
chore(ci): replace ratchet with pinact for GitHub Actions SHA pinning #866

Merged
yamadashy merged 2 commits into main from chore/pinact
Sep 23, 2025


Conversation

@yamadashy
Owner

This PR replaces the ratchet tool with pinact for managing GitHub Actions SHA pinning across all workflow files.

Summary

  • Remove ratchet workflows: Deleted ratchet-update.yml and ratchet-verify.yml workflows
  • Add pinact workflow: New pinact.yml workflow for automated SHA pinning
  • Update action comments: Changed from ratchet-style comments (# ratchet:action@v1) to pinact-style comments (# v1.2.3)
  • Add pinact configuration: New .pinact.yaml config file with ignore rules for Homebrew actions and local actions
  • Update npm scripts: Replaced ratchet-* scripts with pinact-* commands in package.json

Benefits

  • More reliable SHA pinning with better GitHub Actions integration
  • Cleaner comment format without the ratchet: prefix
  • Active maintenance and better error handling compared to ratchet

Checklist

  • Run npm run test
  • Run npm run lint

This replaces the ratchet tool with pinact for managing GitHub Actions SHA pinning across all workflow files. The changes include:

- Remove ratchet-update.yml and ratchet-verify.yml workflows
- Add new pinact.yml workflow for automated SHA pinning
- Update all workflow files to use pinact-style comments (# v1.2.3 instead of # ratchet:action@v1)
- Add .pinact.yaml configuration file with ignore rules for Homebrew actions and local actions
- Update package.json scripts to use pinact commands instead of ratchet

Pinact provides more reliable SHA pinning with better GitHub Actions integration.
Copilot AI review requested due to automatic review settings September 23, 2025 14:18
@coderabbitai
Contributor

coderabbitai bot commented Sep 23, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Pins and updates GitHub Actions versions across workflows, adds Pinact configuration and workflow, replaces Ratchet scripts/workflows with Pinact equivalents, and updates the local composite action to a pinned setup-node commit. No business logic or application code changes.

Changes

Cohort / File(s) Summary of changes
Workflow action version updates
.github/workflows/autofix.yml, .github/workflows/benchmark.yml, .github/workflows/ci.yml, .github/workflows/claude-review.yml, .github/workflows/claude.yml, .github/workflows/codeql.yml, .github/workflows/docker.yml, .github/workflows/homebrew.yml, .github/workflows/pack-repository.yml, .github/workflows/schema-update.yml, .github/workflows/test-action.yml
Updated external action refs to explicit tags/versions (e.g., actions/checkout@v5.0.0, actions/setup-node@v5.0.0, artifact/codecov/docker/CodeQL versions). Homebrew actions moved to @main. Repomix and other refs adjusted to tagged or branch pins. No logic changes.
Introduce Pinact
.github/workflows/pinact.yml, .pinact.yaml, package.json
Added Pinact workflow (checkout + pin actions). Added Pinact config (v3) with file patterns and ignore rules. Replaced Ratchet npm scripts with pinact-run and pinact-check.
Remove Ratchet workflows
.github/workflows/ratchet-update.yml, .github/workflows/ratchet-verify.yml
Deleted scheduled update and PR-verify workflows for Ratchet.
Local composite action pin update
.github/actions/repomix/action.yml
Pinned actions/setup-node from @v4 to a specific commit (commented as v4.4.0). Surrounding logic unchanged.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Pull Request
  participant GH as GitHub Actions
  participant Job as Pinact Job
  participant Pin as pinact-action

  Dev->>GH: PR opened/synchronized
  GH->>Job: Trigger workflow "Pinact"
  activate Job
  Job->>Job: actions/checkout@<pinned>
  Job->>Pin: suzuki-shunsuke/pinact-action@<pinned>
  activate Pin
  Pin-->>Job: Scan workflows and pin/verify action refs
  deactivate Pin
  Job-->>GH: Complete (success/failure)
  deactivate Job

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks

✅ Passed checks (3 passed)
Check name Status Explanation
Title Check ✅ Passed The title succinctly and accurately summarizes the primary change: replacing ratchet with pinact for GitHub Actions SHA pinning. It follows conventional commit style (chore(ci):) and is specific to the workflow and config modifications present in the diff.
Description Check ✅ Passed The PR description follows the repository template and provides a clear summary, enumerated changes (removed ratchet workflows, added pinact workflow and config, updated action comments, and updated npm scripts), stated benefits, and the checklist with npm test and lint items marked complete. The details align with the file-level changes in the diff and give reviewers sufficient context to evaluate the change.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

@gemini-code-assist
Contributor

Summary of Changes

Hello @yamadashy, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request initiates the migration of GitHub Actions SHA pinning from the ratchet tool to pinact. This change is intended to enhance the reliability and maintainability of the CI/CD pipeline by utilizing a more actively developed tool, providing clearer action comments, and improving error handling. The core changes involve introducing pinact's configuration, updating development scripts, and applying initial SHA pins.

Highlights

  • Migration to pinact: The project is transitioning from the ratchet tool to pinact for managing GitHub Actions SHA pinning, aiming for more reliable and actively maintained CI/CD practices.
  • New pinact configuration: A new .pinact.yaml configuration file has been added to define which workflow and action files pinact should process, along with ignore rules for specific actions like Homebrew and local repository actions.
  • Updated npm scripts: The package.json file has been updated to replace the old ratchet-pin and ratchet-update npm scripts with new pinact-run and pinact-check commands, reflecting the tool change.
  • SHA pinning applied: An example of SHA pinning has been applied to the actions/setup-node@v4 action within .github/actions/repomix/action.yml, demonstrating the new pinning methodology.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages bot commented Sep 23, 2025

Deploying repomix with Cloudflare Pages

Latest commit: 066087e
Status: ✅  Deploy successful!
Preview URL: https://7efafb7c.repomix.pages.dev
Branch Preview URL: https://chore-pinact.repomix.pages.dev


@codecov

codecov bot commented Sep 23, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.85%. Comparing base (ddb2131) to head (066087e).
⚠️ Report is 3 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #866   +/-   ##
=======================================
  Coverage   88.85%   88.85%           
=======================================
  Files         109      109           
  Lines        7575     7575           
  Branches     1423     1423           
=======================================
  Hits         6731     6731           
  Misses        844      844           



@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request successfully replaces the ratchet tool with pinact for pinning GitHub Actions to specific commit SHAs. The changes are well-implemented, including updating the action usage in the composite action, adding a pinact configuration file, and updating the npm scripts. I have one suggestion to make the new .pinact.yaml configuration file slightly more concise. Overall, this is a solid improvement for the repository's CI/CD security and reliability.


Copilot AI left a comment


Pull Request Overview

This PR migrates from ratchet to pinact for GitHub Actions SHA pinning to improve automation and maintain security standards. The change replaces a deprecated tool with an actively maintained alternative that provides better GitHub Actions integration.

  • Removes ratchet workflows and scripts, replacing them with pinact equivalents
  • Updates all action comments from ratchet-style (# ratchet:action@v1) to pinact-style (# v1.2.3)
  • Adds pinact configuration with ignore rules for Homebrew and local actions

Reviewed Changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 4 comments.

File Description
package.json Updates npm scripts to use pinact commands instead of ratchet
.pinact.yaml Adds configuration file for pinact with file patterns and ignore rules
.github/workflows/ratchet-*.yml Removes old ratchet verification and update workflows
.github/workflows/pinact.yml Adds new pinact workflow for SHA pinning verification
.github/workflows/*.yml Updates action comments to pinact format across all workflow files
.github/actions/repomix/action.yml Adds SHA pinning to local action that was previously unpinned

Updated actions/setup-node from v4.4.0 to v5.0.0 across workflow files as part of the pinact migration for GitHub Actions SHA pinning.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (3)
.github/actions/repomix/action.yml (1)

46-46: Align setup-node version with workflows (v5).

Workflows use actions/setup-node v5.0.0; the composite action uses v4.4.0. For consistency and latest fixes, bump to the v5.0.0 commit SHA.

Apply:

-uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
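Review bot: the suggested line crosses a major version of actions/setup-node (v4.4.0 to v5.0.0), so before accepting it confirm that a0853c24544627f65ddf259abe73b1d18a591444 resolves to the v5.0.0 tag in the upstream repository and that nothing in the composite action depends on v4-specific behaviour. The trailing comment must state the version the SHA actually points at; it is the only human-readable record of what was pinned, and a comment that drifts from the commit defeats the purpose of the `# v5.0.0` convention this PR adopts.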

Optionally, consider defaulting node-version to the repo’s supported LTS.

.github/workflows/ci.yml (1)

16-18: Optional: DRY common setup across jobs.

Consider a reusable workflow or local composite action for checkout + setup-node to reduce repetition.

.github/workflows/pinact.yml (1)

1-15: Set explicit, least‑privilege permissions.

Pinact runs on PRs; define minimal permissions (and write only if you want it to comment).

Apply this diff:

 name: Pinact
 on:
   pull_request: {}
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   pinact:
     runs-on: ubuntu-24.04
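Review bot: `pull-requests: write` grants more than a check-only run needs. If the job is meant only to verify pins on pull requests (the later note on pinact.yml lines 13-15 asks to confirm exactly that), keep `contents: read` alone and add the write scope only once the action is configured to post a comment or push fixes. Adding a top-level `permissions:` block is still the right move either way, since it replaces the default token scopes for every job in the workflow.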
📜 Review details

Configuration used: Path: .coderabbit.yaml

📥 Commits

Reviewing files that changed from the base of the PR and between ddb2131 and 066087e.

📒 Files selected for processing (17)
  • .github/actions/repomix/action.yml (1 hunks)
  • .github/workflows/autofix.yml (2 hunks)
  • .github/workflows/benchmark.yml (4 hunks)
  • .github/workflows/ci.yml (16 hunks)
  • .github/workflows/claude-review.yml (1 hunks)
  • .github/workflows/claude.yml (1 hunks)
  • .github/workflows/codeql.yml (2 hunks)
  • .github/workflows/docker.yml (2 hunks)
  • .github/workflows/homebrew.yml (1 hunks)
  • .github/workflows/pack-repository.yml (1 hunks)
  • .github/workflows/pinact.yml (1 hunks)
  • .github/workflows/ratchet-update.yml (0 hunks)
  • .github/workflows/ratchet-verify.yml (0 hunks)
  • .github/workflows/schema-update.yml (1 hunks)
  • .github/workflows/test-action.yml (2 hunks)
  • .pinact.yaml (1 hunks)
  • package.json (1 hunks)
💤 Files with no reviewable changes (2)
  • .github/workflows/ratchet-update.yml
  • .github/workflows/ratchet-verify.yml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2024-11-02T17:45:31.561Z
Learnt from: chenrui333
PR: yamadashy/repomix#151
File: .github/workflows/release.yml:13-13
Timestamp: 2024-11-02T17:45:31.561Z
Learning: For `.github/workflows/release.yml`, the project prefers to use `master` for GitHub Actions instead of pinning specific versions.

Applied to files:

  • .github/workflows/pack-repository.yml
  • .github/workflows/homebrew.yml
  • .github/workflows/docker.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build-and-publish-image
🔇 Additional comments (24)
.github/workflows/claude-review.yml (1)

16-16: Good pin on actions/checkout.

.github/workflows/pack-repository.yml (3)

15-15: Good pin on actions/checkout.


18-18: Avoid @main for the composite action; pin or use local path.

Referencing the repo action via @main is mutable and a supply‑chain risk. Prefer pinning to a commit SHA or using the local action path for this repo.

Suggested change:

-uses: yamadashy/repomix/.github/actions/repomix@main
+uses: ./.github/actions/repomix
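Review bot: `./.github/actions/repomix` resolves only after actions/checkout has run in the same job, which the pin on line 15 confirms is the case here. It also means the workflow exercises the pull request's own copy of the action rather than whatever is on main at run time, which is the behaviour wanted when a repository tests its own action. Since .pinact.yaml already ignores the `yamadashy/repomix/.github/actions/repomix` name to tolerate the `@main` form, switching to the local path also lets that ignore entry be dropped, leaving one fewer unpinned reference the tool is told to look past.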

Alternatively, pin to a specific commit SHA with an inline version comment.


23-23: Good pin on upload-artifact.

.github/workflows/claude.yml (1)

28-28: Good pin on actions/checkout.

.github/workflows/test-action.yml (2)

24-24: Good pin on actions/checkout.


53-53: Good pin on upload-artifact.

.github/workflows/autofix.yml (2)

15-15: Good pin on actions/checkout.


18-18: Good pin on setup-node.

.github/workflows/codeql.yml (3)

29-29: Good pin on actions/checkout.


33-33: Good pin on codeql init.


49-49: Good pin on codeql analyze.

.github/workflows/benchmark.yml (4)

28-30: Good pins on checkout and setup-node.


66-66: Good pin on upload-artifact.


83-85: Good pins on checkout and setup-node (full job).


118-118: Good pin on upload-artifact (full job).

.github/workflows/schema-update.yml (1)

18-28: LGTM: Pinned actions with clear version comments.

Good move to commit-SHA pins plus human-readable tags.

.github/workflows/homebrew.yml (1)

13-21: Confirm intentional @main usage for Homebrew actions.

These are excluded in .pinact.yaml. If this exception is policy, keep; otherwise consider pinning specific SHAs or vendoring.

.github/workflows/docker.yml (1)

30-62: LGTM: Docker actions are properly pinned.

All critical Docker steps use commit-SHA pins and current tags.

.github/workflows/ci.yml (1)

16-18: LGTM: Systematic pinning across all jobs.

Thanks for standardizing on SHAs and adding version comments.

Also applies to: 29-31, 41-43, 54-56, 67-69, 84-86, 101-103, 120-122, 129-131, 140-143, 159-162, 173-175, 182-187, 198-200, 221-224, 235-236, 248-251, 261-262

.github/workflows/pinact.yml (1)

13-15: Verify Pinact action mode on PRs.

Confirm the action’s default is check-only (no writes) under PR events; adjust flags if you expect auto-fixes.

.pinact.yaml (2)

3-6: Condense patterns with brace expansion (and consider recursive actions).

Shorter and future‑proof for nested action dirs.

Apply this diff:

 files:
-  - pattern: .github/workflows/*.yml
-  - pattern: .github/workflows/*.yaml
-  - pattern: .github/actions/*/action.yml
-  - pattern: .github/actions/*/action.yaml
+  - pattern: .github/workflows/*.{yml,yaml}
+  - pattern: .github/actions/**/action.{yml,yaml}
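Review bot: confirm pinact's pattern matcher accepts brace expansion and `**` before adopting this; a glob the tool does not understand matches nothing, and a config that matches no files silently leaves every workflow unpinned while the check still passes. After the change, run the check locally and verify that files under both .github/workflows/ and .github/actions/*/ still appear in its output.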

8-12: Confirm ignore pattern for local composite action

Current .pinact.yaml ignores yamadashy/repomix/.github/actions/repomix (matches .github/workflows/pack-repository.yml), but workflows also call the local action as ./.github/actions/repomix (in .github/workflows/test-action.yml). Pinact’s ignore name is an exact Go regexp and may not normalize local paths to the repo‑qualified name — either add an ignore entry for the local path (e.g. name: '^\./\.github/actions/repomix$' ref: '.*') or confirm Pinact resolves local uses to 'yamadashy/repomix/.github/actions/repomix'.

package.json (1)

45-47: LGTM: Pinact scripts added.

Matches the workflow migration away from Ratchet.

@yamadashy yamadashy merged commit 495e4c5 into main Sep 23, 2025
53 checks passed
@yamadashy yamadashy deleted the chore/pinact branch September 23, 2025 14:32
@coderabbitai coderabbitai bot mentioned this pull request Nov 26, 2025