
@cheese-cakee
Contributor

Fixes #1278

Corrected the SHA for step-security/harden-runner action in merge conflict bot workflow.

  • From: 20cf3052978e1b6646b35198a5d69ed51a6c9d71
  • To: 20cf305ff2072d973412fa9b1e3a4f227bda3c76

…rkflow

Replace incorrect SHA with correct one for v2.14.0 release (#1278)

Signed-off-by: cheese-cakee <[email protected]>
@coderabbitai

coderabbitai bot commented Dec 31, 2025

📝 Walkthrough

Two files were updated to correct an incorrect commit hash reference for the step-security/harden-runner action in a GitHub Actions workflow and to document this correction in the changelog.

Changes

Cohort / File(s) and summary:

  • Workflow configuration (.github/workflows/bot-merge-conflict.yml): Updated step-security/harden-runner action commit hash from 20cf3052978e1b6646b35198a5d69ed51a6c9d71 to 20cf305ff2072d973412fa9b1e3a4f227bda3c76 (v2.14.0 remains unchanged)
  • Changelog documentation (CHANGELOG.md): Added entry in Unreleased section under "Fixed" subsection documenting the corrected SHA for step-security/harden-runner action (#1278)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks

✅ Passed checks (5 passed)
Check name, status and explanation:

  • Title check (✅ Passed): The title clearly and accurately describes the main change: correcting the step-security/harden-runner SHA in the merge conflict bot workflow.
  • Description check (✅ Passed): The description directly addresses the PR purpose by referencing issue #1278 and detailing the SHA correction from the incorrect to the correct hash.
  • Linked Issues check (✅ Passed): The PR fully implements issue #1278 requirements: updates the incorrect SHA to the correct one in bot-merge-conflict.yml, includes a changelog entry, and uses signed commits.
  • Out of Scope Changes check (✅ Passed): All changes are directly scoped to issue #1278: only the SHA correction in the workflow file and a related changelog entry are present.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5cf8553 and 88a27d2.

📒 Files selected for processing (2)
  • .github/workflows/bot-merge-conflict.yml
  • CHANGELOG.md
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*

⚙️ CodeRabbit configuration file

.github/workflows/**/*: Review workflows as security-sensitive infrastructure.

A good workflow is small, focused, and boring.
If a workflow is clever, generic, or overly flexible, it is a risk.


PRIORITY 0 — ABSOLUTE REQUIREMENTS

  • All third-party actions MUST be pinned to full commit SHAs, similar to other workflows.
  • permissions: MUST be explicitly declared and minimally scoped.
  • Workflows MUST behave safely when executed from forks.
  • YAML MUST orchestrate steps, not implement business logic.
  • Any workflow that mutates GitHub state MUST support dry-run mode.
  • Dry-run behavior must be explicit and visible in logs.
  • Workflows MUST NOT modify repository source code outside .github/.

PRIORITY 1 — SCOPE, FOCUS & RESTRAINT

  • The title of each workflow must be relevant, match similar naming schemes, and match its script filename.
  • Each workflow MUST have a single, clearly defined objective and SHOULD document this in a top-level comment.
  • Flag workflows that:
    • Attempt to be generic “frameworks”
    • Include speculative or future-facing logic
    • Perform actions unrelated to the stated goal
  • Over-abstraction and excess flexibility are maintenance risks.

PRIORITY 2 — INPUT HARDENING

  • Treat ALL GitHub event data as potentially hostile input, including:
    • issue titles, bodies, and comments
    • labels, usernames, branch names
  • Free-form user input MUST NOT be passed directly into:
    • shell commands
    • gh CLI arguments
    • Node.js exec / spawn calls
  • Require strict allowlists or exact string matches.
  • Flag any use of:
    • eval or bash -c
    • backticks or $(...) with user-controlled input

------------------...

Files:

  • .github/workflows/bot-merge-conflict.yml
🪛 markdownlint-cli2 (0.18.1)
CHANGELOG.md

76-76: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (1)
.github/workflows/bot-merge-conflict.yml (1)

36-36: SHA update is correct and follows security best practices.

The change to pin step-security/harden-runner to the full commit SHA 20cf305ff2072d973412fa9b1e3a4f227bda3c76 (v2.14.0) aligns with PRIORITY 0 requirements. This SHA is consistently used across all updated workflows in the repository, and no instances of the old SHA remain. All other third-party actions in this workflow are also properly pinned.
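The PRIORITY 0 and PRIORITY 2 rules quoted above (full-SHA pins, no raw event data in shell commands) can be checked mechanically. The script below is an added example, not part of this PR or the repository's tooling; it runs over a constructed workflow snippet that reuses the harden-runner SHA from this PR and also follows multi-line `run: |` blocks, which a single-line check would miss.

```python
import re

# Constructed sample workflow (not the repository's bot-merge-conflict.yml): one step
# pinned to this PR's full SHA, one pinned only to a tag, one run: step that expands
# event data into the shell, and one that passes the same value safely via env:.
SAMPLE_WORKFLOW = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
      - uses: actions/checkout@v4
      - run: echo "${{ github.event.issue.title }}"
      - run: echo "$TITLE"
        env:
          TITLE: ${{ github.event.issue.title }}
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
EVENT_EXPR = re.compile(r"\$\{\{\s*github\.event\.[^}]*\}\}")

def find_unpinned_actions(yaml_text):
    """Return third-party actions whose ref is not a full 40-hex commit SHA (PRIORITY 0)."""
    unpinned = []
    for line in yaml_text.splitlines():
        m = USES_LINE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and container actions are out of scope here
        action, _, ref = m.group(1).partition("@")
        if not FULL_SHA.match(ref):
            unpinned.append(f"{action}@{ref}")
    return unpinned

def find_event_interpolation_in_run(yaml_text):
    """Return lines inside run: steps (single-line or block scalar) that expand
    github.event.* data straight into shell text (PRIORITY 2); env: passing is not flagged."""
    hits, run_indent = [], None
    for line in yaml_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):  # list item: the key starts two columns further in
            indent, stripped = indent + 2, stripped[2:]
        if stripped.startswith("run:"):
            run_indent = indent
        elif run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # a sibling key or the next step ends the run: block
        if run_indent is not None and EVENT_EXPR.search(line):
            hits.append(line.strip())
    return hits
```

Running both functions over the sample reports `actions/checkout@v4` as unpinned and only the first `run:` line as interpolating event data; the `env:` variant passes.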

Comment on lines +76 to +78
### Fixed
- Fixed step-security/harden-runner action SHA in merge conflict bot workflow (#1278)


⚠️ Potential issue | 🔴 Critical

Critical: Duplicate "Fixed" section — merge with existing section at line 122.

This PR introduces a duplicate "Fixed" section under "Unreleased". The changelog format requires only one section per category per release. A "Fixed" section already exists at line 122.

Additionally, there's a missing blank line before the new heading (line 76), as flagged by static analysis.

🔎 Proposed fix

Move the entry to the existing "Fixed" section. Remove lines 76-78 and add the entry after line 122:

 - Added merge conflict bot workflow (`.github/workflows/bot-merge-conflict.yml`) and helper script (`.github/scripts/bot-merge-conflict.js`) to detect and notify about PR merge conflicts, with retry logic for unknown mergeable states, idempotent commenting, and push-to-main recheck logic (#1247)
 
-### Fixed
-- Fixed step-security/harden-runner action SHA in merge conflict bot workflow (#1278)
-
 ### Changed
 - Bumped requests from 2.32.3 to 2.32.4 to 2.32.5

Then, at line 122, add the entry to the existing "Fixed" section:

 ### Fixed
 
+- Fixed step-security/harden-runner action SHA in merge conflict bot workflow (#1278)
 - Fixed the README account balance example to use correct SDK APIs and provide a runnable testnet setup. (#1250)
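Review bot: The two hunks are fine on their own, but the prose that frames them is not: once lines 76-78 are removed as the first hunk shows, the existing `### Fixed` heading moves up three lines, so "add the entry after line 122" no longer points at the blank line beneath that heading. Since this cannot be a committable suggestion, describe the insertion point by its context (directly under `### Fixed`, above the #1250 entry, exactly as the second hunk shows) rather than by a line number.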

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

76-76: Headings should be surrounded by blank lines
Expected: 1; Actual: 0; Below

(MD022, blanks-around-headings)

Contributor

@exploreriii exploreriii left a comment


- Added merge conflict bot workflow (`.github/workflows/bot-merge-conflict.yml`) and helper script (`.github/scripts/bot-merge-conflict.js`) to detect and notify about PR merge conflicts, with retry logic for unknown mergeable states, idempotent commenting, and push-to-main recheck logic (#1247)

### Fixed
- Fixed step-security/harden-runner action SHA in merge conflict bot workflow (#1278)
Contributor


This should be line 123.

@cheese-cakee
Contributor Author

Closing this PR due to GitHub Actions caching issues. Created new PR #1280 with the same fix.

@github-actions

Hi, this is WorkflowBot.
Your pull request cannot be merged as it is not passing all our workflow checks.
Please click on each check to review the logs and resolve issues so all checks pass.
To help you:

Development

Successfully merging this pull request may close these issues.

[Good First Issue]: Replace action with correct package

2 participants