PR for v0.1.2#293
Conversation
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
chore(deps): update dependency puppeteer to v25
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis PR updates GitHub Actions versions for Storybook deployment and npm publishing, and bumps the Vite, Puppeteer, and eslint-plugin-storybook development dependencies. ChangesRoutine Maintenance Version Bumps
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…-pages-artifact-5.x chore(deps): update actions/upload-pages-artifact action to v5
…rability fix(deps): update dependency vite to v7.3.2 [security]
…-pages-5.x chore(deps): update actions/deploy-pages action to v5
…rtifact-actions chore(deps): update github artifact actions (major)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/deploy-storybook.yml:
- Around line 28-33: The GitHub Actions in the deploy-storybook.yml workflow
file are using mutable version tags (`@v5`) which violates the security policy.
Replace both the actions/upload-pages-artifact@v5 and actions/deploy-pages@v5
references with their respective full commit SHAs to ensure immutable action
versions and reduce supply-chain risk.
In @.github/workflows/real-npm-publish.yml:
- Line 30: Replace all tag-pinned action references with full commit SHA pins in
the workflow file. Specifically, update the `uses: actions/upload-artifact@v7`
entry at line 30 and the similar tag-pinned upload-artifact entries at lines 49
and 79 by replacing the version tags (like `@v7`, `@v8`) with their corresponding
full commit SHA values to comply with the unpinned-actions policy.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3817bbe4-c371-4905-95c0-cedbb46c3484
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (4)
.github/workflows/deploy-storybook.yml.github/workflows/real-npm-publish.ymlpackage.jsonpackages/stencil-library/package.json
| uses: actions/upload-pages-artifact@v5 | ||
| with: | ||
| path: "packages/stencil-library/storybook-static" | ||
|
|
||
| - name: Deploy to GitHub Pages | ||
| uses: actions/deploy-pages@v4 | ||
| uses: actions/deploy-pages@v5 |
There was a problem hiding this comment.
Pin GitHub Actions to immutable commit SHAs instead of mutable tags.
@v5 tags are mutable and violate the repository’s unpinned-actions policy. Pin both actions to full commit SHAs to reduce supply-chain risk.
Suggested change
- - name: Upload Storybook to GitHub Pages
- uses: actions/upload-pages-artifact@v5
+ - name: Upload Storybook to GitHub Pages
+ uses: actions/upload-pages-artifact@<full-length-commit-sha>
with:
path: "packages/stencil-library/storybook-static"
- name: Deploy to GitHub Pages
- uses: actions/deploy-pages@v5
+ uses: actions/deploy-pages@<full-length-commit-sha>
with:
token: ${{ github.token }}🧰 Tools
🪛 zizmor (1.25.2)
[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
[error] 33-33: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/deploy-storybook.yml around lines 28 - 33, The GitHub
Actions in the deploy-storybook.yml workflow file are using mutable version tags
(`@v5`) which violates the security policy. Replace both the
actions/upload-pages-artifact@v5 and actions/deploy-pages@v5 references with
their respective full commit SHAs to ensure immutable action versions and reduce
supply-chain risk.
Source: Linters/SAST tools
| # - run: npx lerna run test | ||
| - name: Upload build artifacts | ||
| uses: actions/upload-artifact@v6 | ||
| uses: actions/upload-artifact@v7 |
There was a problem hiding this comment.
Use SHA-pinned action references for artifact actions.
These uses entries are tag-pinned (@v7, @v8) and fail the unpinned-actions policy. Please pin each to a full commit SHA.
Suggested change
- - name: Upload build artifacts
- uses: actions/upload-artifact@v7
+ - name: Upload build artifacts
+ uses: actions/upload-artifact@<full-length-commit-sha>
- - name: Download build artifacts
- uses: actions/download-artifact@v8
+ - name: Download build artifacts
+ uses: actions/download-artifact@<full-length-commit-sha>
- - name: Download build artifacts
- uses: actions/download-artifact@v8
+ - name: Download build artifacts
+ uses: actions/download-artifact@<full-length-commit-sha>Also applies to: 49-49, 79-79
🧰 Tools
🪛 zizmor (1.25.2)
[error] 30-30: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/real-npm-publish.yml at line 30, Replace all tag-pinned
action references with full commit SHA pins in the workflow file. Specifically,
update the `uses: actions/upload-artifact@v7` entry at line 30 and the similar
tag-pinned upload-artifact entries at lines 49 and 79 by replacing the version
tags (like `@v7`, `@v8`) with their corresponding full commit SHA values to comply
with the unpinned-actions policy.
Source: Linters/SAST tools
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Summary by CodeRabbit