Pin GitHub Actions #331

Open
gjtorikian wants to merge 2 commits into main from chore/pin-github-actions

Conversation


@gjtorikian gjtorikian commented Feb 26, 2026

Summary

Pin all third-party GitHub Actions to immutable commit SHAs.

Why

Action tags (like v3, v4, main) can be moved or retagged, which means a future workflow run could execute different code than what we reviewed today. Pinning to SHAs makes the workflow supply chain deterministic and auditable, reducing the risk of action-level compromise or accidental breaking changes. We can still update intentionally by bumping the SHA.
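As an added check (not code from this PR or the repository), the following script applies the rule the description argues for: it classifies each `uses:` reference in a workflow file as pinned to a full commit SHA, pinned but missing the version comment, or mutable (tag, branch, or abbreviated SHA), and lists the references a reviewer would send back. The workflow text and the all-zero SHAs are constructed placeholders.

```python
import re

# Matches a workflow step reference "uses: owner/repo[/path]@ref" with an
# optional trailing "# vX.Y.Z" comment naming the version the SHA corresponds to.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def check_workflow(text):
    """Classify every `uses:` line in a workflow file.

    Returns (line_no, reference, status) tuples, where status is:
      'pinned'         full 40-hex commit SHA plus a version comment
      'pinned-no-note' full SHA but no "# vX.Y.Z" comment to aid review
      'mutable'        tag or branch (v4, main, ...) or abbreviated SHA; can move
      'local'          ./path or docker:// reference, not a third-party action
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1).strip('\'"'), m.group(2)
        if ref.startswith('./') or ref.startswith('docker://'):
            findings.append((line_no, ref, 'local'))
        elif '@' in ref and FULL_SHA_RE.match(ref.rsplit('@', 1)[1]):
            findings.append((line_no, ref, 'pinned' if comment else 'pinned-no-note'))
        else:
            findings.append((line_no, ref, 'mutable'))
    return findings

def unpinned(text):
    """References a reviewer would reject: anything not pinned to a full SHA."""
    return [(n, ref) for n, ref, status in check_workflow(text) if status == 'mutable']

# Constructed sample workflow; the 40-zero SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@0000000000000000000000000000000000000000 # v4.2.0
      - uses: softprops/action-gh-release@main
      - uses: actions/create-github-app-token@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
"""

if __name__ == '__main__':
    for line_no, ref, status in check_workflow(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {status:15} {ref}')
```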

kkoch986 and others added 2 commits February 16, 2026 12:16
according to the docs, this should be a post to
/user_management/sessions/revoke but it was adding the session id
to the url instead which caused a 404 and for the session to not be
revoked.
@gjtorikian gjtorikian requested a review from a team as a code owner February 26, 2026 19:38

greptile-apps bot commented Feb 26, 2026

Greptile Summary

This PR successfully pins third-party GitHub Actions to immutable commit SHAs across all workflow files, improving supply chain security. However, the PR contains unrelated changes that should be separated:

  • GitHub Actions pinning (3 workflow files): All pins are correct with proper version comments
  • Claude documentation (~2,500 lines): New .claude/ directory with SDK generation docs - unrelated to Actions pinning
  • Bug fix commit (separate author): Fixes revokeSession API endpoint to use POST body instead of URL path - unrelated to Actions pinning

Recommendations:

  • The Actions pinning changes are safe and ready to merge
  • Consider splitting the Claude documentation and bug fix into separate PRs for cleaner git history and easier review
  • The revokeSession fix correctly changes from path parameter to request body, matching API documentation

Confidence Score: 4/5

  • Safe to merge - all code changes are correct, but PR contains unrelated changes
  • Score reflects that while all technical changes are sound (SHA pinning is correct, bug fix properly addresses API format issue), the PR mixes three unrelated concerns that should be separate PRs, making review and git history less clear
  • No files require special attention - all changes are straightforward

Important Files Changed

Filename | Overview
.github/workflows/ci.yml | Properly pins actions/checkout and actions/cache to commit SHAs with version comments
.github/workflows/release.yml | Properly pins actions/create-github-app-token, actions/checkout, and softprops/action-gh-release to SHAs
.github/workflows/version-bump.yml | Properly pins actions/create-github-app-token, actions/checkout, and peter-evans/create-pull-request to SHAs
lib/UserManagement.php | Fixes revokeSession API call to use correct endpoint format with session_id in request body
tests/WorkOS/UserManagementTest.php | Updates test to match corrected revokeSession API call format

Last reviewed commit: 2115ffc

@greptile-apps greptile-apps bot left a comment

11 files reviewed, no comments
