/ratchet-verify.yml (4)

4-4: Scope verification to workflow directory
Using paths: ['.github/workflows/**'] correctly restricts checks to relevant files.


9-9: Pin actions/checkout to a specific SHA
Immutable checkout reference aligns with ratchet enforcement.


12-14: Install and verify Ratchet CLI
Downloading the latest binary and confirming its version ensures the enforcement tool is available.


16-16: Run Ratchet lint for SHA pin verification
Enforces the pinning policy across all GitHub workflow files.


@yamadashy yamadashy force-pushed the chore/add-ratchet-check branch from 395ef78 to 9906aa3 Compare June 15, 2025 04:34
@yamadashy yamadashy requested a review from Copilot June 15, 2025 05:12

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds automated enforcement for pinning GitHub Actions workflow dependencies to specific commit SHAs using the ratchet tool.

  • Introduces a CI workflow (ratchet-verify.yml) that fails if any uses: statements in .github/workflows are not pinned.
  • Updates existing workflows to reference each action by full SHA instead of mutable tags.
  • (As described) Adds a ratchet.json config to drive strict mode checks on the workflows directory.

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/test-action.yml: Pinned actions/checkout and actions/upload-artifact steps to SHAs
  • .github/workflows/ratchet-verify.yml: New workflow to run ratchet lint on all workflow files
  • .github/workflows/pack-repository.yml: Pinned checkout, Repomix action, and upload-artifact steps to SHAs
  • .github/workflows/homebrew.yml: Pinned Homebrew actions (setup-homebrew, git-user-config, bump-packages) to SHAs
  • .github/workflows/docker.yml: Pinned Docker action steps to SHAs (metadata-action, setup-qemu-action, build-push-action, etc.)
  • .github/workflows/codeql.yml: Pinned CodeQL init and analyze steps to SHAs
  • .github/workflows/claude.yml: Pinned anthropics/claude-code-action to a SHA
  • .github/workflows/ci.yml: Pinned checkout, setup-node, actionlint, typos, codecov, upload-artifact steps to SHAs

Comments suppressed due to low confidence (3)

.github/workflows/homebrew.yml:18

  • The SHA used here is the same as for setup-homebrew but comes from a different repository. Please pin git-user-config to its own correct commit SHA.
uses: Homebrew/actions/git-user-config@74f356bb4e3aee7d859d8e514ed57922710e0995 # ratchet:Homebrew/actions/git-user-config@master

ratchet.json:1

  • The ratchet.json configuration file is not present in this PR. Ensure it's committed so the ratchet-verify workflow can enforce strict mode on your workflows.
<missing>

.github/workflows/ratchet-verify.yml:18

  • [nitpick] The glob only matches top-level .yml files. Consider using **/*.yml or adding *.yaml to include nested workflows or alternate extensions.
run: ratchet lint .github/workflows/*.yml


codecov bot commented Jun 15, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.41%. Comparing base (068ae91) to head (ee4e8a3).
Report is 7 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #652   +/-   ##
=======================================
  Coverage   90.41%   90.41%           
=======================================
  Files          99       99           
  Lines        5529     5529           
  Branches     1180     1180           
=======================================
  Hits         4999     4999           
  Misses        530      530           


@yamadashy
Owner

yamadashy commented Jun 15, 2025

Hi, @LordMelkor!
Thank you for this PR as well!

I've made a change to use go install for installing in the CI.

Also, I couldn't find ratchet.json in the ratchet documentation or code, so I decided it was unnecessary and removed it.
What do you think?
https://github.com/sethvargo/ratchet

@LordMelkor
Contributor Author

Hi, @LordMelkor! Thank you for this PR as well!

I've made a change to use go install for installing in the CI.

Also, I couldn't find ratchet.json in the ratchet documentation or code, so I decided it was unnecessary and removed it. What do you think? https://github.com/sethvargo/ratchet

Hi @yamadashy,

Thanks for the review and the improvements!

  1. Re: go install for ratchet:
    You're right, go install is a clean way to handle this. It's listed as one of the standard installation methods in the ratchet documentation. Your change looks good.

  2. Re: ratchet.json removal:
    Good call on ratchet.json. After checking their docs again, it's clear it isn't a standard config file for ratchet. My aim for "mode": "strict" was to ensure full SHA pinning, but ratchet lint <path> (which I understand maps to ratchet check <path> for its core logic) should achieve this by default by verifying against a full 40-character SHA. So, removing the JSON file is perfectly fine.

Appreciate the cleanup!
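As an added example (not code from this PR, the repository, or sethvargo/ratchet), the checker below implements the policy the PR description and the exchange above describe: every external uses: reference must resolve to a full 40-character commit SHA, or the check fails and the merge is blocked. It also verifies that the # ratchet: annotation on a pinned line names the same action it sits on, and it walks .yml and .yaml files recursively as the Copilot nitpick suggests; the sample workflow and its SHA are constructed.

```python
"""Minimal pin checker for GitHub Actions workflow files.

Added example, not code from the PR or from sethvargo/ratchet. It reproduces
the policy the ratchet-verify workflow enforces: every external `uses:`
reference must point at a full 40-hex-character commit SHA, and the
`# ratchet:owner/repo@tag` trailer must describe the action it annotates.
"""
from __future__ import annotations

import re
from pathlib import Path

# uses: owner/repo[/subpath]@ref   [# ratchet:owner/repo[/subpath]@tag]
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*ratchet:(?P<orig>\S+))?"
)
# Git object ids are lowercase hex; an abbreviated SHA is not accepted.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_line(line: str) -> str | None:
    """Return a finding for one workflow line, or None if it is acceptable."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref, orig = m.group("action"), m.group("ref"), m.group("orig")
    # Local actions (./path) and docker images are outside this policy.
    if action.startswith("./") or action.startswith("docker://"):
        return None
    if not FULL_SHA_RE.fullmatch(ref):
        return f"{action}@{ref}: not pinned to a full 40-character commit SHA"
    if orig is not None and orig.split("@", 1)[0] != action:
        return (f"{action}: ratchet annotation names a different action "
                f"({orig}); the SHA may come from another repository")
    return None


def check_workflow(text: str, name: str = "<workflow>") -> list[str]:
    """Return findings for a whole workflow body, prefixed with name:line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        msg = check_line(line)
        if msg:
            findings.append(f"{name}:{lineno}: {msg}")
    return findings


def check_directory(root: Path) -> list[str]:
    """Scan .yml and .yaml files under root, including nested directories."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in (".yml", ".yaml"):
            findings.extend(check_workflow(path.read_text(), str(path)))
    return findings


# Constructed sample workflow (not from the repository): one annotated pin,
# one local action, and two mutable references that must be reported.
SAMPLE_WORKFLOW = """\
name: sample
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # ratchet:actions/checkout@v4
      - uses: ./.github/actions/local-thing
      - uses: actions/setup-node@v4
      - uses: sethvargo/ratchet@main
"""

if __name__ == "__main__":
    # Same contract as the CI job: a non-zero exit blocks the merge.
    problems = check_workflow(SAMPLE_WORKFLOW, "sample.yml")
    print("\n".join(problems) or "all actions pinned")
    raise SystemExit(1 if problems else 0)
```

Pointing check_directory at .github/workflows gives the same pass/fail signal the ratchet-verify job produces, without the top-level-only glob limitation.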

@yamadashy
Owner

@LordMelkor
Thank you for confirming!
It looks good, so I'll go ahead and merge it.
Thanks again for your assistance with this!

LordMelkor and others added 6 commits June 17, 2025 22:08
Keep this branch focused only on the SHA pinning security fix.
Enforcement tooling belongs in the separate chore branch.

- Add ratchet.json to configure ratchet for strict SHA checking.
- Add .github/workflows/ratchet-verify.yml to run ratchet on PRs
  affecting workflow files, ensuring continuous enforcement of
  GitHub Actions SHA pinning.

User requested addressing PR review feedback:
- Replace 'latest' download with pinned v0.11.3 version
- Switch from curl download to go install for simpler, more reliable installation
- Add actions/setup-go to ensure Go is properly configured
- Update lint command to explicitly target .yml files

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

User investigation revealed:
- ratchet.json is not documented or required by the ratchet tool
- Tool works correctly with command-line arguments only
- Configuration can be done via CLI flags (-parser, -format, etc.)
- Removing unused file to keep codebase clean

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@yamadashy yamadashy force-pushed the chore/add-ratchet-check branch from 85d88d4 to ee4e8a3 Compare June 17, 2025 13:08
@yamadashy yamadashy merged commit e27ce6a into yamadashy:main Jun 17, 2025
65 checks passed