pin actions, disable cache #8210
📝 Walkthrough: Configure Mise to require a locked environment and change Codecov tool source; CircleCI pins Mise to v2026.5.5 and sets MISE_LOCKED; GitHub Actions release workflow disables mise-action caching, sets MISE_LOCKED, and removes the separate actions/setup-node step so
Changes: CI & Mise configuration
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-pr.yml:
- Around line 25-27: The workflow step using the jdx/mise-action (name "Install
Node with Mise") leaves caching enabled by default; update that step to disable
the Mise cache by adding a with configuration setting cache: false on the
jdx/mise-action invocation so the privileged release-pr job does not reuse
cached artifacts (i.e., modify the "Install Node with Mise" step to include
with.cache: false).
🔇 Additional comments (1) on .github/workflows/release-pr.yml:
20-20: LGTM! Also applies to: 32-32
Actionable comments posted: 1
Inline comments:
In @.config/mise/config.toml:
- Around line 13-14: The config enables lockfiles but no lock exists: run the
Mise locking command to generate and commit the actual lockfile; specifically,
with the current setting lockfile = true run the CLI command mise lock to
produce a mise.lock, verify the file captures pinned tool versions, and
add/commit mise.lock to the repo so versions are truly pinned.
⛔ Files ignored due to path filters (1): .config/mise/mise.lock is excluded by !**/*.lock
glasser left a comment:
FWIW we're not really vulnerable to these attacks right now because we run PR CI in CircleCI and release CD in GitHub Actions, but that could change.
| env: | ||
| MISE_LOCKED: "1" | ||
|
|
||
| # deliberately not using a cache for action with elevated permissions, see https://tanstack.com/blog/npm-supply-chain-compromise-postmortem |
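Review bot: `MISE_LOCKED: "1"` in this `env:` block makes the job fail outright when `.config/mise/mise.lock` is missing or out of date, so the lock has to be committed in the same change rather than later; also, the `# deliberately not using a cache` comment sits beside `env:` rather than beside the mise-action `cache: false` it refers to, so spell out in the comment which caches it means (the removed actions/setup-node npm cache as well as the mise-action cache).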
I think this comment implies that the cache: false above relates to the npm cache, but really you're just saying that you're not using something like setup-node that does npm cache caching — probably worth being explicit
Tbh., the comment is here primarily so nobody (= no helpful agent) gets the idea of adding a cached npm install or cached anything else - if you have better wording for it, please go for it :)
Also, the diff is weird here - I did put the comment in the place where previously this code was found:
```yaml
# Because Mise installs Node, this action mostly just caches node_modules.
- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    cache: 'npm'
```
Understood, but I only understood that because I saw the now-deleted comments :)
| steps: | ||
| - name: Checkout Repo | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd |
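Review bot: the digest pin `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` carries no trailing tag comment; a bare digest tells a reviewer nothing about which release it corresponds to and gives Renovate's digest updater nothing to track, so keep the tag as a comment after the digest (`# v4`) or let Renovate write it.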
Did you do this manually? I think it would be better to configure Renovate to do pinning for GHA (https://docs.renovatebot.com/modules/manager/github-actions/#digest-pinning-and-updating) instead of doing it manually; it will leave in an appropriate comment which will allow it to create update PRs which we can hypothetically evaluate.
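The two review points in this thread, pinning every third-party action to a commit digest (with a trailing version comment so Renovate can keep it current) and keeping caches off in a job that holds write permissions, as an added Python lint. This is example code, not part of this PR or of apollo-server. The two workflow snippets are constructed for the example: the actions/checkout digest is the one from this PR, the jdx/mise-action digest is an all-zero placeholder, and the parser is a deliberately small line-based one rather than a YAML parser.

```python
"""Lint a GitHub Actions workflow for the two weaknesses discussed above:
third-party actions pinned to a mutable tag instead of a commit digest, and
dependency caches left enabled in a job that holds write permissions."""
import re

DIGEST = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
KEY_VALUE = re.compile(r"^\s*(\w[\w-]*):\s*(.*?)\s*$")
# Actions that write a cache unless told not to (jdx/mise-action, per the
# review comment above). actions/setup-node caches only when `cache:` is set.
CACHE_BY_DEFAULT = {"jdx/mise-action"}
WRITE_PERMISSIONS = {"contents", "id-token", "packages", "pull-requests"}

# Constructed "before" workflow: tag pins, npm cache, mise-action default cache.
BEFORE_WORKFLOW = """\
name: Release PR
permissions:
  contents: write
  pull-requests: write
jobs:
  release-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
      - name: Install Node with Mise
        uses: jdx/mise-action@v2
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          cache: 'npm'
"""

# Constructed "after" workflow. The checkout digest is the one from this PR;
# the mise-action digest is an all-zero PLACEHOLDER, not a real commit.
AFTER_WORKFLOW = """\
name: Release PR
permissions:
  contents: write
  pull-requests: write
jobs:
  release-pr:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
      - name: Install Node with Mise
        uses: jdx/mise-action@0000000000000000000000000000000000000000 # v2 (placeholder digest)
        with:
          cache: false
        env:
          MISE_LOCKED: "1"
"""


def parse_workflow(text):
    """Small line-based parser (not a YAML parser). Returns
    (workflow_has_write_permissions, [{"action", "ref", "comment", "with"}])."""
    steps, has_write, current = [], False, None
    for line in text.splitlines():
        m = USES.match(line)
        if m:
            action, _, ref = m.group(1).partition("@")
            current = {"action": action, "ref": ref,
                       "comment": (m.group(2) or "").strip(), "with": {}}
            steps.append(current)
            continue
        if line.lstrip().startswith("- "):  # a new list item ends the previous step
            current = None
            continue
        kv = KEY_VALUE.match(line)
        if not kv:
            continue
        key, value = kv.groups()
        if key in WRITE_PERMISSIONS and value == "write":
            has_write = True
        elif current is not None:  # keys following `uses:` belong to that step
            current["with"][key] = value.strip("'\"")
    return has_write, steps


def lint_workflow(text):
    """Return a list of human-readable findings; an empty list means it passes."""
    has_write, steps = parse_workflow(text)
    findings = []
    for step in steps:
        where = f"{step['action']}@{step['ref'] or '<no ref>'}"
        if not DIGEST.match(step["ref"]):
            findings.append(f"{where}: pinned to a mutable ref, not a 40-hex commit digest")
        elif not re.search(r"#\s*v?\d", step["comment"]):
            findings.append(f"{where}: digest pin has no '# vX.Y.Z' comment for Renovate to track")
        if not has_write:
            continue  # caches in read-only jobs are a smaller risk; not flagged here
        cache = step["with"].get("cache")
        if cache == "false":
            continue
        if cache is not None or step["action"] in CACHE_BY_DEFAULT:
            shown = cache if cache is not None else "action default"
            findings.append(f"{where}: cache enabled in a workflow with write permissions (cache: {shown})")
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        print(f"{label}: {len(lint_workflow(wf))} finding(s)")
        for finding in lint_workflow(wf):
            print("  -", finding)
```

Running it reports five findings for the "before" workflow (three mutable refs, the setup-node npm cache and the mise-action default cache) and none for the "after" one. The cache rule is scoped to workflows with write permissions on purpose: a poisoned cache matters most where the job can publish or push.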
Actionable comments posted: 1
Inline comments:
In @.config/mise/config.toml:
- Around line 13-14: The repository has mise lockfile support enabled via the
settings key lockfile = true but the actual mise.lock is missing; run the mise
lock command locally (mise lock) to generate mise.lock, verify the generated
file, add and commit mise.lock to the repo so the lockfile setting takes effect
and tool versions are pinned.
⛔ Files ignored due to path filters (1): .config/mise/mise.lock is excluded by !**/*.lock
🔇 Additional comments (2) on .config/mise/config.toml:
15-16: ⚖️ Poor tradeoff. Clarify the purpose of disabling GitHub attestations and SLSA verification.
These are valid Mise security features (enabled by default), but the git history indicates this PR explicitly does not pin action SHAs. Confirm whether these settings are disabled because:
- The codecov-cli tool doesn't support these verification mechanisms
- There's a known incompatibility requiring this workaround
- Another specific reason
If this config is for local development tools rather than GitHub Actions, the disabled verification settings may be appropriate.
7-7: ⚡ Quick win. Codecov-cli configuration is correctly configured.
The github: prefix is valid Mise syntax for GitHub-sourced tools (documented in Mise's GitHub backend), and the version 10.4.0 is appropriately pinned. Version 11.2.8 is now available as the latest release, but no security vulnerabilities were found in 10.4.0, so the current pin is acceptable.
| [settings] | ||
| lockfile = true |
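Review bot: `lockfile = true` only pins anything when a `mise.lock` sits next to this config; the review output lists `.config/mise/mise.lock` among the files excluded by the `!**/*.lock` path filter, while the verification script below tests for `mise.lock` at the repository root, so the "NOT FOUND" result is explained by where the script looked rather than by a missing lock. Check that the committed `.config/mise/mise.lock` has an entry for every tool under `[tools]` before merging.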
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Check if mise.lock exists
if [ -f "mise.lock" ]; then
  echo "✓ mise.lock exists"
  echo "Lock file content:"
  cat mise.lock
else
  echo "✗ mise.lock NOT FOUND - lockfile setting will have no effect"
  exit 1
fi
```
Repository: apollographql/apollo-server
Length of output: 132
Generate and commit the mise.lock file to pin tool versions.
The lockfile = true setting is enabled, but the mise.lock file does not exist in the repository. Without this file, the lockfile setting has no effect and tool versions remain unpinned, breaking reproducibility across environments. Generate the lock file by running mise lock and commit it to the repository.
In the light of https://tanstack.com/blog/npm-supply-chain-compromise-postmortem: