
chore: Using slim runners where possible#5461

Merged
yhakbar merged 7 commits intomainfrom
chore/using-slim-runners
Jan 30, 2026

Conversation

@yhakbar
Collaborator

@yhakbar yhakbar commented Jan 29, 2026

Description

Hoping this reduces the workflow run queue times.

TODOs

Read the Gruntwork contribution guidelines.

  • I authored this code entirely myself
  • I am submitting code based on open source software (e.g. MIT, MPL-2.0, Apache)
  • I am adding or upgrading a dependency or adapted code and confirm it has a compatible open source license
  • Update the docs.
  • Run the relevant tests successfully, including pre-commit checks.
  • Include release notes. If this PR is backward incompatible, include a migration guide.

Release Notes (draft)

Added / Removed / Updated [X].

Migration Guide

Summary by CodeRabbit

  • Chores
    • Pinned CI actions to exact revisions for more reproducible workflows.
    • Switched some workflow runners to a slimmer image for faster runs.
    • Added pipx and a codespell integration to CI tooling.
    • Updated codespell configuration to ignore node_modules and dist directories.


@vercel

vercel bot commented Jan 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: terragrunt-docs
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Jan 29, 2026 9:43pm


@coderabbitai
Contributor

coderabbitai bot commented Jan 29, 2026

📝 Walkthrough

Pins many GitHub Actions to specific commit SHAs, bumps mise version to 2026.1.9, changes select runners to ubuntu-slim, adds GITHUB_TOKEN to some mise steps, updates codespell skip list, and adds pipx/codespell entries to mise.cicd.toml.

Changes

Workflow files (action pinning & mise/version updates)
  Files: .github/workflows/.../announce-release.yml, .../base-test.yml, .../build-no-proxy.yml, .../build.yml, .../cloud-nuke.yml, .../codespell.yml, .../flake.yml, .../fuzz.yml, .../go-mod-tidy-check.yml, .../gopls.yml, .../install-script-test.yml, .../integration-test.yml, .../license-check.yml, .../lint.yml, .../markdownlint.yml, .../oidc-integration-test.yml, .../precommit.yml, .../release.yml, .../sign-macos.yml, .../sign-windows.yml, .../stale.yml
  Summary: Replace many action tag references with specific commit SHAs (checkout, mise-action, cache, upload/download-artifact, cosign-installer, etc.). Bump mise/tool version inputs from 2025.8.16 → 2026.1.9. Change some runners to ubuntu-slim. Add GITHUB_TOKEN to certain mise steps, add merge-multiple: true to download-artifact in sign-windows, and enhance test reporting options in integration-test.yml. No control-flow logic changes beyond pins and minor step param additions.

Configuration files (codespell & mise tools)
  Files: .codespellrc, mise.cicd.toml
  Summary: Add node_modules and dist to .codespellrc skip list. Add pipx = { version = "1.8.0", os = ["macos", "linux"] } and "pipx:codespell" = { version = "2.4.1", os = ["macos", "linux"] } to mise.cicd.toml.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • denis256
  • wakeful

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Description check (⚠️ Warning). Explanation: The PR description is incomplete and does not follow the required template. The 'Description' section only contains a single sentence explaining the purpose ('Hoping this reduces the workflow run queue times') with no detailed explanation of changes. Critical sections like 'Release Notes (draft)' contain placeholder text unchanged. Multiple checkboxes remain incomplete or incorrectly marked. Resolution: Provide a detailed description of all changes made in this PR, particularly the addition of pinned action SHAs and pipx tool configurations. Replace placeholder text in the Release Notes section and ensure Migration Guide appropriately states 'No migration needed' if there are no backward-incompatible changes.

✅ Passed checks (2 passed)
  • Title check (✅ Passed). Explanation: The title 'chore: Using slim runners where possible' directly relates to the main changes in this PR, which involve updating multiple GitHub Actions workflows to use ubuntu-slim runners instead of ubuntu-latest.
  • Docstring Coverage (✅ Passed). Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@thisguycodes thisguycodes left a comment


I don't think we should put lint on slim. But I do think we could put the license check on it?

markdownlint:
name: Run Lint
runs-on: ubuntu-latest
runs-on: ubuntu-slim
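Review bot: moving the markdownlint job to `runs-on: ubuntu-slim` changes the execution environment, not only the CPU count; as the runner reference quoted later in this thread notes, ubuntu-slim runs the job inside a container with a 15-minute job timeout and a minimal preinstalled toolset. Before relying on it, confirm that the step which installs markdownlint still succeeds on that image and that the job's typical runtime leaves headroom under the timeout.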
Contributor


Lint is pretty CPU intensive. It takes 5-10m now, and slim has half the CPU.

Collaborator Author


Markdownlint isn't. This isn't the golangci-lint workflow.

Contributor


Oh derp

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build-no-proxy.yml (1)

31-48: Correct the actions/cache SHA to match a documented v5 release.

The actions/checkout and jdx/mise-action SHAs are correct:

  • actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd = v6.0.2 ✅
  • jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 = v3 ✅

However, actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 does not match any documented v5 release:

  • v5.0.0 = a7833574556fa59680c1b7cb190c1735db73ebf0
  • v5.0.1 = 9255dc7a253b0ccc959486e2bca901246202afeb
  • v5.0.2 = 8b402f58fbc84540c8b491a91e594a4576fec3d7

The pinned SHA corresponds to what the moving v5 tag currently points to, but this is undocumented and makes the pin non-verifiable. Update to a specific release SHA (e.g., v5.0.2's 8b402f58fbc84540c8b491a91e594a4576fec3d7) to maintain supply chain security.

🤖 Fix all issues with AI agents
In @.github/workflows/announce-release.yml:
- Line 16: Update the inline comment on the actions/checkout step to reflect the
exact released tag: change the comment after "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" from "# v6" to "#
v6.0.2" so the SHA and human-readable tag match exactly.
- Line 13: The workflow uses gh, jq, and curl but sets runs-on: ubuntu-slim
which doesn't guarantee these tools; update the workflow to either change the
runner from runs-on: ubuntu-slim to runs-on: ubuntu-latest, or add an explicit
install step that installs gh, jq, and curl before they are used (ensure the
install step runs before any steps calling gh, jq, or curl); reference the
runner line runs-on and the tooling names gh, jq, curl to locate where to apply
the change.

In @.github/workflows/install-script-test.yml:
- Around line 15-22: The workflow comments incorrectly claim the pinned SHAs
match v6 and v3; update either the inline comments or the pinned commits so they
agree: for the checkout step (actions/checkout) and the Cosign installer step
(sigstore/cosign-installer) either change the comment tags to reflect the actual
commit SHAs currently used (de0fac2e... and 7e8b541e...) or re-pin the uses
entries to the true commit SHAs that correspond to v6 and v3 respectively;
ensure the comment after uses: actions/checkout and uses:
sigstore/cosign-installer matches the actual SHA you choose.
🧹 Nitpick comments (1)
.github/workflows/integration-test.yml (1)

143-146: Consider pinning docker/setup-docker-action for consistency.

This action is still using the version tag @v4 while other actions in this workflow have been pinned to specific SHAs. For consistent security posture across the workflow, this should also be pinned.

♻️ Suggested change
       - name: "Setup Docker"
         if: runner.os == 'Linux'
         id: set-up-docker
-        uses: docker/setup-docker-action@v4
+        uses: docker/setup-docker-action@<SHA> # v4

You can find the commit SHA for v4 by checking the docker/setup-docker-action releases.

jobs:
release:
runs-on: ubuntu-latest
runs-on: ubuntu-slim
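Review bot: the `release` job's switch to `runs-on: ubuntu-slim` needs the release script's tool dependencies checked first. The review below notes the script calls gh, jq and curl, and the runner documentation quoted in this thread says ubuntu-slim ships only a minimal toolset with no complete published package list (one image release note lists GitHub CLI, but jq and curl are not listed). Either add a probe step such as `command -v gh jq curl` ahead of the script, add an explicit `sudo apt-get install -y gh jq curl`, or keep this job on ubuntu-latest; the 15-minute job timeout of ubuntu-slim also applies to the release job.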
Contributor


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

find . -name "announce-release.sh" -type f

Repository: gruntwork-io/terragrunt

Length of output: 104


🏁 Script executed:

fd "announce-release" --type f

Repository: gruntwork-io/terragrunt

Length of output: 49


🌐 Web query:

GitHub Actions ubuntu-slim runner label documentation available packages

💡 Result:

  • Runner label / what it is: ubuntu-slim is a single‑CPU GitHub‑hosted runner (currently public preview) that runs your job inside a container (not a full VM), has a 15‑minute job timeout, and comes with only a minimal set of preinstalled tools (intended for lightweight automation, not heavy CI builds). [2]
  • Where GitHub documents the label: GitHub’s “GitHub-hosted runners reference” documents ubuntu-slim and its specs/limits. [2]
  • Where “available packages / installed software” is documented: GitHub’s canonical place for “what’s installed on runner images” is the actions/runner-images repo (it lists available images/labels and links to “Included Software” docs, including an entry for Ubuntu Slim). [1] However, the ecosystem has noted gaps/requests for an explicit, complete package list for ubuntu-slim. [3]
  • Practical way to see what’s available in your job run: because installed tools can change, the most reliable method is to print inventory during the workflow run (e.g., uname -a, cat /etc/os-release, which git, git --version, python --version, node --version, dpkg -l, etc.), and/or consult the “Set up job” log which indicates runner image details. [1]

Sources:
[1] actions/runner-images repository README (available images + included-software links)
[2] GitHub Docs: “GitHub-hosted runners reference” (includes ubuntu-slim specs, container model, timeout, minimal tools)
[3] actions/runner-images issue requesting a published ubuntu-slim included-software list


🏁 Script executed:

cat -n .github/scripts/announce-release.sh

Repository: gruntwork-io/terragrunt

Length of output: 2274


🌐 Web query:

site:github.com actions/runner-images ubuntu-slim included software packages

💡 Result:

GitHub doesn’t currently publish a complete, versioned “included software”/package list for the ubuntu-slim GitHub-hosted runner comparable to the Ubuntu2404-Readme.md lists for the full Ubuntu images—there’s an open request specifically asking for that documentation. [1]

What is documented is that ubuntu-slim (public preview) is a single‑CPU runner and only a minimal set of tools is installed, intended for lightweight tasks. [2]

If you need the actual installed packages/tools, the practical options are:

  • Inspect at runtime in a job (e.g., dpkg -l, apt list --installed, snap list, pipx list, etc.).
  • Review the image build definitions/scripts in the actions/runner-images repo under the images/ubuntu-slim/ area (source of truth for what gets installed), even though an explicit “included software” inventory isn’t published as a single list. [1]

Sources:
[1] actions/runner-images#13340
[2] https://docs.github.com/actions/reference/runners/github-hosted-runners


🌐 Web query:

ubuntu-slim runner github actions gh jq curl available installed

💡 Result:

ubuntu-slim is a GitHub-hosted single-CPU runner that runs your job inside a container and comes with only a minimal set of preinstalled tools (it’s meant for lightweight automation, not full CI stacks). GitHub does not guarantee the same preinstalled toolset as ubuntu-latest. [1], [2]

So for gh, jq, and even curl, you should not rely on them being present on ubuntu-slim; instead, explicitly install (or at least probe) them in your workflow. [2]

Example:

- name: Check tools
  run: |
    command -v curl || echo "curl missing"
    command -v jq   || echo "jq missing"
    command -v gh   || echo "gh missing"

- name: Install tools if needed
  run: |
    sudo apt-get update
    sudo apt-get install -y curl jq gh

Sources:
[1] actions/runner-images (runner labels include ubuntu-slim)
[2] GitHub Docs: ubuntu-slim is container-based and has only a minimal preinstalled toolset


The workflow will fail on ubuntu-slim because required tools are not available.

Line 13: The script uses gh (line 12), jq (lines 13–40), and curl (lines 42–45), none of which are guaranteed on ubuntu-slim (GitHub does not publish a complete package list, but documents that it includes only a minimal set of tools). Either:

  • Switch to ubuntu-latest (which includes these tools), or
  • Add an explicit install step:
    - run: apt-get update && apt-get install -y gh jq curl

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
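Review bot: the trailing comment on the new `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` line should name the exact release the SHA resolves to (`# v6.0.2`, per the tag lookup in the comment that follows) rather than the floating `# v6`. The comment is what a reviewer reads when auditing the pin; a major-version alias moves while the SHA does not, so `# v6` will silently stop describing this commit.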
Contributor


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

actions/checkout de0fac2e4500dabe0009e67214ff5f5447ce83dd

💡 Result:

de0fac2e4500dabe0009e67214ff5f5447ce83dd is the Git commit SHA for actions/checkout release v6.0.2 (published January 9, 2026). It corresponds to the change “Fix tag handling: preserve annotations and explicit fetch-tags” (PR #2356). [1]

v6.0.2 includes (per the release notes):


Update the pinned actions/checkout comment to reflect the exact version.

The SHA de0fac2e4500dabe0009e67214ff5f5447ce83dd corresponds to actions/checkout v6.0.2, not just v6. Update the inline comment from # v6 to # v6.0.2 for precision and to avoid supply-chain drift.


Comment on lines +15 to +22
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Install GPG (Ubuntu)
if: matrix.os == 'ubuntu-latest'
run: sudo apt-get update && sudo apt-get install -y gnupg

- name: Install Cosign
uses: sigstore/cosign-installer@v3
uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3
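Review bot: two points on this hunk. First, the `# v6` comment on the checkout pin and the `# v3` comment on `sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5` should state the release each SHA actually corresponds to; the tag lookups in the comment below show `v6` and `v3` currently resolving to different commits (8e8c483d... and f713795c...), so a comment naming a moving major tag cannot be checked against the SHA. Second, the `Install GPG (Ubuntu)` step is gated on `if: matrix.os == 'ubuntu-latest'`, so if a matrix entry is later moved to `ubuntu-slim` as this PR does for other jobs, gnupg would silently not be installed there; gating on `runner.os == 'Linux'` (the condition the Setup Docker step in integration-test.yml already uses) avoids that.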
Contributor


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# actions/checkout v6
echo "=== actions/checkout v6 ==="
gh api repos/actions/checkout/git/ref/tags/v6 --jq '.object.sha' || echo "Error querying v6 tag"

# sigstore/cosign-installer v3
echo "=== sigstore/cosign-installer v3 ==="
gh api repos/sigstore/cosign-installer/git/ref/tags/v3 --jq '.object.sha' || echo "Error querying v3 tag"

Repository: gruntwork-io/terragrunt

Length of output: 478


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== actions/checkout v6 tag info ==="
curl -s https://api.github.com/repos/actions/checkout/git/refs/tags/v6 | jq '.object.sha // .message'

echo ""
echo "=== sigstore/cosign-installer v3 tag info ==="
curl -s https://api.github.com/repos/sigstore/cosign-installer/git/refs/tags/v3 | jq '.object.sha // .message'

Repository: gruntwork-io/terragrunt

Length of output: 236


Fix incorrect tag annotations on pinned actions—SHAs do not match v6 and v3 tags.

The pinned commit SHAs do not correspond to the referenced versions:

  • actions/checkout is pinned to de0fac2e... but v6 resolves to 8e8c483d...
  • sigstore/cosign-installer is pinned to 7e8b541e... but v3 resolves to f713795c...

Update the inline comments to reflect the actual pinned versions, or re-pin to the correct commits matching the stated tags.

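
A checker for the two pinning problems raised in the review comments above (an action still referenced by a moving tag such as docker/setup-docker-action@v4, and a SHA pin whose `# vX` comment disagrees with what that tag resolves to), as an added example that is not part of the terragrunt PR or of CodeRabbit's tooling. The workflow text and the tag lookup table are constructed from values quoted in this thread; `audit_workflow`, `Finding` and the lookup dict are names assumed here.

```python
import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>\S+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line: int
    action: str
    ref: str
    kind: str  # unpinned | missing-comment | comment-mismatch | unknown-tag
    detail: str


def audit_workflow(text: str, resolve: dict) -> list:
    """Return a Finding for every `uses:` line that is not a verifiable SHA pin.
    `resolve` maps (action, tag) -> the commit that tag currently points to; in
    CI it would be filled from `gh api repos/<owner>/<repo>/git/ref/tags/<tag>`."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        action, ref = m["action"], m["ref"]
        comment = (m["comment"] or "").strip()
        if not SHA_RE.match(ref):
            # A tag or branch can be moved upstream at any time; only a full
            # commit SHA is an immutable reference.
            findings.append(Finding(lineno, action, ref, "unpinned",
                                    "mutable tag/branch, not a 40-hex SHA"))
            continue
        if not comment:
            findings.append(Finding(lineno, action, ref, "missing-comment",
                                    "SHA pin has no version comment to audit"))
            continue
        tag = comment.split()[0]
        expected = resolve.get((action, tag))
        if expected is None:
            findings.append(Finding(lineno, action, ref, "unknown-tag",
                                    f"could not resolve {tag}; verify by hand"))
        elif not ref.startswith(expected):
            # The API returns full SHAs, so this is normally an exact match; the
            # constructed table below only carries the prefixes quoted in review.
            findings.append(Finding(lineno, action, ref, "comment-mismatch",
                                    f"comment says {tag} but it resolves to {expected[:8]}"))
    return findings


# Constructed sample: pins and tag resolutions quoted in this PR thread.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-slim
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3
      - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7
      - uses: docker/setup-docker-action@v4
"""
RESOLVED = {
    ("actions/checkout", "v6.0.2"): "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
    ("actions/checkout", "v6"): "8e8c483d",           # prefix only, as quoted
    ("sigstore/cosign-installer", "v3"): "f713795c",  # prefix only, as quoted
    ("actions/cache", "v5.0.2"): "8b402f58fbc84540c8b491a91e594a4576fec3d7",
}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, RESOLVED):
        print(f"line {f.line}: {f.action}@{f.ref[:8]} [{f.kind}] {f.detail}")
```

Running it against every file under .github/workflows in CI turns the review's manual SHA lookups into a repeatable gate.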

@yhakbar
Collaborator Author

yhakbar commented Jan 29, 2026

I don't think we should put lint on slim. But I do think we could put the license check on it?

We can try throwing license check on it, though it takes ~2m on average on the latest ubuntu runner.

thisguycodes
thisguycodes previously approved these changes Jan 29, 2026
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/codespell.yml:
- Around line 9-12: The workflow uses runs-on: ubuntu-slim which may lack
required tools; add a bootstrap step before the mise-action invocation to update
apt and install curl, tar, and unzip (e.g., run: apt-get update && apt-get
install -y curl tar unzip, using sudo if necessary) so the jdx/mise-action has
the expected tooling, or alternatively run a short test job to validate the
image contents and document the verification; locate the job that declares
runs-on: ubuntu-slim in the workflow file and insert the bootstrap step
immediately before the step that calls jdx/mise-action (or adjust the runner to
a fuller image).
🧹 Nitpick comments (1)
.github/workflows/codespell.yml (1)

18-24: Add explicit minimal GITHUB_TOKEN permissions for the third‑party action.

Since the token is passed to jdx/mise-action, set job-level permissions explicitly to follow least-privilege principle and align with the repo's pattern of explicit permission declarations across other workflows.

🔒 Suggested permissions hardening
 jobs:
   codespell:
     name: Check Spelling
     runs-on: ubuntu-slim
+    permissions:
+      contents: read

The mise-action only needs repo read access for GitHub API calls to avoid rate limits; contents: read is the minimal required scope.

Comment on lines +9 to +12
runs-on: ubuntu-slim

env:
MISE_PROFILE: cicd
Contributor


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

GitHub Actions ubuntu-slim runner image contents preinstalled software

💡 Result:

ubuntu-slim is a GitHub-hosted runner label that points to GitHub’s “Ubuntu Slim” image (currently a preview image type in actions/runner-images). It’s intended for lightweight tasks and has only a minimal set of preinstalled tools compared to ubuntu-24.04 / ubuntu-22.04. [1][2]

What’s (known to be) preinstalled

GitHub doesn’t publish a single always-up-to-date “full software list” page for ubuntu-slim the way it does for ubuntu-24.04/ubuntu-22.04 (the image is updated frequently), but recent image release notes show examples of what’s included.

For the Ubuntu Slim image version 20260120.46.1 (OS 24.04.3 LTS), the release notes list these tools present on the image: Docker Client, Docker Buildx, Docker Compose v2, Node.js, AzCopy, yq, AWS CLI, AWS SAM CLI, Azure CLI, GitHub CLI, Google Cloud CLI. [3]

How to get the exact contents for your run

Because the images change often, the most reliable way is to inspect the job logs: GitHub notes you can determine the exact image version and software versions used in a specific run from the “Set up job” step output. [1]

Sources: [1] actions/runner-images repo README, [2] GitHub Docs (hosted runners reference), [3] Ubuntu Slim image release notes for ubuntu-slim/20260120.46.1.


🌐 Web query:

jdx/mise-action requirements dependencies curl tar unzip

💡 Result:

For jdx/mise-action, the action itself is a Node-based JavaScript action, so on GitHub-hosted runners you typically don’t need to install anything manually. The “missing deps” issue usually comes up on self-hosted runners or minimal container images.

Required/commonly needed system deps

  • curl — needed if you install mise via the standard installer (curl https://mise.run | sh). [1]
  • tar — required by GitHub Actions caching implementations when running in containers (the cache action expects a POSIX tar on PATH). [2]
  • unzip — commonly required in containerized/self-hosted runner setups because various GitHub Actions components and tooling distributions are shipped as .zip archives (for example, runner-container hooks are installed via a .zip + unzip). [3]

Typical install command (Debian/Ubuntu)

apt-get update && apt-get install -y curl tar unzip

Sources: [1] [2] [3]


🌐 Web query:

codespell dependencies requirements minimal environment

💡 Result:

  • Minimum runtime environment for codespell: Python ≥ 3.8. codespell itself has no required (runtime) third‑party dependencies (dependencies = []). [1] [2]
  • If you want codespell to read config from pyproject.toml on Python < 3.11: install tomli (e.g., codespell[toml], or add tomli as an extra dependency in pre-commit). [1] [2]
  • Optional extras (only if you enable them):
    • Better encoding detection: codespell[hard-encoding-detection]chardet. [2]

Sources: PyPI project page for codespell (Python requirement + tomli note) [1]; codespell’s pyproject.toml showing dependencies = [] and optional extras [2].


Verify ubuntu-slim includes required tooling or add bootstrap step.

The ubuntu-slim runner image is explicitly minimal with no published comprehensive software list. While jdx/mise-action is Node-based and designed for GitHub-hosted runners, the specific tools it may need (curl, tar, unzip) are not confirmed as preinstalled. To ensure compatibility, either inspect the job logs for the exact image version/contents in a test run, or add a bootstrap step: apt-get update && apt-get install -y curl tar unzip before the mise-action step.


denis256
denis256 previously approved these changes Jan 29, 2026
@yhakbar yhakbar merged commit 543771e into main Jan 30, 2026
116 of 122 checks passed
@yhakbar yhakbar deleted the chore/using-slim-runners branch January 30, 2026 00:49