MPT-22385 Add Danger PR-formatting check workflow #349
Add a Danger workflow that runs the shared softwareone-platform/one-danger action on pull requests to enforce the PR-formatting rules. MPT-22385
📝 Walkthrough
A new GitHub Actions workflow
Changes
Danger CI Workflow
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
🚥 Pre-merge checks | ✅ 3 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (3 passed)
🧹 Nitpick comments (1)
.github/workflows/danger.yml (1)
17-22: ⚡ Quick win: Pin external actions to immutable commit SHAs.
Using mutable tags (@v6, @1.1.0) increases supply-chain risk. Pinning to SHAs hardens the workflow without changing behavior.
Suggested hardening diff
- - name: Checkout - uses: actions/checkout@v6 + - name: Checkout + uses: actions/checkout@<resolved_checkout_sha> - name: Run Danger - uses: softwareone-platform/one-danger@1.1.0 + uses: softwareone-platform/one-danger@<resolved_one_danger_sha>Use the release/tag refs only to resolve the SHA once, then pin the SHA in workflow.
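Review bot: the pinned refs in the suggested diff carry no trailing comment recording which tag each SHA was resolved from, so a later reader (or a dependency-update bot) cannot tell what version `<resolved_checkout_sha>` or `<resolved_one_danger_sha>` corresponds to; suggest keeping the tag as a same-line comment, e.g. `uses: actions/checkout@<resolved_checkout_sha> # v6` and `uses: softwareone-platform/one-danger@<resolved_one_danger_sha> # 1.1.0`, so the pin stays auditable and updatable.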
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/danger.yml around lines 17-22, the GitHub Actions workflow is using mutable version tags (v6 and 1.1.0) for external actions, which creates supply chain security risks. Replace the mutable tags with immutable commit SHAs for both the actions/checkout and softwareone-platform/one-danger actions. First resolve the commit SHA for each action version, then update the workflow to reference the SHAs directly instead of the version tags. This ensures the workflow will always use the exact same version of each action regardless of any future tag changes.
📒 Files selected for processing (1)
.github/workflows/danger.yml
🔗 Linked repositories identified
CodeRabbit considers these linked repositories for cross-repo context during reviews:
softwareone-platform/mpt-extension-skills (manual)
🔇 Additional comments (1)
.github/workflows/danger.yml (1)
17-17: No issues found. The actions/checkout@v6 tag is valid and published; the workflow will not fail due to a missing tag.
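A defender-side check for the pinning rule raised in the review comment above, as an added example that is not part of the PR, the CodeRabbit review, or the one-danger action: it scans a workflow's `uses:` references and reports any not pinned to a full 40-hex commit SHA. The sample workflow is constructed to mirror the steps the comment names; the pinned SHA in it is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow: a checkout step and a shared Danger step using
# mutable tags, a local action, and one step pinned to a placeholder SHA.
SAMPLE_WORKFLOW = """\
name: Danger
on: [pull_request]
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Run Danger
        uses: softwareone-platform/one-danger@1.1.0
      - name: Local action
        uses: ./.github/actions/lint
      - name: Pinned (placeholder SHA, constructed for this example)
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
"""

# Capture the reference after `uses:`; stop at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref):
    """True when a remote action reference ends in a full commit SHA."""
    if "@" not in ref:
        return False  # no ref at all
    _action, version = ref.rsplit("@", 1)
    return SHA_RE.match(version) is not None


def find_unpinned_actions(workflow_text):
    """Return every `uses:` reference that is mutable (tag or branch, not a SHA).

    Local actions (./path) are skipped because they live in the repository
    itself; docker:// references are pinned by image digest, not by git ref.
    """
    unpinned = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned(ref):
            unpinned.append(ref)
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print("unpinned:", ref)
```

Running it against the real .github/workflows/danger.yml (read the file instead of SAMPLE_WORKFLOW) reports the two references the review comment flags.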



🤖 AI-generated PR — Please review carefully.
What
Add .github/workflows/danger.yml running the shared softwareone-platform/one-danger@1.1.0 action on pull requests. It enforces the PR-formatting rules (Jira key in title, single commit, size threshold, no merge commits, release-branch markers and release→main linkage) via Danger.
Part of the org-wide rollout (US-3); the same workflow was smoke-tested in mpt-extension-sdk.
Jira
Closes MPT-22385 (subtask of MPT-22376).
Testing
This PR triggers the new Danger workflow on itself.