📝 Walkthrough

Replaces legacy adapters/routing/engines with a typed WebAdapter + Route + Engine stack, refactors security and configs, adds payload/task utilities, reshapes exports, introduces a full docs site and CI for docs/tests/coverage, and updates/expands tests across new components.

Changes: core architecture, adapters, routing, engines, security, utilities, and repo updates.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant WebAdapter
    participant Route
    participant Engine
    participant Security
    participant Dispatcher
    Client->>WebAdapter: POST /route
    WebAdapter->>Engine: handle_request(web_request)
    Engine->>Route: match(web_request)
    Route-->>Engine: route_params
    Engine->>Security: verify(target, request, route_params)
    Security-->>Engine: ok or raises
    Engine->>Dispatcher: feed_webhook_update/feed_raw_update
    Dispatcher-->>Engine: result (optional TelegramMethod)
    Engine-->>WebAdapter: json_response or payload_response
```
Estimated code review effort: 🎯 5 (Critical) | ⏱️ ~120 minutes
Actionable comments posted: 17
🧹 Nitpick comments (3)
docs/_assets/style/custom.css (1)
34-39: 💤 Low value: Remove or fix commented CSS block.
The commented CSS block has whitespace formatting violations flagged by Stylelint. Either remove the commented code if it's no longer needed, or fix the whitespace issues if you plan to uncomment it in the future.
♻️ Option 1: Remove commented code
-/*FIX: page construct*/ -/*.g-root_theme_dark .pc-header-block__background,*/ -/*.g-root_theme_dark .pc-header-block__background-media,*/ -/*.g-root_theme_dark .pc-header-block__background .pc-Media {*/ -/* background: `#101827` !important;*/ -/*}*/ - .pc-basic-card,♻️ Option 2: Fix whitespace if keeping
-/*FIX: page construct*/ -/*.g-root_theme_dark .pc-header-block__background,*/ -/*.g-root_theme_dark .pc-header-block__background-media,*/ -/*.g-root_theme_dark .pc-header-block__background .pc-Media {*/ -/* background: `#101827` !important;*/ -/*}*/ +/* FIX: page construct */ +/* .g-root_theme_dark .pc-header-block__background, */ +/* .g-root_theme_dark .pc-header-block__background-media, */ +/* .g-root_theme_dark .pc-header-block__background .pc-Media { */ +/* background: `#101827` !important; */ +/* } */🤖 Prompt for AI Agents
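Review bot: Option 2 keeps the colour value written as `` `#101827` `` with backticks, which is not valid CSS if the rule is ever uncommented; either drop the backticks (`background: #101827 !important;`) when restoring it, or prefer Option 1 and delete the block outright, since keeping dead commented rules only to satisfy Stylelint adds maintenance for no benefit.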
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/_assets/style/custom.css` around lines 34 - 39, The commented CSS block containing selectors .g-root_theme_dark .pc-header-block__background, .g-root_theme_dark .pc-header-block__background-media, and .g-root_theme_dark .pc-header-block__background .pc-Media is causing Stylelint whitespace violations; either delete the entire commented block if it's unused, or restore/clean it by uncommenting and fixing whitespace/indentation to match project style (no trailing spaces, consistent indentation, proper spacing around braces and commas) so the rules validate cleanly in docs/_assets/style/custom.css.

package.json (1)
8-8: ⚡ Quick win: Consider adding a package-lock.json or equivalent.

The project uses npm scripts and dependencies but doesn't reference a lockfile. Without package-lock.json, dependency versions may vary across environments, potentially breaking the docs build. Generate and commit a lockfile after installing dependencies:

```shell
npm install          # generates package-lock.json
git add package-lock.json
```

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@package.json` at line 8, The repository lacks a dependency lockfile which can cause inconsistent installs; run npm install to generate package-lock.json, add the lockfile to version control and commit it so the build script ("build" in package.json) and other npm-driven tasks use deterministic dependency versions; ensure you run npm ci locally/CI afterwards to verify the docs build still succeeds and include package-lock.json in the commit.

.github/workflows/tests.yml (1)
25-47: ⚡ Quick win: Consider pinning GitHub Actions to commit SHAs for supply-chain security.

The workflow uses tag-based action references (`actions/checkout@v6`, `astral-sh/setup-uv@v8.1.0`, `codecov/codecov-action@v5`), which can change if tags are moved or deleted. For stronger supply-chain guarantees, consider pinning to full commit SHAs with a comment containing the version tag for readability. Additionally, the `actions/checkout` step does not set `persist-credentials: false`, which could allow credentials to persist in subsequent steps or artifacts.

🔒 Example of SHA-pinned actions with persist-credentials
- - uses: actions/checkout@v6 + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v6.0.0 + with: + persist-credentials: false - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@67765507163a38a7085f3eb5083d8aeef9c350cf # v8.1.0 - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725023e5ab321a4e7 # v5.1.2You can find commit SHAs on each action's GitHub releases page.
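Review bot: The commit SHAs in this hunk are unverified and must be checked against each action's release page before they are committed; the codecov line is also annotated `# v5.1.2` while the original reference was the floating major tag `@v5`, so pick the exact release deliberately and keep the trailing tag comment in sync whenever the SHA is bumped, otherwise the comment becomes misleading.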
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/tests.yml around lines 25 - 47, Update the GitHub Actions workflow to pin third-party actions to their full commit SHAs instead of tag references (replace actions/checkout@v6, astral-sh/setup-uv@v8.1.0, codecov/codecov-action@v5 with their corresponding commit SHAs and add a trailing comment with the original tag for readability), and modify the actions/checkout step to include persist-credentials: false to prevent credentials from persisting to later steps or artifacts.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/docs.yml:
- Around line 73-90: The deploy job named "deploy" in .github/workflows/docs.yml
is currently running for pull_request events because the if guard is commented
out; re-enable a conditional to only run on non-PR triggers by restoring or
adding an if: github.event_name == 'push' || github.event_name ==
'workflow_dispatch' (or equivalent negative PR check) on the deploy job so
deployment only runs for push or manual workflow_dispatch events and not for
pull_request events.
- Around line 39-42: Update the GitHub Actions checkout step that uses
actions/checkout@v4 to disable persisting repository credentials by adding
persist-credentials: false to the step (alongside the existing fetch-depth: 0);
keep this change only if no later job needs to push with the checkout token,
otherwise leave as-is.
- Around line 24-27: The workflow-level permissions currently grant pages: write
and id-token: write too broadly; remove those from the top-level permissions
block (leave contents: read) and add a narrower permissions block to the
specific deploy job (e.g., the job named "deploy" or whatever job runs the
deployment) with pages: write and id-token: write so only that job gets elevated
rights; update the deploy job's permissions entry to include pages: write and
id-token: write and leave other jobs using the default or the workflow-level
contents: read.
- Line 40: Update each `uses:` entry that currently references a tag (e.g.,
`actions/checkout@v4`, `actions/setup-node@v4`, `actions/configure-pages@v5`,
`actions/upload-pages-artifact@v3`, `actions/deploy-pages@v4`) to use the
corresponding full 40-character commit SHA instead of the tag, and add a
trailing comment preserving the human-readable tag (e.g., `#
actions/checkout@v4`) for maintainability; ensure you replace all occurrences in
the workflow and verify the SHA values match the respective GitHub Actions
repository commits.
In @.github/workflows/release.yml:
- Line 1: The file whose workflow name is "Release & Publish" contains CRLF line
endings; convert its line endings to LF (Unix-style) so YAML lint passes. Open
the file with the "name: Release & Publish" declaration, change the file
encoding/line endings to LF (e.g., via editor setting, dos2unix, or git config
core.autocrlf=false + re-save), and commit the normalized file so CI YAML lint
no longer reports CRLF.
- Around line 17-21: The checkout step "🛎️ Checkout repository" using
actions/checkout@v6 leaves credentials in git config; update that step (the step
with name "🛎️ Checkout repository" and uses: actions/checkout@v6) to set
persist-credentials: false in its with: block so the runner does not retain the
authenticated token after checkout.
- Line 18: The workflow uses floating tags like actions/checkout@v6 and several
action refs (python-semantic-release/python-semantic-release@v10.5.3,
astral-sh/setup-uv@v8.1.0, python-semantic-release/publish-action@v10.5.3);
replace each `uses:` reference in .github/workflows/release.yml with the
corresponding commit SHA for that exact release (find the SHA on the action's
GitHub releases or with git ls-remote) so the workflow is pinned to an immutable
commit, update all occurrences (e.g., the lines referencing actions/checkout,
python-semantic-release, astral-sh/setup-uv,
python-semantic-release/publish-action), and verify the workflow still runs
before merging.
In `@CONTRIBUTING.md`:
- Around line 47-53: Update the fenced code block that shows the directory tree
in CONTRIBUTING.md to include a language specifier (e.g., change the opening
triple backticks to "```plaintext") so the block renders correctly and improves
accessibility; locate the block containing "src/aiogram_webhook/" and its child
lines and modify only the opening fence to include the specifier.
In `@docs/.yfm`:
- Line 44: Update the github-url-prefix value in docs/.yfm: replace the template
URL string "https://github.com/diplodoc-platform/docs/blob/master" with the
correct repository URL "https://github.com/m-xim/aiogram-webhook/blob/master" so
all generated links point to this repo; locate the key named github-url-prefix
in the file and overwrite its value accordingly.
- Line 46: The logo's url field in docs/.yfm currently points to an external
placeholder (https://google.com); update the url under the logo configuration to
the correct project homepage, documentation index, or repository URL (replace
the value of the url key in docs/.yfm) so the logo links to your actual project
destination rather than an external placeholder.
- Line 61: The vcsControl.url currently hardcodes the branch to "main" which
breaks edit links for this PR's target branch; update the value of
vcsControl.url (the string
'https://github.com/m-xim/aiogram-webhook/edit/main/docs/{path}') so it does not
hardcode "main"—replace "main" with the correct branch variable (e.g.,
'{branch}' or 'develop' depending on your env) or derive it dynamically; ensure
the symbol vcsControl.url and the placeholder {path} remain intact and that the
chosen branch placeholder will be substituted at runtime or by your doc
generator.
In `@docs/extensions/feedback-control/index.js`:
- Line 44: Update the warning message passed to run.logger.warn in the extension
copy failure path: change the text from "Unable copy the feedback-control
extension script ${extensionFilePath}." to "Unable to copy the feedback-control
extension script ${extensionFilePath}." while keeping the error object argument;
the affected call is the run.logger.warn(...) that references extensionFilePath.
- Line 14: The assertion (0, node_assert_1.ok)(config.feedbackControl.endpoint
!== '', 'feedbackControl.endpoint must be not empty') can throw when
config.feedbackControl.endpoint is undefined; update the validation to first
verify the property exists (e.g., check config.feedbackControl.endpoint != null
or typeof config.feedbackControl.endpoint !== 'undefined') before asserting it's
not an empty string, and then keep the original assertion on the non-empty
condition so code referencing config.feedbackControl.endpoint is safe.
In `@docs/extensions/feedback-control/resources/feedback-control-extension.js`:
- Around line 29-32: getLocalState currently calls JSON.parse on data from
window.localStorage without guarding against malformed JSON; wrap the parse in a
try-catch inside getLocalState (referencing getLocalState, storageKey and
window.localStorage.getItem) so parsing errors are caught, return null (or a
safe default) when parse fails, optionally remove the invalid storage entry or
log the error for debugging, and ensure the function never throws due to bad
JSON.
In `@docs/extensions/vcs-control/index.js`:
- Line 17: The assertion for config.vcsControl.url currently only checks type
but the message says "must be not empty"; update the check in the same statement
to ensure a non-empty string (e.g., assert ok(typeof config.vcsControl.url ===
"string" && config.vcsControl.url.trim().length > 0, 'vcsControl.url must be not
empty')) or, if you prefer the simpler change, update the message to
'vcsControl.url must be a string' to match the existing typeof check; locate the
assertion using node_assert_1.ok and the config.vcsControl.url symbol to apply
the change.
In `@package.json`:
- Line 19: The package.json dependency for "`@diplodoc/cli`" currently points to
the mutable GitHub branch string "github:m-xim/diplodoc-cli#all"; update this
entry to pin to a specific commit SHA (e.g.
"github:m-xim/diplodoc-cli#<commit-sha>") or replace it with a stable npm
version if available to ensure reproducible builds and remove the mutable branch
reference.
- Line 14: Replace the non-portable SSH host in package.json by updating the
"url" value that currently reads "git@github.com-m:m-xim/aiogram-webhook.git" to
use the standard GitHub SSH host format so other contributors/tools without an
SSH alias can clone (i.e., change the host from "github.com-m" to "github.com"
in the "url" field).
---
⛔ Files ignored due to path filters (15)
- docs/_assets/brand/banner.png is excluded by `!**/*.png`
- docs/_assets/brand/favicon.ico is excluded by `!**/*.ico`
- docs/_assets/brand/logo-dark.png is excluded by `!**/*.png`
- docs/_assets/brand/logo-light.png is excluded by `!**/*.png`
- docs/_assets/icons/adapter.svg is excluded by `!**/*.svg`
- docs/_assets/icons/combine.svg is excluded by `!**/*.svg`
- docs/_assets/icons/engine.svg is excluded by `!**/*.svg`
- docs/_assets/icons/github-dark.svg is excluded by `!**/*.svg`
- docs/_assets/icons/github-light.svg is excluded by `!**/*.svg`
- docs/_assets/icons/lifecycle.svg is excluded by `!**/*.svg`
- docs/_assets/icons/pypi.svg is excluded by `!**/*.svg`
- docs/_assets/icons/route.svg is excluded by `!**/*.svg`
- docs/_assets/icons/security.svg is excluded by `!**/*.svg`
- docs/_assets/icons/webhook.svg is excluded by `!**/*.svg`
- package-lock.json is excluded by `!**/package-lock.json`
📒 Files selected for processing (49)
.github/workflows/docs.yml, .github/workflows/release.yml, .github/workflows/tests.yml, .gitignore, CONTRIBUTING.md, README.md, docs/.yfm, docs/404.yaml, docs/_assets/script/fix_code_blocks.js, docs/_assets/style/custom.css, docs/_includes/register-vs-set-webhook.md, docs/_includes/request-flow.md, docs/_includes/security-warning.md, docs/extensions/breadcrumbs/index.js, docs/extensions/feedback-control/index.js, docs/extensions/feedback-control/resources/feedback-control-extension.js, docs/extensions/vcs-control/index.js, docs/index.yaml, docs/pages/behavior/overview.md, docs/pages/behavior/webhook-replies.md, docs/pages/engines/custom-engine.md, docs/pages/engines/overview.md, docs/pages/engines/single-bot-engine.md, docs/pages/engines/token-engine.md, docs/pages/extending/overview.md, docs/pages/learn/first-webhook.md, docs/pages/learn/overview.md, docs/pages/learn/quick-start.md, docs/pages/other/api.md, docs/pages/other/errors.md, docs/pages/other/webhook-config.md, docs/pages/recipes/multi-bot.md, docs/pages/recipes/single-bot.md, docs/pages/route/overview.md, docs/pages/route/path-parameters.md, docs/pages/route/query-parameters.md, docs/pages/security/custom-checks.md, docs/pages/security/custom-secret-token.md, docs/pages/security/ip-check.md, docs/pages/security/overview.md, docs/pages/security/secret-token.md, docs/pages/web/aiohttp.md, docs/pages/web/custom.md, docs/pages/web/fastapi.md, docs/pages/web/overview.md, docs/theme.yaml, docs/toc.yaml, package.json, pyproject.toml
✅ Files skipped from review due to trivial changes (30)
- docs/_assets/script/fix_code_blocks.js
- docs/_includes/register-vs-set-webhook.md
- docs/pages/security/overview.md
- docs/theme.yaml
- docs/_includes/security-warning.md
- docs/pages/web/fastapi.md
- docs/pages/engines/overview.md
- docs/pages/other/api.md
- docs/pages/route/path-parameters.md
- docs/pages/security/secret-token.md
- docs/pages/security/ip-check.md
- docs/pages/behavior/webhook-replies.md
- docs/pages/extending/overview.md
- docs/pages/security/custom-checks.md
- docs/pages/route/overview.md
- docs/pages/security/custom-secret-token.md
- docs/pages/web/overview.md
- docs/pages/learn/overview.md
- docs/pages/other/webhook-config.md
- docs/pages/web/aiohttp.md
- docs/pages/behavior/overview.md
- docs/pages/engines/token-engine.md
- docs/_includes/request-flow.md
- docs/pages/engines/custom-engine.md
- docs/toc.yaml
- docs/pages/learn/first-webhook.md
- docs/pages/web/custom.md
- .gitignore
- README.md
- docs/pages/learn/quick-start.md
🚧 Files skipped from review as they are similar to previous changes (1)
- pyproject.toml
```yaml
permissions:
  contents: read
  pages: write
  id-token: write
```
Reduce workflow-level token scope to least privilege.
pages: write and id-token: write at workflow scope are broader than necessary; only deploy needs them.
Suggested fix
permissions:
contents: read
- pages: write
- id-token: write🧰 Tools
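Review bot: The suggested fix is incomplete: it removes `pages: write` and `id-token: write` at the workflow level but does not add them back on the `deploy` job, so applied as-is it would leave `actions/deploy-pages@v4` (line 90) without the scopes it needs. Add a job-level block to `deploy`:
permissions:
  pages: write
  id-token: write
and leave `contents: read` at the top level.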
🪛 zizmor (1.25.2)
[error] 26-26: overly broad permissions (excessive-permissions): pages: write is overly broad at the workflow level
(excessive-permissions)
[error] 27-27: overly broad permissions (excessive-permissions): id-token: write is overly broad at the workflow level
(excessive-permissions)
Source: Linters/SAST tools
```yaml
- name: Checkout repository
  uses: actions/checkout@v4
  with:
    fetch-depth: 0
```
Disable persisted checkout credentials in the build job.
Use persist-credentials: false unless a later step must push with the checkout token.
Suggested fix
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
+ persist-credentials: false🧰 Tools
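Review bot: This hunk addresses the artipacked finding only; the zizmor `unpinned-uses` error on the same step (line 40, `actions/checkout@v4`) is left as is, so pin the action to a commit SHA in the same change rather than revisiting this step later. Keep `fetch-depth: 0` as shown; it is unrelated to credential persistence.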
🪛 zizmor (1.25.2)
[warning] 39-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
```yaml
steps:
  - name: Checkout repository
    uses: actions/checkout@v4
```
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/docs.yml"
echo "== File: $FILE =="
[ -f "$FILE" ] || { echo "Missing $FILE"; exit 1; }
# Print the workflow with line numbers so findings can cite them.
nl -ba "$FILE" | sed -n '1,140p'
echo
echo "== Extract all uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== Check for SHA-pinned format (actions/*@<40-hex>) =="
python3 - <<'PY'
import re, pathlib
p = pathlib.Path(".github/workflows/docs.yml")
txt = p.read_text()
uses = []
# Collect every "uses:" reference (key, ref) pair; "#" starts a trailing comment.
for m in re.finditer(r'(?m)^\s*uses:\s*([^\s#]+)', txt):
    uses.append((m.group(0).split(':', 1)[0].strip(), m.group(1)))
# An immutable pin is "owner/repo@<40 lowercase hex chars>".
pat = re.compile(r'@([0-9a-f]{40})$')
for full, ref in uses:
    if '@' in ref and pat.search(ref):
        print("SHA pinned:", ref)
    else:
        print("NOT SHA pinned:", ref)
PY
```

Repository: m-xim/aiogram-webhook

Length of output: 165
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/docs.yml"
echo "== File exists? $FILE =="
[ -f "$FILE" ] && echo "YES" || { echo "NO"; exit 1; }
echo
echo "== Show lines 1-140 (numbered) =="
cat -n "$FILE" | sed -n '1,140p'
echo
echo "== uses: entries =="
rg -n "^[[:space:]]*uses:[[:space:]]*" "$FILE" || true
echo
echo "== SHA-pinning check for actions/*@<40-hex> =="
python3 - <<'PY'
import re, pathlib
p = pathlib.Path(".github/workflows/docs.yml")
txt = p.read_text()
uses = []
# Collect every "uses:" reference; "#" starts a trailing comment.
for m in re.finditer(r'(?m)^\s*uses:\s*([^\s#]+)', txt):
    uses.append(m.group(1).strip())
# An immutable pin ends in a 40-character lowercase hex commit SHA.
sha_pat = re.compile(r'@([0-9a-f]{40})$')
for ref in uses:
    m = sha_pat.search(ref)
    if m:
        print(f"SHA pinned: {ref}")
    else:
        print(f"NOT SHA pinned: {ref}")
PY
echo
# Show the exact lines that the finding references.
echo "== Show referenced lines (40,45,53,69,90) =="
for L in 40 45 53 69 90; do
  echo "--- $L ---"
  sed -n "${L}p" "$FILE" | cat -n
done
```

Repository: m-xim/aiogram-webhook

Length of output: 3577
Pin GitHub Actions by commit SHA in .github/workflows/docs.yml.
uses: entries are version-tagged (not immutable refs): actions/checkout@v4 (40), actions/setup-node@v4 (45), actions/configure-pages@v5 (53), actions/upload-pages-artifact@v3 (69), actions/deploy-pages@v4 (90). Pin each to a full 40-hex commit SHA and keep a comment with the human-readable version/tag for maintenance.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 40-40: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools