
Disable Greptile SHA pinning rule#2076

Merged
charlesbluca merged 2 commits into
NVIDIA:mainfrom
charlesbluca:codex/disable-greptile-gha-sha-pinning
May 21, 2026

Conversation

@charlesbluca (Collaborator)

Summary

  • Split the bundled Greptile github-actions-security rule into separate GitHub Actions security checks.
  • Disabled only the third-party action SHA pinning rule with enabled: false.
  • Kept the permissions, secret logging, unsafe pull_request_target, and secret exfiltration review rules enabled.

Why

Greptile was flagging workflow actions that are pinned to version tags even though the repo does not consistently enforce full-SHA pinning today. Splitting the compound rule lets us disable that sentence locally while preserving the other workflow security checks.

Validation

  • jq empty .greptile/config.json
  • git diff --check -- .greptile/config.json

@charlesbluca charlesbluca changed the title [codex] Disable Greptile SHA pinning rule Disable Greptile SHA pinning rule May 20, 2026
@charlesbluca charlesbluca marked this pull request as ready for review May 20, 2026 21:09
@charlesbluca charlesbluca requested review from a team as code owners May 20, 2026 21:09
@charlesbluca charlesbluca requested a review from drobison00 May 20, 2026 21:09
@greptile-apps (Contributor)

greptile-apps Bot commented May 20, 2026

Greptile Summary

This PR splits a single bundled Greptile github-actions-security rule into five focused rules so that the SHA-pinning check can be toggled independently. The SHA-pinning rule is disabled with "enabled": false — a field explicitly supported in the .greptile/ config schema — while the four remaining workflow security rules (permissions, secret echoing, pull_request_target injection, and secret exfiltration review) stay active.

  • Rule decomposition: The original monolithic rule is replaced by github-actions-pin-third-party-actions, github-actions-permissions, github-actions-no-secret-echo, github-actions-no-pr-target-checkout, and github-actions-secret-exfiltration-review — each with identical scope globs and "severity": "high".
  • Targeted disable: Only github-actions-pin-third-party-actions carries "enabled": false; the other four rules are unconditionally active, preserving the security coverage that matters most.
  • Schema validity: The Greptile docs confirm enabled is a first-class optional boolean field on rule objects (default true), so this is the correct mechanism to use rather than the top-level disabledRules array.

Confidence Score: 5/5

Safe to merge — the change only touches the Greptile reviewer config and has no effect on production code or runtime behavior.

The edit is purely additive: one compound rule is split into five focused rules, and only the SHA-pinning check is turned off. The remaining four GitHub Actions security rules are unchanged and still active. The "enabled": false field is documented by Greptile as the correct per-rule toggle, and jq empty confirms the JSON is well-formed.

No files require special attention.

Important Files Changed

Filename: .greptile/config.json
Overview: Splits the compound github-actions-security rule into 5 discrete rules and disables only the SHA-pinning check via "enabled": false, which is a supported field in the Greptile config schema.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR touches .github/workflows/**] --> B{Rule check}
    B --> C[github-actions-pin-third-party-actions\n❌ DISABLED]
    B --> D[github-actions-permissions\n✅ enabled]
    B --> E[github-actions-no-secret-echo\n✅ enabled]
    B --> F[github-actions-no-pr-target-checkout\n✅ enabled]
    B --> G[github-actions-secret-exfiltration-review\n✅ enabled]

    style C fill:#f5f5f5,stroke:#aaa,color:#999
    style D fill:#e6f4ea,stroke:#34a853
    style E fill:#e6f4ea,stroke:#34a853
    style F fill:#e6f4ea,stroke:#34a853
    style G fill:#e6f4ea,stroke:#34a853

Reviews (2): Last reviewed commit: "Merge branch 'main' into codex/disable-g..."
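The PR's validation stops at `jq empty` (well-formed JSON) and `git diff --check`. A reviewer of a change like this usually also wants to confirm the intent the description and the bot summary state: the five rule names are all present, exactly one of them is off, it is the SHA-pinning one, and nothing else (including the top-level disabledRules array the bot mentions as the alternative mechanism) silently switches off one of the four security checks that are meant to stay active. The script below is an added example, not code from the PR or from Greptile. It builds a constructed sample config in the shape the comments describe; the top-level "rules" array, the "name" key and the "scope" list are assumptions about the file layout, while "enabled", "severity": "high" and disabledRules are the fields the page names.

```python
import json

# Rule names as listed in the PR, in file order. The config layout around them
# (a top-level "rules" array, a "name" key, a "scope" glob list) is an
# assumption made for this example; "enabled", "severity" and the top-level
# "disabledRules" array are the fields the review comment names.
RULE_NAMES = [
    "github-actions-pin-third-party-actions",
    "github-actions-permissions",
    "github-actions-no-secret-echo",
    "github-actions-no-pr-target-checkout",
    "github-actions-secret-exfiltration-review",
]
SHA_PIN_RULE = RULE_NAMES[0]


def build_config(disabled=(SHA_PIN_RULE,), top_level_disabled=()):
    """Construct a sample config text (constructed data, not the real file)."""
    rules = []
    for name in RULE_NAMES:
        rule = {"name": name, "severity": "high", "scope": [".github/workflows/**"]}
        if name in disabled:
            rule["enabled"] = False  # the per-rule toggle the PR uses
        rules.append(rule)
    cfg = {"rules": rules}
    if top_level_disabled:
        cfg["disabledRules"] = list(top_level_disabled)  # the other mechanism
    return json.dumps(cfg, indent=2)


def effective_disabled(cfg):
    """Names switched off either per-rule ("enabled": false) or via disabledRules.

    Only a boolean False counts: a string "false" would leave the rule active,
    so it is reported separately by check_rule_set as a type error.
    """
    off = {r.get("name") for r in cfg.get("rules", []) if r.get("enabled", True) is False}
    off.update(cfg.get("disabledRules", []))
    return off


def check_rule_set(text, expected_disabled=frozenset({SHA_PIN_RULE})):
    """Return a list of problems; an empty list means the split matches intent."""
    try:
        cfg = json.loads(text)  # same well-formedness check as `jq empty`
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    rules = cfg.get("rules")
    if not isinstance(rules, list):
        return ["expected a top-level 'rules' array"]

    problems = []
    present = {r.get("name") for r in rules}
    for name in RULE_NAMES:
        if name not in present:
            problems.append(f"missing rule {name}")
    for r in rules:
        if r.get("name") in RULE_NAMES and r.get("severity") != "high":
            problems.append(f"{r.get('name')} should keep severity high")
        if "enabled" in r and not isinstance(r["enabled"], bool):
            problems.append(f"{r.get('name')}: enabled must be a boolean")

    off = effective_disabled(cfg)
    for name in sorted(off - set(expected_disabled)):
        if name in RULE_NAMES:
            problems.append(f"{name} is disabled but should stay active")
    for name in sorted(set(expected_disabled) - off):
        problems.append(f"{name} is still active but should be disabled")
    return problems


if __name__ == "__main__":
    # On a checkout: check_rule_set(open(".greptile/config.json").read())
    for line in check_rule_set(build_config()) or ["ok: only the SHA-pinning rule is disabled"]:
        print(line)
```

Run it against the real file by replacing the constructed text with the contents of .greptile/config.json and adjusting the key names to whatever the file actually uses. The point of `effective_disabled` is that a rule can be off through either mechanism, so a check that looks only at `"enabled": false` would miss a rule name dropped into disabledRules in a later change.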

@charlesbluca charlesbluca merged commit b9c1aad into NVIDIA:main May 21, 2026
7 of 8 checks passed