Add Tabnine code review workflow for pull requests#5
b53914b to d0ff0f4
```yaml
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Code Review
        uses: codota/tabnine-pr-agent@main
```
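Review bot: checking out `ref: ${{ github.event.pull_request.head.sha }}` is only safe alongside a `pull-requests: write` token if this job runs on the `pull_request` trigger; under `pull_request_target` the same checkout would execute fork-controlled code with the base repository's token. The `on:` block is outside this hunk, so please confirm the trigger in the PR description, and when pinning the action also scope `permissions:` to the minimum the review step needs.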
Tabnine PR Bot
[Warning] Supply Chain Security — Unpinned action reference
codota/tabnine-pr-agent@main pins to a mutable branch rather than an immutable commit SHA. If that repository is ever compromised or has an accidental breaking push to main, the next PR against this repo will run the updated (potentially malicious) code with pull-requests: write permissions — without any review gate.
This is the only unpinned third-party action across all workflows in this repo; everything else already uses tagged versions.
Suggested fix: Pin to a specific commit SHA instead of @main:

```diff
- uses: codota/tabnine-pr-agent@main
+ uses: codota/tabnine-pr-agent@<COMMIT_SHA>
```

You can find the current HEAD SHA with:

```shell
gh api repos/codota/tabnine-pr-agent/commits/main --jq .sha
```

Then update the ref and add a comment with the version it corresponds to, e.g.:

```yaml
uses: codota/tabnine-pr-agent@abc1234 # v1.2.3
```
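An added example, not Tabnine's tooling or this repo's workflow: a small POSIX shell script that finds `uses:` references not pinned to a 40-hex commit SHA (the check behind the comment above) and applies the suggested SHA-plus-version rewrite to one of them. The sample workflow it writes and every SHA value in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not this repo's code): find third-party GitHub Actions that
# are not pinned to a full 40-hex commit SHA, and rewrite one such reference
# the way the review suggests (SHA plus a trailing version comment).

# Writes a constructed sample workflow to $1. The 40-hex value is made up;
# only the codota/tabnine-pr-agent@main line mirrors the PR under review.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: ci
on: pull_request
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - name: Code Review
        uses: codota/tabnine-pr-agent@main
EOF
}

# Prints "<line>:<owner/repo@ref>" for every uses: entry whose ref is not a
# 40-hex SHA. Local (./) and docker:// actions are not third-party git refs
# and are skipped; trailing "# comment" and surrounding quotes are stripped.
list_unpinned_actions() {
  grep -nE '^[[:space:]]*(-[[:space:]]+)?uses:' "$1" |
  while IFS= read -r line; do
    lineno=${line%%:*}
    ref=$(printf '%s\n' "${line#*:}" |
      sed -E "s/^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*//; s/[[:space:]]+#.*\$//; s/^[\"']//; s/[\"']\$//")
    case "$ref" in ./*|docker://*) continue ;; esac
    sha=${ref##*@}
    if [ "$sha" = "$ref" ] || ! printf '%s\n' "$sha" | grep -qE '^[0-9a-f]{40}$'; then
      printf '%s:%s\n' "$lineno" "$ref"
    fi
  done
}

# pin_action FILE "owner/repo@oldref" SHA VERSION: replaces the mutable ref
# with the commit SHA and records the human-readable version in a comment.
pin_action() {
  action=${2%@*}
  sed -i.bak "s|uses:[[:space:]]*$2\$|uses: $action@$3 # $4|" "$1" && rm -f "$1.bak"
}
```

Run `list_unpinned_actions .github/workflows/<file>.yml` across a checkout to reproduce the "only unpinned action" claim for a repo, then `pin_action` with the SHA obtained from `gh api`.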
Tabnine PR Bot
[Low Risk] — CI configuration and context documentation addition.
(Collapsed sections: What This PR Does, Assessment, Key Findings, Cross-Repository Impact, Coaching Guidelines, What Looks Good)
No description provided.