Skip to content

ci(security): SHA-pin every third-party action to a 40-char commit SHA#320

Merged
Yambr merged 1 commit into
mainfrom
fix/sha-pin-workflow-actions
Jul 1, 2026
Merged

ci(security): SHA-pin every third-party action to a 40-char commit SHA#320
Yambr merged 1 commit into
mainfrom
fix/sha-pin-workflow-actions

Conversation

@Yambr

@Yambr Yambr commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Why

The scheduled SAST — semgrep gate has flagged yaml.github-actions.security.github-actions-mutable-action-tag on every uses: pinned to a movable tag — ~65 of the 69 blocking findings failing the nightly security run since 2026-06-18. security.yml already SHA-pins its own steps and documents the mandatory 40-char-SHA pinning policy (lines ~18-24); the other workflows predate that tightening and were never migrated.

Companion PR #319 clears the trufflehog job and the 4 dependabot-missing-cooldown findings. Together the two PRs return the nightly security run to green.

Changes

Pin-only — every SHA is exactly what the tag resolves to today; no version upgrades. 67 substitutions across 9 workflow files, each with a trailing # vX.Y.Z comment.

Action Pinned SHA Version
actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5 / df4cb1c069e1874edd31b4311f1884172cec0e10 v4.3.1 / v6.0.3
actions/setup-node 49933ea5288caeca8642d1e84afbd3f7d6820020 v4.4.0
actions/setup-python a26af69be951a213d495a4c3e4e4022e16d87065 v5.6.0
actions/stale eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 v10.3.0
azure/setup-helm 1a275c3b69536ee54be43f2070a358922e12c8d4 v4.3.1
docker/build-push-action 53b7df96c91f9c12dcc8a07bcb9ccacbed38856a v7.3.0
docker/login-action c94ce9fb468520275223c153574b00df6fe4bcc9 v3.7.0
docker/metadata-action 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 v6.1.0
docker/setup-buildx-action d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 v4.1.0
github/codeql-action/* dd903d2e4f5405488e5ef1422510ee31c8b32357 v3.36.2
helm/chart-releaser-action cae68fefc6b5f367a0275617c9f83181ba54714f v1.7.0
lycheeverse/lychee-action 8646ba30535128ac92d33dfc9133794bfdd9b411 v2.8.0
softprops/action-gh-release 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 v2.6.2
errata-ai/vale-action d89dee975228ae261d22c15adcd03578634d429c v2.1.1
DavidAnson/markdownlint-cli2-action eb5ca3ab411449c66620fe7f1b3c9e10547144b0 v18.0.0

Verification

  • No movable @vN tag remains in .github/workflows/.
  • All .github/workflows/*.yml parse under PyYAML.

🤖 Generated with Claude Code

The scheduled `SAST — semgrep` gate flags
`github-actions-mutable-action-tag` on every `uses:` pinned to a movable
tag (@v4, @v6, …) — ~65 of the 69 blocking findings that have failed the
nightly `security` run since 2026-06-18. security.yml already SHA-pins
its own steps and documents the mandatory 40-char-SHA pinning policy;
the other workflows predate that tightening.

Resolve each movable tag to the commit it currently points to and pin to
the 40-char SHA with a trailing `# vX.Y.Z` comment. Pin-only — no version
upgrades; every SHA is exactly what the tag resolves to today. 67
substitutions across 9 workflow files. All files parse under PyYAML.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@Yambr, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 35 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 05cd9c3c-4952-4709-b4b5-ece4e1991c6a

📥 Commits

Reviewing files that changed from the base of the PR and between d7c182f and d54e9b7.

📒 Files selected for processing (9)
  • .github/workflows/build.yml
  • .github/workflows/codeql.yml
  • .github/workflows/contracts-lint.yml
  • .github/workflows/docs-lint.yml
  • .github/workflows/helm.yml
  • .github/workflows/identity-lint.yml
  • .github/workflows/release-chart.yml
  • .github/workflows/release.yml
  • .github/workflows/stale.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/sha-pin-workflow-actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@Yambr Yambr merged commit f81aba9 into main Jul 1, 2026
36 checks passed
@Yambr Yambr deleted the fix/sha-pin-workflow-actions branch July 1, 2026 21:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant