debug(ci): use rootless version of buildkit-cache-dance#247

Closed
TheDarthMole wants to merge 4 commits intomainfrom
debug/test-buildkit-cache-dance-rootless

Conversation

@TheDarthMole
Owner

No description provided.

@coderabbitai

coderabbitai bot commented Mar 30, 2026

Important

Review skipped

Draft detected.

📝 Walkthrough

The pull request updates the GitHub Actions workflow build configuration by modifying the "Inject go-build-cache" step. The action reference is changed from reproducible-containers/buildkit-cache-dance pinned to commit v3.3.1 to jackmisbach/buildkit-cache-dance using the rootless variant. All configuration parameters (builder, dockerfile, skip-extraction, and cache-map) remain unchanged, preserving the existing cache mapping behaviour and control flow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive. No pull request description was provided by the author, making it impossible to evaluate whether it relates to the changeset. Resolution: add a description explaining the purpose of switching to the rootless buildkit-cache-dance variant and any testing or benefits involved.

✅ Passed checks (2 passed)

Title check: ✅ Passed. The title clearly and specifically describes the main change: switching to the rootless variant of the buildkit-cache-dance action in the CI workflow.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@TheDarthMole TheDarthMole marked this pull request as draft March 30, 2026 19:32

- name: 💉 Inject go-build-cache
uses: reproducible-containers/buildkit-cache-dance@6f699a72a59e4252f05a7435430009b77e25fe06 # v3.3.1
uses: jackmisbach/buildkit-cache-dance@rootless
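Review bot: the replacement line drops the immutable pin that the removed line carried (`@6f699a72a59e4252f05a7435430009b77e25fe06 # v3.3.1`) and points at the mutable branch ref `@rootless` of a third-party repository, so any future push to that branch runs in this workflow with its permissions and cache access. Pin to the full commit SHA of the rootless branch and keep the trailing comment naming the intended ref, in the style the removed line used, e.g. `uses: jackmisbach/buildkit-cache-dance@995b7bfce9b62060b4240cc0936a6af743e82247 # rootless`, so the step is reproducible and the CodeQL "Unpinned tag for a non-immutable Action" finding is resolved.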

Check warning

Code scanning / CodeQL

Unpinned tag for a non-immutable Action in workflow Medium

Unpinned 3rd party Action 'Docker' step
Uses Step
uses 'jackmisbach/buildkit-cache-dance' with ref 'rootless', not a pinned commit hash
@codecov

codecov bot commented Mar 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1



📥 Commits

Reviewing files that changed from the base of the PR and between 40b6ec9 and 7be5290.

📒 Files selected for processing (1)
  • .github/workflows/build.yml


- name: 💉 Inject go-build-cache
uses: reproducible-containers/buildkit-cache-dance@6f699a72a59e4252f05a7435430009b77e25fe06 # v3.3.1
uses: jackmisbach/buildkit-cache-dance@rootless

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

repo='https://github.com/jackmisbach/buildkit-cache-dance.git'

echo "Resolving 'rootless' to immutable refs..."
refs="$(git ls-remote "$repo" 'refs/heads/rootless' 'refs/tags/rootless' 'rootless')"
printf '%s\n' "$refs"

sha="$(printf '%s\n' "$refs" | awk 'NR==1 {print $1}')"
if [ -z "$sha" ]; then
  echo "Could not resolve a SHA for 'rootless'" >&2
  exit 1
fi

echo
echo "Candidate SHA to pin: $sha"
echo
echo "Inspecting action metadata at that SHA..."
curl -fsSL "https://raw.githubusercontent.com/jackmisbach/buildkit-cache-dance/$sha/action.yml" | sed -n '1,120p'



Pin this action to an immutable commit SHA.

Line 120 references @rootless, which is a mutable branch reference on a third-party repository. This reintroduces workflow drift and weakens supply-chain hardening. GitHub's guidance recommends pinning actions to full commit SHAs for maximum safety and reproducibility.

Suggested change
-        uses: jackmisbach/buildkit-cache-dance@rootless
+        uses: jackmisbach/buildkit-cache-dance@995b7bfce9b62060b4240cc0936a6af743e82247

The action at this SHA exposes all inputs currently in use: builder, dockerfile, skip-extraction, and cache-map.

🧰 Tools
🪛 GitHub Check: CodeQL

[warning] 120-120: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'Docker' step Uses Step uses 'jackmisbach/buildkit-cache-dance' with ref 'rootless', not a pinned commit hash
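A small checker for the class of finding CodeQL and the review raise above (a `uses:` step that references a mutable branch or tag instead of a full commit SHA). This is an added example, not code from this repository or from either buildkit-cache-dance fork; the sample workflow is constructed and embeds both lines from this PR's diff.

```python
import re
from typing import List, Tuple

# A GitHub Actions step reference: owner/repo[/path]@ref, a local path, or docker://image.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)\s*(#.*)?$")
# Only a full 40-hex commit SHA is immutable; tags and branches can be moved upstream.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """True only for references that cannot silently change on the remote."""
    if ref.startswith("./"):
        return True                      # local action, versioned with the checked-out repo
    if ref.startswith("docker://"):
        return "@sha256:" in ref         # image digest is immutable, a tag is not
    if "@" not in ref:
        return False                     # no ref at all resolves to the default branch
    return bool(FULL_SHA_RE.match(ref.rsplit("@", 1)[1]))


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for every step whose ref is mutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample (not this repository's build.yml) containing both forms from the diff.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Inject go-build-cache
        uses: reproducible-containers/buildkit-cache-dance@6f699a72a59e4252f05a7435430009b77e25fe06 # v3.3.1
      - name: Inject go-build-cache (branch ref)
        uses: jackmisbach/buildkit-cache-dance@rootless
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action ref {ref}")
```

Run against a real workflow with `find_unpinned_uses(open(".github/workflows/build.yml").read())`; each hit is a candidate for replacing the tag or branch with the full SHA plus a `# <ref>` comment.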

@jackmisbach

jackmisbach commented Mar 30, 2026

Hey! Even though I, of course, have no malicious intent 😂, I would recommend pinning it to the SHA digest.
uses: jackmisbach/buildkit-cache-dance@995b7bfce9b62060b4240cc0936a6af743e82247
Although I'm sure you already saw the security tools saying that ❤️

@TheDarthMole
Owner Author

Hey @jackmisbach! That's a good shout; I should have used the pinned versions. I did see the security tools but just wanted a quick POC to see if the fixes you made worked, and they do! Thank you for your contributions to reproducible-containers/buildkit-cache-dance, I look forward to them being merged into main.

@TheDarthMole TheDarthMole deleted the debug/test-buildkit-cache-dance-rootless branch March 30, 2026 20:56