feat(ci): add actionlint + pinact pre-commit hooks for workflow validation #728
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/fdc7b8f7b30fdbedec91b71ed82f36e1637483ed?narHash=sha256-a%2B%2BtZ1RQsDb1I0NHrFwdGuRlR5TORvCEUksM459wKUA%3D' (2026-03-23)
→ 'github:NixOS/nixpkgs/d6df3513510aa548c83868fd22bfddd0a8c0a0d4?narHash=sha256-uJZs9Di8I6ciTp6jiojj0HzlNpBkud8ax5aT/O5aJkw%3D' (2026-06-15)
• Added input 'pre-commit':
'github:cachix/git-hooks.nix/61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a?narHash=sha256-kTwur1wV%2B01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs%3D' (2026-05-11)
• Added input 'pre-commit/flake-compat':
'github:NixOS/flake-compat/5edf11c44bc78a0d334f6334cdaf7d60d732daab?narHash=sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns%3D' (2025-12-29)
• Added input 'pre-commit/gitignore':
'github:hercules-ci/gitignore.nix/637db329424fd7e46cf4185293b9cc8c88c95394?narHash=sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs%3D' (2024-02-28)
• Added input 'pre-commit/gitignore/nixpkgs':
follows 'pre-commit/nixpkgs'
• Added input 'pre-commit/nixpkgs':
follows 'nixpkgs'
…ation

Adds two pre-commit hooks via cachix/git-hooks.nix:
- actionlint: static YAML/expression/shell validation for workflow files
- pinact: enforces SHA pinning and resolves each ref against GitHub API

Also pins any previously unpinned third-party action refs to SHAs.
Exports GITHUB_TOKEN in devshell shellHook for authenticated local runs.
Adds .github/actionlint.yaml to register self-hosted runner label.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… shellHook Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…config validation Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@copilot fix the failing workflow.
Head branch was pushed to by a user without write access
Fixed in commit
🔎 Trivy Security Report
Pins all remaining action refs to SHAs and adds actionlint + pinact pre-commit hooks via the flake.
Note: run after WIF migration PR merges so pinact --check passes on hopr-workflows refs.