Conversation

@yruslan yruslan (Collaborator) commented Jan 16, 2026

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflows to use newer, more secure action releases and runtime environments for improved reliability and compatibility.
    • Standardized job setup steps across pipelines to simplify maintenance.
  • Tests / Coverage
    • Enhanced code coverage reporting to include additional project paths and ensure broader test visibility.


@coderabbitai coderabbitai bot commented Jan 16, 2026

Walkthrough

Updated four GitHub Actions workflows to newer action versions (checkout, setup-java/setup-python, poetry); jacoco workflow also updates jacoco-report/github-script and adds coverage path for extras/. Control flow and behavior remain unchanged.

Changes

Cohort: Checkout action upgrade
File(s): .github/workflows/jacoco.yml, .github/workflows/python.yml, .github/workflows/release.yml, .github/workflows/scala.yml
Summary: Replaced actions/checkout@v2/v4 with actions/checkout@v6.0.2 across workflows.

Cohort: Java / JDK setup
File(s): .github/workflows/jacoco.yml, .github/workflows/scala.yml
Summary: actions/setup-java usage updated; jacoco.yml now uses actions/setup-java@v5.1.0 with temurin, java-version: 8, and sbt cache.

Cohort: Python / Poetry / related actions
File(s): .github/workflows/python.yml
Summary: Upgraded actions/setup-python and pinned abatilo/actions-poetry to a specific commit; checkout and related actions updated to newer versions.

Cohort: Coverage & scripting
File(s): .github/workflows/jacoco.yml
Summary: madrapps/jacoco-report action updated to a specific commit, actions/github-script pinned to v6.4.1, and coverage paths extended to include extras/.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through CI with glee tonight,
Updated checkouts, kept the tests light,
Java, Python, newer skies so blue,
Extras counted — coverage grew,
A tiny rabbit cheers: builds pass true! 🥕

🚥 Pre-merge checks | ✅ 3 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main changes across all modified workflow files, which involve upgrading GitHub Actions to specific version tags and pinning community actions to commit SHAs.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0401fe6 and a36082f.

📒 Files selected for processing (1)
  • .github/workflows/jacoco.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: Test Spark 3.4.4 on Scala 2.12.20
  • GitHub Check: Test Spark 3.5.5 on Scala 2.13.16
  • GitHub Check: Test Spark 3.3.4 on Scala 2.12.20
  • GitHub Check: Test Spark 3.4.4 on Scala 2.13.16
  • GitHub Check: Test Spark 3.3.4 on Scala 2.13.16
  • GitHub Check: Test Spark 3.5.5 on Scala 2.12.20
  • GitHub Check: Test Spark 2.4.8 on Scala 2.11.12
  • GitHub Check: Test Coverage on Scala 2.12.20
  • GitHub Check: test (3.10, ubuntu-22.04)
🔇 Additional comments (4)
.github/workflows/jacoco.yml (4)

29-37: Environment and matrix updates are appropriate.

Ubuntu 22.04 LTS is a stable choice. The Scala (2.12.20) and Spark (3.4.4) version bumps are minor updates and both versions are available on Maven Central.


40-47: Good security improvement by switching to official GitHub action.

Replacing the community olafurpg/setup-scala action with the official actions/setup-java action is a sound security practice. The sbt cache option is well-supported by this action.


69-74: Good: Pinning to specific version tag.

Using v6.4.1 instead of just v6 provides better reproducibility and security, aligning with the PR objective of using final version tags for GitHub Actions.


51-64: SHA pinning for community actions is a strong security practice.

Using a full commit SHA instead of a tag prevents supply chain attacks where a tag could be moved or compromised. The inline comment documenting how to retrieve the SHA from a version tag supports maintainability.

The coverage paths expanded to include extras/ alongside core/ target aligns with the project's multi-module structure.

⚠️ Note: The specific SHA correspondence to v1.7.2 could not be verified due to knowledge cutoff limitations. Recommend confirming locally with:

git ls-remote --tags https://github.com/madrapps/jacoco-report.git v1.7.2

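The pinning check the review above recommends, carried through as an added example (not code from this PR or from the project): it classifies every `uses:` reference in a workflow as a floating tag, a full version tag, a branch, or a commit SHA, and for SHA-pinned references compares the SHA against `git ls-remote --tags` output for the tag named in the trailing comment. The workflow text, the `example/*` repository names and the ls-remote output are constructed samples with made-up SHAs.

```python
"""Audit `uses:` pinning in a GitHub Actions workflow.

Added example; not code from this PR or the project. All SHAs, the
`example/*` repositories and the `git ls-remote` output are constructed.
"""
import re

# `- uses: owner/repo[/path]@ref` with an optional trailing `# <tag>` comment.
# Local (`./`) and `docker://` actions are out of scope and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")  # final release tag, e.g. v6.4.1
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")   # major/minor tag maintainers move, e.g. v6


def classify_ref(ref):
    """Return 'sha', 'version-tag', 'floating-tag' or 'branch' for an @ref."""
    if SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "version-tag"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "branch"


def parse_uses(workflow_text):
    """Return (repo, ref, comment) for every matching `uses:` line."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append((m.group("repo"), m.group("ref"), m.group("comment")))
    return refs


def parse_ls_remote(output):
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    An annotated tag is listed twice: `refs/tags/v1` is the tag object and
    `refs/tags/v1^{}` is the peeled commit. A workflow must pin the commit,
    so the peeled entry overrides the tag object when both are present.
    """
    tags = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def audit(workflow_text, ls_remote_by_repo):
    """Return (repo, ref, kind, status) per `uses:` reference; ls_remote_by_repo
    maps 'owner/repo' to captured `git ls-remote --tags` output."""
    findings = []
    for repo, ref, comment in parse_uses(workflow_text):
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((repo, ref, kind, "not pinned to a commit SHA"))
            continue
        if comment is None:
            findings.append((repo, ref, kind, "no version comment next to SHA"))
            continue
        owner_repo = "/".join(repo.split("/")[:2])
        expected = parse_ls_remote(ls_remote_by_repo.get(owner_repo, "")).get(comment)
        if expected is None:
            status = f"tag {comment} not found in ls-remote output"
        elif expected.lower() == ref.lower():
            status = f"SHA matches tag {comment}"
        else:
            status = f"SHA does not match tag {comment} (expected {expected})"
        findings.append((repo, ref, kind, status))
    return findings


# Constructed sample workflow covering every pinning style.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/github-script@v6.4.1
      - uses: example/coverage-report@0123456789abcdef0123456789abcdef01234567  # v1.7.2
      - uses: example/poetry-setup@89abcdef0123456789abcdef0123456789abcdef  # v2.0.0
      - uses: example/lint@abcdef0123456789abcdef0123456789abcdef01
      - uses: example/deploy@main
"""

# Constructed ls-remote output: coverage-report has an annotated tag (tag object
# plus peeled commit), poetry-setup a lightweight tag that does not match the pin.
SAMPLE_LS_REMOTE = {
    "example/coverage-report": (
        "fedcba9876543210fedcba9876543210fedcba98\trefs/tags/v1.7.2\n"
        "0123456789abcdef0123456789abcdef01234567\trefs/tags/v1.7.2^{}\n"
    ),
    "example/poetry-setup": "1111111111111111111111111111111111111111\trefs/tags/v2.0.0\n",
}

if __name__ == "__main__":
    for repo, ref, kind, status in audit(SAMPLE_WORKFLOW, SAMPLE_LS_REMOTE):
        print(f"{repo}@{ref[:12]} [{kind}]: {status}")
```

For a real repository the ls-remote text comes from the command the review suggests, `git ls-remote --tags https://github.com/<owner>/<repo>.git <tag>`; for an annotated tag it prints both the tag object and the `^{}` peeled commit, and it is the peeled commit SHA that belongs in the workflow. A tag that moves or is re-pushed changes what the floating and version-tag entries resolve to, while a SHA pin keeps resolving to the audited commit, which is why the audit treats anything but a commented SHA as a finding.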

@github-actions github-actions bot commented

Unit Test Coverage

Overall Project 84.18% 🍏

There is no coverage information present for the Files changed

@yruslan yruslan merged commit 09b085d into main Jan 16, 2026
11 checks passed
@yruslan yruslan deleted the feature/secure-gh-actions branch January 16, 2026 08:01