The ComposioHQ org enforces "actions must be pinned to a full-length commit SHA." Five unit-test workflows still referenced actions by tag (@v4, @v3, @v5), so GitHub rejected them at startup:
> The actions actions/checkout@v4, dorny/paths-filter@v3, and codecov/codecov-action@v5 are not allowed in ComposioHQ/hermes because all actions must be pinned to a full-length commit SHA.
They failed in ~6s, before any test ran — part of the CI red that's forcing manual merges.
Pin every tag-referenced action to a commit SHA (version kept as a trailing # vX.Y.Z comment). Where this repo already pins an action elsewhere (pnpm/action-setup, actions/setup-node), those exact vetted SHAs are reused; the rest are resolved from upstream.
| Action | Was | Now |
|---|---|---|
| actions/checkout | @v4 | @34e1148 # v4.3.1 |
| dorny/paths-filter | @v3 | @d1c1ffe # v3.0.3 |
| codecov/codecov-action | @v5 | @75cd116 # v5.5.4 |
| pnpm/action-setup (retool) | @v4 | @b906aff # v4.3.0 |
| actions/setup-node (retool) | @v4 | @49933ea # v4.4.0 |
Pure pins — no major-version bumps, no behavior change.
The two heavyweight unit suites — Apollo test:unit ("Vitest Tests") and Thermos Unit Tests — are not in this PR because they:
- depot-ubuntu-24.04-8 runners, which are currently unavailable (jobs stuck queued), and
- hermes/dev / thermos/dev Doppler secret set into the test process — a separate "no secrets in unit tests" cleanup that needs a verify run.

Minimal. Only uses: values change; YAML structure is untouched. Each suite is path-gated, so it self-validates when its package is touched.
🤖 Generated with Claude Code
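
An added example (not part of the PR or the repository's code): a small Python check that flags `uses:` references not pinned to a 40-character commit SHA, the condition the org policy rejects at workflow startup. The sample workflow and the SHA in it are constructed, and skipping local `./` and `docker://` references is an assumption about the policy's scope.

```python
import re

# A `uses:` key in a step or job, with optional list dash, quotes and trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
SHORT_SHA_RE = re.compile(r"[0-9a-f]{7,39}")


def find_unpinned(workflow_text):
    """Return (line_no, reference, reason) for each `uses:` not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Assumption: local actions and docker images are outside the SHA rule.
        if ref.startswith(("./", "docker://")):
            continue
        _target, sep, version = ref.rpartition("@")
        if not sep:
            findings.append((line_no, ref, "no @ref"))
        elif FULL_SHA_RE.fullmatch(version):
            continue  # pinned to a full-length commit SHA
        elif SHORT_SHA_RE.fullmatch(version):
            findings.append((line_no, ref, "abbreviated SHA"))
        else:
            findings.append((line_no, ref, "tag or branch"))
    return findings


# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@{sha}  # v3.0.3
      - uses: codecov/codecov-action@abc1234
      - uses: ./.github/actions/setup
""".format(sha="0" * 40)

if __name__ == "__main__":
    for line_no, ref, reason in find_unpinned(SAMPLE):
        print(f"line {line_no}: {ref} ({reason})")
```

Run over `.github/workflows/*.yml` in a pre-merge check, this surfaces tag and abbreviated-SHA references before GitHub rejects the workflow.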