Follow the GitHub Actions best practices

[5ouma]

⚠️ Issue

close #

✏️ Description

Keep the GitHub Actions clean and secure.

• I agree to follow the Code of Conduct.

[Copilot]

Pull Request Overview

This PR updates multiple GitHub Actions workflows to follow best practices for security and reliability. The changes focus on adding explicit timeouts to jobs, updating checkout options to disable unnecessary credential persistence, and pinning action versions to fixed commits.

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/workflows/update-lock.yml	Added a timeout, updated checkout credentials, and pinned the lock update action version.
.github/workflows/release.yml	Introduced timeouts and updated checkout credentials for release and JSR publish jobs.
.github/workflows/pre-commit.yml	Added a timeout and pinned the pre-commit action version.
.github/workflows/labeler.yml	Added a timeout to the labeler job.
.github/workflows/ci.yml	Added timeouts, updated checkout credentials, and pinned setup action versions across multiple jobs.

Files not reviewed (1)

• .github/renovate.json: Language not supported

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (82b9453) to head (58fc700).
Report is 1 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff            @@
##              main      #214   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            6         6           
  Lines           97        97           
  Branches         6         6           
=========================================
  Hits            97        97           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Walkthrough

This update modifies several GitHub configuration and workflow files to introduce explicit version pinning for external actions and presets, and to enforce stricter job execution timeouts. The Renovate configuration is updated to reference a fixed version of its presets. Multiple workflow files now specify maximum job runtimes and pin action versions using commit hashes or version tags, rather than tracking moving branches. Additionally, the actions/checkout step is updated to prevent credential persistence across several workflows. No changes were made to exported or public entities in the codebase.

Changes

Files/Paths	Change Summary
.github/renovate.json	Updated to pin extended presets to version v0.1.1 instead of using default/latest references.
.github/workflows/ci.yml	Added timeout-minutes: 1 to all jobs, set persist-credentials: false in checkout steps, and pinned actions to commit hash 3d7fe8d0af9597d68e95f581c032b77813c024af (v0.1.1).
.github/workflows/labeler.yml	Added timeout-minutes: 1 to the label job.
.github/workflows/pre-commit.yml	Added timeout-minutes: 3 to the job and pinned pre-commit action to commit hash 3d7fe8d0af9597d68e95f581c032b77813c024af (v0.1.1).
.github/workflows/release.yml	Added timeout-minutes: 1 to tagpr and publish jobs; set persist-credentials: false in checkout steps.
.github/workflows/update-lock.yml	Added timeout-minutes: 3 to the job, set persist-credentials: false in checkout, and pinned lock update action to commit hash 3d7fe8d0af9597d68e95f581c032b77813c024af (v0.1.1).

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 82b9453 and 58fc700.

📒 Files selected for processing (6)

• .github/renovate.json (1 hunks)
• .github/workflows/ci.yml (3 hunks)
• .github/workflows/labeler.yml (1 hunks)
• .github/workflows/pre-commit.yml (1 hunks)
• .github/workflows/release.yml (2 hunks)
• .github/workflows/update-lock.yml (1 hunks)

🔇 Additional comments (26)

.github/workflows/labeler.yml (1)

13-13: Validate timeout for label job
Adding timeout-minutes: 1 prevents hanging runs, but please confirm this duration is sufficient for the label action in typical scenarios.

.github/workflows/release.yml (4)

18-18: Validate timeout for tagpr job
Applying timeout-minutes: 1 ensures the tagging step won’t hang indefinitely, but verify that the version tagging completes reliably within this limit under normal conditions.

---

25-26: Disable credential persistence for checkout in tagpr
Adding persist-credentials: false reduces the risk of leaking the default token to subsequent steps — aligns with security best practices.

---

44-44: Validate timeout for publish job
By setting timeout-minutes: 1 on the publish job, we limit its execution. Please confirm that the publish process (JSR publish) completes reliably within one minute.

---

49-50: Disable credential persistence for checkout in publish
Setting persist-credentials: false on the checkout step enhances security by preventing token reuse.

.github/renovate.json (1)

3-3: Pin Renovate presets to specific tag
Locking extends to #v0.1.1 prevents unexpected updates from downstream changes — good for stability. Please verify that tag v0.1.1 exists in 5ouma/utils and update if necessary.

.github/workflows/pre-commit.yml (2)

15-15: Validate timeout for pre-commit job
A 3‑minute timeout helps avoid long‑running checks, but confirm that the full pre-commit suite reliably finishes within this window.

---

19-19: Pin pre-commit action to commit hash
Using 5ouma/utils/pre-commit@3d7fe8d0af9597d68e95f581c032b77813c024af (v0.1.1) ensures reproducible runs, aligning with best practices.

.github/workflows/ci.yml (15)

24-24: Validate timeout for lint-check
Setting timeout-minutes: 1 helps detect hung jobs quickly. Confirm that linting completes within one minute for your codebase.

---

31-31: Disable credential persistence for lint-check checkout
Adding persist-credentials: false on the checkout step enforces least privilege and is a recommended best practice.

---

34-34: Pin setup-deno-with-cache action to commit hash
Locking 5ouma/utils/setup-deno-with-cache to 3d7fe8d0af9597d68e95f581c032b77813c024af (v0.1.1) ensures reproducible builds.

---

46-46: Validate timeout for format-check
The timeout-minutes: 1 guard is good to prevent hanging format checks. Please verify that formatting runs finish under this time.

---

50-50: Disable credential persistence for format-check checkout
Using persist-credentials: false here minimizes credential exposure and aligns with security best practices.

---

55-55: Pin setup-deno-with-cache for format-check
Pinning to the same commit hash maintains consistency and reproducibility across jobs.

---

62-62: Validate timeout for type-check
Applying timeout-minutes: 1 is helpful, but double-check if full type checking (with docs) consistently completes within a minute.

---

69-69: Disable credential persistence for type-check checkout
Preventing credential persistence ensures that no unintended Git operations leak tokens.

---

72-72: Pin setup-deno-with-cache for type-check
Consistent version pinning improves stability; locking to v0.1.1 is good.

---

80-80: Validate timeout for test job
Running tests under a 1‑minute timeout may be tight depending on test suite size. Please ensure tests reliably pass within this period.

---

87-87: Disable credential persistence for test checkout
Setting persist-credentials: false reduces token exposure scope — excellent practice.

---

90-90: Pin setup-deno-with-cache for test
Locking the Deno setup action to a specific commit hash guarantees consistent environment across runs.

---

109-109: Validate timeout for dry-run-publish job
Imposing a 1‑minute limit for dry‑run publishing is prudent, but verify that the dry‑run completes within this slot.

---

115-115: Disable credential persistence for dry-run-publish checkout
Disabling credential persistence on checkout enhances security by adhering to the principle of least privilege.

---

119-119: Pin setup-deno-with-cache for dry-run-publish
Consistent version pinning keeps the environment stable; v0.1.1 is correctly referenced.

.github/workflows/update-lock.yml (3)

17-17: Enforce a strict job timeout
Adding timeout-minutes: 3 prevents runaway executions and aligns this workflow with GitHub Actions best practices for resource control.

---

24-25: Disable credential persistence for security
Setting persist-credentials: false is a solid improvement. Please verify that downstream steps (in particular the lock‐file updater action) still receive the correct authentication context to push or commit changes.

---

29-29: Pin lock‐file updater action to a specific commit
Locking 5ouma/utils/update-deno-lock-file to 3d7fe8d0af9597d68e95f581c032b77813c024af (v0.1.1) ensures reproducibility and guards against unexpected upstream changes.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.