ci: pin GitHub Actions to commit SHAs

[roydahan]

Summary

• Pin all external GitHub Actions to full commit SHAs to reduce supply chain attack surface
• Upgrade outdated actions to their latest versions

This PR was generated automatically. Please verify that GitHub Actions work as expected with these changes before merging.

Reference: scylladb/scylladb#29421

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: fbd41143-b498-4f66-9631-7185624fdca1

📥 Commits

Reviewing files that changed from the base of the PR and between c10258a and 35cc08c.

📒 Files selected for processing (3)

• .github/workflows/dep-lic-scan.yaml
• .github/workflows/snyk-cli-scan.yml
• .github/workflows/tests@v1.yml

📝 Walkthrough

Walkthrough

This pull request pins all GitHub Actions to specific commit SHAs across three CI/CD workflow files, replacing unpinned major-version tags. The changes affect the dependency license scanning workflow, Snyk security scanning workflow, and the main test workflow. Actions updated include checkout (v6.0.3), setup-java (v5.2.0), setup-python (v6.2.0), and upload-artifact (v7.0.1). All job logic, triggers, Maven commands, test configurations, and artifact names remain unchanged.

Suggested reviewers

• dkropachev
• nikagra

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'ci: pin GitHub Actions to commit SHAs' directly and clearly summarizes the main change across all three modified workflow files, which involve pinning GitHub Actions to specific commit references.
Description check	✅ Passed	The description is directly related to the changeset, explaining the purpose of pinning GitHub Actions to commit SHAs for supply chain security and noting that versions were upgraded.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

⚔️ Resolve merge conflicts

• Resolve merge conflict in branch ci/pin-github-actions-to-sha-scylla-4.x

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/tests@v1.yml (1)

83-87: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Artifact name collision across three jobs causes data loss in upload-artifact v7.

The upgrade from upload-artifact@v2 to v7 introduces a breaking change: v7 no longer merges artifacts with the same name. Three jobs upload to the same test-results artifact name:

• Unit tests (line 86)
• Cassandra integration tests (line 155)
• Scylla integration tests (line 208)

With v2, these would merge into a single artifact. With v7, each upload overwrites the previous one, so only the last job's results are preserved and earlier test results are lost.

Each job must use a unique artifact name. For example: test-results-unit, test-results-cassandra-${{ matrix.cassandra-version }}, and test-results-scylla-${{ matrix.scylla-version }}.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/tests@v1.yml around lines 83 - 87, The artifact uploads in
.github/workflows/tests@v1.yml all use the same name "test-results", which with
upload-artifact v7 causes overwrites; update each job's upload step to use a
unique artifact name (replace "test-results" in the Unit tests upload, the
Cassandra integration tests upload, and the Scylla integration tests upload) —
e.g., "test-results-unit" for the unit test job, "test-results-cassandra-${{
matrix.cassandra-version }}" for the Cassandra job, and "test-results-scylla-${{
matrix.scylla-version }}" for the Scylla job so artifacts no longer collide when
using actions/upload-artifact v7.

🧹 Nitpick comments (1)

.github/workflows/dep-lic-scan.yaml (1)

17-17: Update: actions/checkout pin df4cb1c069e1874edd31b4311f1884172cec0e10 matches release v6.0.3, and v6.0.3 is the latest stable version.

• Keep an eye on the static analysis warning: consider setting persist-credentials: false on the checkout step if credentials aren’t needed.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dep-lic-scan.yaml at line 17, The checkout action is
pinned to actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10; to address
the static analysis warning add the persist-credentials: false setting to the
checkout step (under the uses: actions/checkout... step) so credentials are not
persisted when they aren’t needed; modify the checkout step to include a with:
block containing persist-credentials: false (only do this if downstream steps
don’t require the repository credentials).

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/tests@v1.yml:
- Around line 83-87: The artifact uploads in .github/workflows/tests@v1.yml all
use the same name "test-results", which with upload-artifact v7 causes
overwrites; update each job's upload step to use a unique artifact name (replace
"test-results" in the Unit tests upload, the Cassandra integration tests upload,
and the Scylla integration tests upload) — e.g., "test-results-unit" for the
unit test job, "test-results-cassandra-${{ matrix.cassandra-version }}" for the
Cassandra job, and "test-results-scylla-${{ matrix.scylla-version }}" for the
Scylla job so artifacts no longer collide when using actions/upload-artifact v7.

---

Nitpick comments:
In @.github/workflows/dep-lic-scan.yaml:
- Line 17: The checkout action is pinned to
actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10; to address the static
analysis warning add the persist-credentials: false setting to the checkout step
(under the uses: actions/checkout... step) so credentials are not persisted when
they aren’t needed; modify the checkout step to include a with: block containing
persist-credentials: false (only do this if downstream steps don’t require the
repository credentials).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: a0850cb5-2293-46ab-9831-78dfdb4b538a

📥 Commits

Reviewing files that changed from the base of the PR and between 1d65bce and c10258a.

📒 Files selected for processing (3)

• .github/workflows/dep-lic-scan.yaml
• .github/workflows/snyk-cli-scan.yml
• .github/workflows/tests@v1.yml

[roydahan]

@copilot resolve the merge conflicts in this pull request

[Lorak-mmk]

This PR is based on master from 2023(!). Rebase on current version please.

[sylwiaszunejko]

On master this issue is already fixed in #872 and #873