chore: SHA-pin pre-commit hook revisions#10
Pin pre-commit-hooks and detect-secrets to full commit SHAs instead of mutable version tags.
- Un-gitignore Cargo.lock to pin transitive dependency versions. icu_* crates v2.2.0 require Rust 1.86, breaking the MSRV 1.85 CI job when Cargo resolves fresh dependencies.
- Add .secrets.baseline required by detect-secrets pre-commit hook (added in prior commit but baseline file was missing).
Actionable comments posted: 1
🧹 Nitpick comments (1)
.secrets.baseline (1)
133-149: Consider adding inline pragma comments as an alternative.
While the baseline file approach is valid, you might also consider adding `# pragma: allowlist secret` comments directly on lines 62 and 86 of `encryption_tests.rs`. This would:
- Make the allowlisting more explicit in the source code
- Eliminate the need for baseline entries for these specific test fixtures
- Make it clearer to future maintainers that these are intentional test values
Example:
`api_key: "sk-live-abc123".to_owned(), // pragma: allowlist secret`
However, the current baseline approach is equally valid and may be preferred if you want to keep test code free of security-scanning annotations.
| # General file checks | ||
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||
| rev: v5.0.0 | ||
| rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b # v5.0.0 # pragma: allowlist secret |
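Review bot: the `# pragma: allowlist secret` appended to the `rev:` line silences detect-secrets for that line, but nothing in this hunk verifies that cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b is really what `v5.0.0` resolves to; the `# v5.0.0` comment is the only record of that claim, so confirm it once with `git ls-remote --tags https://github.com/pre-commit/pre-commit-hooks` (for an annotated tag compare the peeled `v5.0.0^{}` entry, not the tag object) and keep the comment accurate on every bump. For future bumps prefer `pre-commit autoupdate --freeze`: plain `autoupdate` would replace the SHA with a tag again, while `--freeze` keeps a commit SHA and records the tag as `# frozen: v5.0.0`.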
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Description: Verify that the commit SHAs in .pre-commit-config.yaml correspond to the claimed version tags.
# An annotated tag's ref points at a tag object, not a commit, so it is peeled before comparing.
resolve_tag() {
  ref=$(curl -s "https://api.github.com/repos/$1/git/refs/tags/$2")
  sha=$(echo "$ref" | jq -r '.object.sha')
  [ "$(echo "$ref" | jq -r '.object.type')" = "tag" ] &&
    sha=$(curl -s "https://api.github.com/repos/$1/git/tags/$sha" | jq -r '.object.sha')
  printf '%s' "$sha"
}
echo "Checking pre-commit-hooks SHA..."
resolve_tag pre-commit/pre-commit-hooks v5.0.0
echo " (expected: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b)"
echo -e "\n\nChecking detect-secrets SHA..."
resolve_tag Yelp/detect-secrets v1.5.0
echo " (expected: 01886c8a910c64595c47f186ca1ffc0b77fa5458)"
```
Repository: cachekit-io/cachekit-rs
Length of output: 320
Fix the detect-secrets SHA: it does not correspond to v1.5.0.
The pre-commit-hooks SHA (line 33) is correct for v5.0.0. However, the detect-secrets SHA on line 45 is incorrect: the config specifies 01886c8a910c64595c47f186ca1ffc0b77fa5458, but the actual v1.5.0 tag in the Yelp/detect-secrets repository points to 68e8b45440415753fff70a312ece8da92ba85b4a. Update the SHA to match the claimed version or correct the version comment.
Add `// pragma: allowlist secret` to test fixture values in encryption_tests.rs instead of relying on .secrets.baseline entries. Inline pragmas travel with the code — baseline entries go stale when lines shift.
Summary
- Pin `rev:` values to full commit SHAs instead of mutable version tags
- Add `pragma: allowlist secret` to prevent detect-secrets false positives on SHA strings
Why
Mutable tags are a supply chain attack vector — anyone with write access to the hook repo can move a tag to point at malicious code. SHA pins are immutable.
Test plan
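A check for the pinning policy described above, added here as an example (not cachekit-rs or pre-commit code): it flags `rev:` values that are still mutable tags and SHA pins with no version comment, and shows how a GitHub tag ref must be peeled to the commit it tags before it is compared with a pin, since for an annotated tag the bare `refs/tags` lookup returns a tag object rather than the commit. The config text and API responses are constructed.

```python
# Added example (not cachekit-rs or pre-commit code). Checks that every hook in a
# .pre-commit-config.yaml is pinned to an immutable 40-hex commit SHA, and peels a
# GitHub tag ref to the commit it points at so a pin can be verified against a tag.
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
# rev value (optionally quoted), then an optional '# vX.Y.Z' comment naming the claimed tag
REV_RE = re.compile(r"^\s*rev:\s*['\"]?([^\s'\"]+)['\"]?\s*(?:#\s*(v?\d+\.\d+\.\d+))?")


def check_config(text: str) -> list[tuple[str, str, str]]:
    """Return (repo, rev, problem) for every hook that is not safely pinned."""
    findings, repo = [], None
    for line in text.splitlines():
        if m := REPO_RE.match(line):
            repo = m.group(1)
            continue
        if repo is None or not (m := REV_RE.match(line)):
            continue
        rev, claimed = m.group(1), m.group(2)
        if not SHA_RE.match(rev):
            findings.append((repo, rev, "mutable ref; pin to a full commit SHA"))
        elif claimed is None:
            findings.append((repo, rev, "SHA pin has no '# vX.Y.Z' comment"))
    return findings


def commit_sha_from_ref(ref: dict, tag_objects: dict) -> str:
    """Peel a 'GET /repos/{o}/{r}/git/refs/tags/{tag}' response to a commit SHA.
    A lightweight tag points straight at the commit; an annotated tag points at a
    tag object, and comparing that object's SHA to a pin gives a false mismatch.
    tag_objects maps tag-object SHA -> 'GET /git/tags/{sha}' response (offline here)."""
    obj = ref["object"]
    if obj["type"] == "commit":
        return obj["sha"]
    if obj["type"] == "tag":
        return tag_objects[obj["sha"]]["object"]["sha"]
    raise ValueError(f"unexpected ref object type {obj['type']!r}")


# Constructed config: the first repo is pinned as in the PR, the second still uses a tag.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: cef0300fd0fc4d2a87a85fa2093c6b283ea36f4b  # v5.0.0  # pragma: allowlist secret
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.5.0
"""
```

Running `check_config(SAMPLE_CONFIG)` reports only the detect-secrets entry, whose `v1.5.0` tag can be moved by anyone with write access to that repository.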