harden remind-docs-and-tests workflow #994

Merged: GuyEshdat merged 2 commits into master from core-684-harden-remind-docs on Apr 26, 2026

Conversation

GuyEshdat (Collaborator) commented Apr 26, 2026

Summary

Hardens the pull_request_target-triggered auto-comment workflow against supply-chain risk.

  • SHA-pinned wow-actions/auto-comment@v1. The action runs against the base repo with a GITHUB_TOKEN; pinning to a commit prevents tag-repointing attacks.
  • Default-deny GITHUB_TOKEN: top-level permissions: {}, the run job gets contents: read + pull-requests: write only.

Test plan

  • Open a PR from a fork against master — auto-comment posts as before.
  • Open a PR from an internal branch — same behavior.

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Improved CI workflow security by defining explicit, minimal permission scopes and narrowing permissions at the job level.
    • Increased stability and auditability by pinning a third-party workflow action to a fixed version rather than a floating reference.

- SHA-pin wow-actions/auto-comment@v1
- deny GITHUB_TOKEN by default, grant pull-requests:write to the comment job

Made-with: Cursor
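An added checker, not code from this PR or from the elementary repository, that encodes the two properties the description above asks for: it flags any `uses:` reference that is not a full commit SHA and any workflow with no top-level `permissions:` block. The two workflow texts are constructed samples; the job name `run`, the action name and the commit SHA are taken from this page.

```python
import re

# Constructed sample (not the project's real file): the "before" state the PR
# description describes, with a floating tag and no permissions block at all.
WEAK_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  run:
    steps:
      - uses: wow-actions/auto-comment@v1
"""

# Constructed "after" state mirroring the PR: default-deny at the top level,
# minimal job-level grants, action pinned to the commit SHA quoted in the review.
HARDENED_WORKFLOW = """\
on:
  pull_request_target:
permissions: {}
jobs:
  run:
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: wow-actions/auto-comment@2fc064c21cfb2505de3c5c10e1473b8eb7beca1a
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)(?:@(\S+))?")
TOP_KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):")


def audit_workflow(text: str) -> list:
    """Line-based check (no YAML library needed); returns findings, [] if clean."""
    findings = []
    top_keys = {m.group(1) for m in map(TOP_KEY_RE.match, text.splitlines()) if m}
    if "permissions" not in top_keys:
        # Without this block GITHUB_TOKEN inherits the repository's default scopes,
        # which for pull_request_target means a write-capable token for fork PRs.
        findings.append("no top-level permissions block; GITHUB_TOKEN keeps default scopes")
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are outside this check
        action, ref = m.group(1), m.group(2) or "(no ref)"
        if not SHA_RE.match(ref):
            # A tag or branch can be repointed by whoever controls the action repo.
            findings.append(f"{action}@{ref} is a floating reference, not a commit SHA")
    return findings
```

Running `audit_workflow` over both samples returns two findings for the weak file and none for the hardened one, which is the check a CI gate for workflow changes would enforce.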
linear Bot commented Apr 26, 2026

coderabbitai Bot commented Apr 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 90aa39f1-37e0-4daf-953a-8ba7c63e654e

📥 Commits

Reviewing files that changed from the base of the PR and between 2553a76 and 28d0cd4.

📒 Files selected for processing (1)
  • .github/workflows/remind-docs-and-tests.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/remind-docs-and-tests.yml

📝 Walkthrough

Walkthrough

A GitHub Actions workflow file was updated to set an explicit empty top-level permissions: block, grant only contents: read and pull-requests: write at the job level, and replace wow-actions/auto-comment@v1 with a pinned commit SHA reference.

Changes

Cohort / File(s) Summary
Workflow Security & Pinning
.github/workflows/remind-docs-and-tests.yml
Added top-level permissions: {}; granted minimal job-level permissions (contents: read, pull-requests: write); replaced floating action tag wow-actions/auto-comment@v1 with a pinned commit SHA.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nibbled tokens, trimmed each role,
SHA pinned tight to keep control.
Minimal rights, a tidy nest—
The workflow hops and does its best. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'harden remind-docs-and-tests workflow' directly summarizes the main change: adding security hardening (SHA-pinning and permission restrictions) to the workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


github-actions (Contributor) commented:
👋 @GuyEshdat
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in the elementary repository.

@GuyEshdat GuyEshdat marked this pull request as ready for review April 26, 2026 13:40
@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/remind-docs-and-tests.yml (1)

13-13: Action uses deprecated Node.js 16 runtime; consider upgrading to a newer release or alternative.

The SHA pinning to commit 2fc064c21cfb2505de3c5c10e1473b8eb7beca1a is correct. However, the pinned action uses node16 as its runtime, which reached end-of-life in September 2023 and has been deprecated by GitHub Actions. The action itself has not been updated since October 2022. GitHub may eventually remove support for node16 runners, causing this workflow to fail silently. Monitor the wow-actions/auto-comment repository for updates to a node20-compatible release, or evaluate alternative maintained actions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/remind-docs-and-tests.yml at line 13, The workflow
currently pins the deprecated Node.js 16-based action by referencing
wow-actions/auto-comment@2fc064c21cfb2505de3c5c10e1473b8eb7beca1a; update this
by either switching to a maintained release of wow-actions/auto-comment that
declares node20 (or later) in its action.yml, replacing the pinned SHA with that
newer tag/SHA, or replace the step with an alternative maintained action (or
your own fork) that targets node20, ensuring the uses: reference for
wow-actions/auto-comment (the current pinned identifier) is updated accordingly
and validated in CI.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 928431f1-c260-4cf4-97e2-716b5088e5a7

📥 Commits

Reviewing files that changed from the base of the PR and between 04d8fde and 2553a76.

📒 Files selected for processing (1)
  • .github/workflows/remind-docs-and-tests.yml

@GuyEshdat GuyEshdat merged commit f809f51 into master Apr 26, 2026
17 of 27 checks passed
@GuyEshdat GuyEshdat deleted the core-684-harden-remind-docs branch April 26, 2026 15:14