
ci: update workflow references to main branch#484

Merged
atinux merged 1 commit intonuxt:mainfrom
sxzz:patch-1
May 6, 2026

Conversation

@sxzz
Contributor

@sxzz sxzz commented May 6, 2026

🔗 Linked issue

📚 Description

Versions based on tags and the v1 branch have been deprecated. Always use the main branch.

@coderabbitai

coderabbitai Bot commented May 6, 2026

📝 Walkthrough

The GitHub Actions release workflow configuration was updated to change the action reference source from a pinned version tag (v2.0.0) to the main branch. This single-line modification affects the release job's action execution by using the latest version from the main branch instead of the specific tagged release.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title 'ci: update workflow references to main branch' clearly and accurately summarizes the main change: updating CI workflow references to use the main branch instead of a versioned tag.
  • Description check: Passed. The description explains that versions based on tags and the v1 branch have been deprecated and instructs to always use the main branch, which directly relates to the changeset updating workflow references.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Line 10: In .github/workflows/release.yml change the reusable workflow
reference that currently uses
"sxzz/workflows/.github/workflows/release.yml@main" to pin to a specific full
commit SHA (replace `@main` with @<FULL_COMMIT_SHA>), and optionally add a
trailing comment (e.g., "# sxzz/workflows main @ YYYY-MM-DD") to document which
HEAD SHA/version is pinned; ensure the SHA corresponds to the current HEAD of
sxzz/workflows@main so the workflow is locked to an auditable, immutable commit.
📥 Commits

Reviewing files that changed from the base of the PR and between 3d72f09 and d13cd00.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

jobs:
release:
uses: sxzz/workflows/.github/workflows/release.yml@v2.0.0
uses: sxzz/workflows/.github/workflows/release.yml@main
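Review bot: the `release` job's reference changes from the pinned tag `@v2.0.0` to the mutable `@main` branch, so from now on whatever is at the head of sxzz/workflows main runs in this repository's release job with no review here; the thread notes the job runs with `id-token: write` and `contents: write`, which is why this single line deserves scrutiny. Since the author states the upstream tags have been deleted, the two workable alternatives discussed in the thread are pinning to a full commit SHA or vendoring a copy of release.yml into this repository; whichever is chosen, a trailing comment on this line recording the upstream state it corresponds to (for example `# sxzz/workflows main @ 2026-05-06`) would make later audits of the release pipeline easier.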

⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Pin the reusable workflow to a full commit SHA instead of the mutable @main ref.

Referencing @main means any commit pushed to sxzz/workflows — without a review in this repo — will be silently picked up on the next release tag push. Because this job runs with id-token: write (OIDC federation, e.g. npm publish) and contents: write, a broken or compromised commit on @main can corrupt a release or exfiltrate OIDC credentials.

The PR description notes that tag-based versions are deprecated, which is understood. However, a full commit SHA is the recommended mitigation: it locks to a specific, auditable state of the workflow without needing versioned tags.

🔒 Suggested fix: pin to a commit SHA
-    uses: sxzz/workflows/.github/workflows/release.yml@main
+    uses: sxzz/workflows/.github/workflows/release.yml@<FULL_COMMIT_SHA>

Replace <FULL_COMMIT_SHA> with the current HEAD SHA of sxzz/workflows@main. You can keep a comment beside it to track which "version" it corresponds to:

    # sxzz/workflows main @ 2026-05-06
    uses: sxzz/workflows/.github/workflows/release.yml@<FULL_COMMIT_SHA>

@atinux
Member

atinux commented May 6, 2026

@sxzz I agree with the CodeRabbit comment here; how can we be sure that using @main is secure, as this CI has write permission?

@sxzz
Contributor Author

sxzz commented May 6, 2026

@atinux As per the updated README:

Due to GitHub Actions limitations and this project (sxzz/workflows)'s goal of avoiding frequent per-project workflow updates, future changes may include breaking updates and do not follow SemVer.

Specifically, it is impossible, or at least very difficult, to pin a SHA when using sxzz/workflows. The sxzz/workflows/release.yml workflow uses sxzz/workflows/setup-js internally.

GitHub does not support having sxzz/workflows/release.yml@PIN_SHA use sxzz/workflows/setup-js@SAME_SHA. In practice, it has always used sxzz/workflows/setup-js@v2, and v2 is a branch name.

As a result, this kind of versioning is fundamentally unreliable. Therefore, sxzz/workflows is designed so that it does not need frequent updates. If you require a full commit SHA, the better option is to copy the sxzz/workflows/release.yml file directly (while you can still use setup-js).
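As an added example (not code from this PR or from sxzz/workflows), a small checker for the concern raised in the review comment and in this reply: it scans workflow text for `uses:` references and reports any not pinned to a full 40-hex commit SHA, which also surfaces the transitive `setup-js@v2` reference inside the reusable workflow. The two workflow texts are constructed samples modelled on the diff; the checkout SHA is a placeholder.

```python
import re
# Matches a job-level reusable-workflow reference or a step-level action
# reference; the leading "- " appears only on step entries.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'[0-9a-f]{40}')
SHORT_SHA_RE = re.compile(r'[0-9a-f]{7,39}')

def classify_ref(ref: str) -> str:
    """Classify the text after '@'. Only a full 40-hex SHA is immutable."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    if SHORT_SHA_RE.fullmatch(ref):
        return "short-sha"  # abbreviated SHAs are ambiguous, not accepted as pins
    # A name such as "v2" may be a tag or a branch (the thread says v2 is a
    # branch); the reference is mutable either way.
    return "mutable"

def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, target, kind) for each `uses:` not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local path or container image: no git ref to pin
        if "@" not in target:
            findings.append((line_no, target, "missing-ref"))
            continue
        kind = classify_ref(target.rsplit("@", 1)[1])
        if kind != "sha":
            findings.append((line_no, target, kind))
    return findings

# Constructed sample modelled on the PR's release.yml, not the repository's file.
OUTER_WORKFLOW = """\
jobs:
  release:
    uses: sxzz/workflows/.github/workflows/release.yml@main
"""
# Constructed stand-in for the reusable workflow's own steps (placeholder SHA),
# showing the transitive branch reference the thread describes.
INNER_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: sxzz/workflows/setup-js@v2
"""
```

Running `find_unpinned` over both texts flags the `@main` reference in the caller and the `setup-js@v2` reference inside the reusable workflow, which is the transitive case a SHA pin on the outer reference alone does not cover.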

@sxzz
Contributor Author

sxzz commented May 6, 2026

By the way, all Git tags (e.g. v2.0.0) have been removed. I searched GitHub codebases and found that this is the only usage. If it is not migrated, the CI may fail on the next trigger.

@atinux
Member

atinux commented May 6, 2026

alright, I trust you @sxzz <3

@atinux atinux merged commit 740ae78 into nuxt:main May 6, 2026
4 checks passed
@sxzz sxzz deleted the patch-1 branch May 6, 2026 15:25