
Conversation

@cheese-cakee (Contributor):

Fixes #1278

Corrected the SHA for step-security/harden-runner action in merge conflict bot workflow.

  • From: 20cf3052978e1b6646b35198a5d69ed51a6c9d71
  • To: 20cf305ff2072d973412fa9b1e3a4f227bda3c76

Also fixed duplicate Fixed section in CHANGELOG.md as suggested by CodeRabbit.

@exploreriii (Contributor):

Your middle commit isn't signed; you can soft-revert them and re-sign:
git reset --soft HEAD~3
https://github.com/hiero-ledger/hiero-sdk-python/pull/1280/checks?check_run_id=59234585613

coderabbitai bot commented Dec 31, 2025

📝 Walkthrough

Corrected an incorrect SHA reference for the step-security/harden-runner GitHub action in the merge conflict bot workflow and added a changelog entry documenting the fix.

Changes

  • Workflow Configuration (.github/workflows/bot-merge-conflict.yml): Updated step-security/harden-runner action reference from SHA 20cf3052978e1b6646b35198a5d69ed51a6c9d71 to 20cf305ff2072d973412fa9b1e3a4f227bda3c76 (both tagged v2.14.0).
  • Changelog (CHANGELOG.md): Added Unreleased -> Fixed entry: "Fixed step-security/harden-runner action SHA in merge conflict bot workflow (#1278)".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Pre-merge checks

❌ Failed checks (1 inconclusive)
  • Linked Issues check: ❓ Inconclusive. The PR implements the core requirement from issue #1278 by replacing the incorrect SHA with the correct one in the workflow file and adding a changelog entry, though commit signing status requires verification. Resolution: verify that all commits are properly DCO and GPG-signed as required by issue #1278 acceptance criteria, as indicated by the sign check failure reported in PR objectives.

✅ Passed checks (4 passed)
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: correcting the step-security/harden-runner SHA in the merge conflict bot workflow.
  • Description check: ✅ Passed. The description is directly related to the changeset, explaining what SHA was changed and referencing the linked issue #1278 that motivated the change.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to issue #1278: SHA replacement in the workflow file and changelog entry updates, with no extraneous modifications.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a32233b and cfc1dfe.

📒 Files selected for processing (2)
  • .github/workflows/bot-merge-conflict.yml
  • CHANGELOG.md
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*

⚙️ CodeRabbit configuration file

.github/workflows/**/*: Review workflows as security-sensitive infrastructure.

A good workflow is small, focused, and boring.
If a workflow is clever, generic, or overly flexible, it is a risk.


PRIORITY 0 — ABSOLUTE REQUIREMENTS

  • All third-party actions MUST be pinned to full commit SHAs, similar to other workflows.
  • permissions: MUST be explicitly declared and minimally scoped.
  • Workflows MUST behave safely when executed from forks.
  • YAML MUST orchestrate steps, not implement business logic.
  • Any workflow that mutates GitHub state MUST support dry-run mode.
  • Dry-run behavior must be explicit and visible in logs.
  • Workflows MUST NOT modify repository source code outside .github/.

PRIORITY 1 — SCOPE, FOCUS & RESTRAINT

  • The title of each workflow must be relevant, match similar naming schemes, and match its script filename.
  • Each workflow MUST have a single, clearly defined objective and SHOULD document this in a top-level comment.
  • Flag workflows that:
    • Attempt to be generic “frameworks”
    • Include speculative or future-facing logic
    • Perform actions unrelated to the stated goal
  • Over-abstraction and excess flexibility are maintenance risks.

PRIORITY 2 — INPUT HARDENING

  • Treat ALL GitHub event data as potentially hostile input, including:
    • issue titles, bodies, and comments
    • labels, usernames, branch names
  • Free-form user input MUST NOT be passed directly into:
    • shell commands
    • gh CLI arguments
    • Node.js exec / spawn calls
  • Require strict allowlists or exact string matches.
  • Flag any use of:
    • eval or bash -c
    • backticks or $(...) with user-controlled input

------------------...

Files:

  • .github/workflows/bot-merge-conflict.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: codecov/patch
  • GitHub Check: build-and-test (3.13)
  • GitHub Check: build-and-test (3.11)
  • GitHub Check: build-and-test (3.12)
  • GitHub Check: build-and-test (3.10)
  • GitHub Check: run-examples
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (2)
CHANGELOG.md (1)

121-121: LGTM! Changelog entry is well-formatted.

The changelog entry accurately documents the fix, is properly placed in the "Fixed" section, includes the issue reference (#1278), and follows the project's changelog format.

.github/workflows/bot-merge-conflict.yml (1)

36-36: SHA 20cf305ff2072d973412fa9b1e3a4f227bda3c76 is correct for step-security/harden-runner v2.14.0.

The action is properly pinned to the official commit hash for the v2.14.0 release.


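As an added example (not code from this PR or from the hiero-sdk-python project), the following Python linter checks a workflow file against three of the rules quoted in the review configuration above: every third-party `uses:` reference is pinned to a full 40-hex commit SHA, a top-level `permissions:` block is declared, and no `${{ github.event.* }}` / `${{ inputs.* }}` expression is interpolated straight into a `run:` script. Given an allowlist of known tag-to-SHA pins, it also catches the class of mistake this PR corrects: a full-length SHA that is not the one the `# v2.14.0` comment claims. The two workflow texts, the `KNOWN_PINS` allowlist and the `lint_workflow` function are constructed for this example; the two v2.14.0 SHA values are the ones quoted in the PR. It is a line-oriented scanner with no YAML dependency, and it covers `run:` scripts only, not `gh` CLI arguments or Node.js `exec`/`spawn` calls.

```python
"""Added example: line-oriented linter for GitHub Actions workflow text.
Checks full-SHA pinning, a top-level permissions: block, and event data
interpolated into run: scripts. No YAML dependency; not a full parser."""
from __future__ import annotations

import re

SHA_RE = re.compile(r"[0-9a-f]{40}")                                  # full commit SHA only
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")  # ref, optional tag comment
RUN_RE = re.compile(r"^(\s*)-?\s*run:(.*)$")                          # indent, rest of line
UNSAFE_EXPR_RE = re.compile(r"\$\{\{\s*(?:github\.event\.|inputs\.|github\.head_ref)[^}]*\}\}")

# Constructed allowlist (tag -> SHA); the SHA is the one this PR adopts for v2.14.0.
KNOWN_PINS = {"step-security/harden-runner@v2.14.0": "20cf305ff2072d973412fa9b1e3a4f227bda3c76"}


def lint_workflow(text: str, known_pins: dict[str, str] | None = None) -> list[str]:
    """Return findings for one workflow file; an empty list means it passed."""
    known_pins = known_pins or {}
    findings: list[str] = []
    has_top_permissions = False
    run_indent: int | None = None  # indentation of an open `run: |` block

    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))

        if run_indent is not None:            # inside a multi-line script
            if line.strip() and indent <= run_indent:
                run_indent = None             # dedent closes the block
            else:
                if UNSAFE_EXPR_RE.search(line):
                    findings.append(f"line {lineno}: event data interpolated into run script; pass it via env:")
                continue

        if line.startswith("permissions:"):   # column 0 => workflow level
            has_top_permissions = True
            continue

        m = USES_RE.match(line)
        if m:
            ref, comment = m.group(1), m.group(2)
            if ref.startswith(("./", "docker://")):
                continue                      # local actions / images: out of scope here
            repo, _, version = ref.partition("@")
            pin_key = f"{repo}@{comment}" if comment else None
            if not SHA_RE.fullmatch(version):
                findings.append(f"line {lineno}: {repo} pinned to '{version or '<none>'}', not a full commit SHA")
            elif pin_key in known_pins and known_pins[pin_key] != version:
                findings.append(f"line {lineno}: {repo} SHA {version} does not match the known pin for {comment}")
            continue

        m = RUN_RE.match(line)
        if m:
            body = m.group(2)
            if UNSAFE_EXPR_RE.search(body):   # inline `run: echo ${{ ... }}`
                findings.append(f"line {lineno}: event data interpolated into run script; pass it via env:")
            if body.strip() in ("|", "|-", ">", ">-"):
                run_indent = len(m.group(1))

    if not has_top_permissions:
        findings.insert(0, "no top-level permissions: block declared")
    return findings


# Constructed sample: wrong SHA (it shares the 20cf305 prefix with the right one),
# an unpinned tag, no permissions block, and raw event data inside a script.
VULNERABLE_WORKFLOW = """\
name: Merge conflict bot
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf3052978e1b6646b35198a5d69ed51a6c9d71  # v2.14.0
      - uses: actions/checkout@v4
      - name: Comment
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
"""

# Constructed sample with each finding addressed.
HARDENED_WORKFLOW = """\
name: Merge conflict bot
on:
  pull_request_target:
permissions:
  pull-requests: write
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76  # v2.14.0
      - name: Comment
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {lint_workflow(wf, KNOWN_PINS) or ['clean']}")
```

The allowlist is what turns a syntactically valid 40-hex string into a verifiable pin: without it, the wrong SHA in the vulnerable sample passes the format check, which is exactly why issue #1278 went unnoticed until someone compared the hash against the v2.14.0 release. The hardened sample also shows the usual mitigation for the input-hardening rule, routing event data through an `env:` variable so the shell sees it as data rather than as script text.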

…rkflow

Fixes #1278

Corrected the SHA for step-security/harden-runner action in merge conflict bot workflow.

- From: 20cf3052978e1b6646b35198a5d69ed51a6c9d71
- To: 20cf305ff2072d973412fa9b1e3a4f227bda3c76

Also fixed duplicate Fixed section in CHANGELOG.md as suggested by CodeRabbit.

Signed-off-by: cheese-cakee <[email protected]>
codecov bot commented Dec 31, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #1280   +/-   ##
=======================================
  Coverage   91.79%   91.79%           
=======================================
  Files         139      139           
  Lines        8466     8466           
=======================================
  Hits         7771     7771           
  Misses        695      695           

@exploreriii exploreriii merged commit 4b7d7e0 into hiero-ledger:main Dec 31, 2025
17 of 18 checks passed

Development

Successfully merging this pull request may close these issues.

[Good First Issue]: Replace action with correct package

2 participants