43 changes: 43 additions & 0 deletions .github/workflows/gh-ci-fix-command.yml
@@ -0,0 +1,43 @@
name: On-Demand GitHub Actions Pin Fix

on:
workflow_dispatch:
inputs:
pr:
description: 'PR Number'
type: string
required: true
comment-id:
description: 'Comment ID (Optional)'
type: string
required: false

permissions:
contents: write
workflows: write

🚫 [actionlint] reported by reviewdog 🐶
unknown permission scope "workflows". all available permission scopes are "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses" [permissions]

pull-requests: write
Comment on lines +15 to +18

⚠️ Potential issue | 🟠 Major

Invalid permission scope prevents workflow linting
workflows: write isn’t a recognized permission (actionlint is already failing this). Could we drop or replace it with a valid scope (likely just rely on contents: write) so the workflow passes lint and can run, wdyt?

🤖 Prompt for AI Agents
.github/workflows/gh-ci-fix-command.yml lines 15-18: the permissions block
contains an invalid scope "workflows: write" which causes actionlint to fail;
remove the "workflows: write" entry (or replace it with a valid permission if
you explicitly need one) and keep "contents: write" (and "pull-requests: write"
if required) so the YAML is valid and the workflow lints and runs.


env:
AIRBYTE_ANALYTICS_ID: ${{ vars.AIRBYTE_ANALYTICS_ID }}

jobs:
gh-ci-fix:
name: Pin GitHub Actions
runs-on: ubuntu-latest
steps:
- name: Authenticate as GitHub App
uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
id: get-app-token
with:
owner: "airbytehq"
repositories: "PyAirbyte"
app-id: ${{ secrets.OCTAVIA_BOT_APP_ID }}
private-key: ${{ secrets.OCTAVIA_BOT_PRIVATE_KEY }}

- name: Run Poe Command
uses: aaronsteers/poe-command-processor@04330aa7047b6b182ff280a962cbbcd99d6eb683 # v1.3.0
with:
command: "gh-ci-fix"
github-token: ${{ steps.get-app-token.outputs.token }}
pr: ${{ github.event.inputs.pr }}
comment-id: ${{ github.event.inputs.comment-id }}
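Review bot: `workflows: write` in the `permissions:` block is not a valid scope for a workflow's `permissions:` key (actionlint already flags it in the comment above), and the rest of the block looks wider than the job needs. The only step that talks to GitHub, `Run Poe Command`, authenticates with the App token from `steps.get-app-token.outputs.token`, not with `GITHUB_TOKEN`, so the default token may not need `contents: write` or `pull-requests: write` at all. Suggest removing `workflows: write` and cutting the block down to whatever `poe-command-processor` actually requires of `GITHUB_TOKEN` (possibly nothing beyond `contents: read`), leaving the write capability with the App installation, where it is granted and audited in one place. A one-line comment in the file explaining why the App token is used (the default token cannot push changes to files under `.github/workflows/`, and "Workflows" is an App installation permission rather than a workflow-level scope) would stop the next reader from re-adding this line.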
1 change: 1 addition & 0 deletions .github/workflows/slash_command_dispatch.yml
Expand Up @@ -34,6 +34,7 @@ jobs:
fix-pr
test-pr
poetry-lock
gh-ci-fix
static-args: |
pr=${{ github.event.issue.number }}
comment-id=${{ github.event.comment.id }}
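Review bot: adding `gh-ci-fix` to `commands` lets anyone who can issue a slash command on a PR dispatch a workflow that commits to the PR branch with the App token, and this hunk shows only the command list, so please confirm the dispatch step restricts commands to users with write permission on the repository (that setting is outside the visible lines) before merging. The existing `static-args` block already forwards `pr` and `comment-id`, which matches the two inputs declared by the new `gh-ci-fix-command.yml`, so no further arguments are needed for the new command.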
51 changes: 51 additions & 0 deletions .github/workflows/validate-pinned-actions.yml
@@ -0,0 +1,51 @@
name: Validate Pinned Actions

on:
pull_request:
paths:
- '.github/workflows/**'
- '**/action.yml'
- '**/action.yaml'

permissions:
contents: read
pull-requests: write

jobs:
validate-pinned-actions:
name: Validate Actions are SHA-pinned
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0

- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
with:
python-version: '3.10'

- name: Set up Poetry
uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9
with:
poetry-version: "2.2.0"

- name: Install dependencies
run: poetry install

- name: Install pinact CLI
run: |
go install github.com/suzuki-shunsuke/pinact/cmd/pinact@latest

- name: Validate all actions are pinned
run: |
if ! poetry run poe gh-ci-check; then
echo "❌ Some GitHub Actions are not pinned to SHA hashes!"
echo ""
echo "To fix this, use the slash command '/gh-ci-fix' on this PR."
echo ""
echo "Or run locally:"
echo " poetry run poe gh-ci-fix"
exit 1
else
echo "✅ All GitHub Actions are properly pinned to SHA hashes."
fi
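Review bot: `pull-requests: write` is granted but no step in `validate-pinned-actions` writes to the PR (the job only runs `poe gh-ci-check` and echoes a message), so it should be dropped, leaving `contents: read`. In the same spirit, `go install github.com/suzuki-shunsuke/pinact/cmd/pinact@latest` installs an unpinned tool version inside the workflow whose whole purpose is to enforce pinning; pin it to a specific release tag (`@v<version>`, placeholder) so the check is reproducible and a new pinact release cannot change the outcome silently. The `Set up Poetry` and `poetry install` steps also seem heavier than the job needs: the check only calls the pinact binary, so running `pinact run --check` directly would avoid installing the whole project on every workflow-file PR.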
15 changes: 15 additions & 0 deletions docs/CONTRIBUTING.md
Expand Up @@ -72,6 +72,21 @@ This repo uses a policy of SHA-pinning GitHub Actions, for hardened security.
To pin your GitHub actions, you can use the [pinact](https://github.com/suzuki-shunsuke/pinact) tool:

```bash
# Install pinact CLI tool
go install github.com/suzuki-shunsuke/pinact/cmd/pinact@latest

# Pin all GitHub Actions in workflow files
pinact run

# Pin actions in a specific file
pinact run .github/workflows/python_lint.yml

# Check if actions are pinned (dry-run)
pinact run --dry-run
```

You can also use the `/gh-ci-fix` slash command on pull requests to automatically pin actions.

# Convert from from fixed version to sha
# Example: actions/checkout@v4 -> actions/checkout@08e... # v4.3.0
pinact run [optional_file]
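Review bot: the three lines at the end of the hunk (`# Convert from from fixed version to sha`, the `# Example: ...` comment and `pinact run [optional_file]`) now duplicate the new fenced example and sit after the closing fence and the prose sentence, so they will render as a bare Markdown heading and stray text rather than as code; fold them into the new block or delete them (and fix the `from from` typo if they stay). Also, the new snippet documents `pinact run --dry-run` as the way to check without changing files, while `pyproject.toml` in this same PR defines `gh-ci-check` as `pinact run --check`; the doc and the task should use the same flag so contributors get the same behaviour locally and in CI.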
5 changes: 5 additions & 0 deletions pyproject.toml
Expand Up @@ -199,6 +199,11 @@ fix = { shell = "ruff format . && ruff check --fix -s || ruff format ." }
fix-unsafe = { shell = "ruff format . && ruff check --fix --unsafe-fixes . && ruff format ." }
fix-and-check = { shell = "poe fix && poe check" }

# GitHub Actions CI tasks
install = { shell = "poetry install" }
gh-ci-check = { shell = "$HOME/go/bin/pinact run --check", help = "Check if GitHub Actions are pinned to SHA hashes" }
gh-ci-fix = { shell = "$HOME/go/bin/pinact run", help = "Pin GitHub Actions to their SHA hashes" }

Comment on lines +202 to +206

⚠️ Potential issue | 🟠 Major

Hard-coded $HOME path breaks on Windows runners
These Poe tasks invoke $HOME/go/bin/pinact, but on Windows cmd won’t expand $HOME, so poe gh-ci-check/gh-ci-fix will fail for contributors on that platform. Could we switch to a PATH-based invocation (e.g., cmd = "pinact run --check" / cmd = "pinact run") so it works cross-platform, wdyt?

🤖 Prompt for AI Agents
In pyproject.toml around lines 202-206 the poe tasks hard-code
$HOME/go/bin/pinact which won’t expand on Windows; replace the shell invocations
that use the $HOME path with PATH-based invocations (e.g., use cmd = "pinact run
--check" for gh-ci-check and cmd = "pinact run" for gh-ci-fix, or set shell to
simply "pinact run..." without $HOME) so the tasks run cross-platform; ensure
the task definitions no longer reference $HOME and rely on pinact being
available on PATH.

# MCP Server Tasks
mcp-serve-local = { cmd = "poetry run airbyte-mcp", help = "Start the MCP server with STDIO transport" }
mcp-serve-http = { cmd = "poetry run python -c \"from airbyte.mcp.server import app; app.run(transport='http', host='127.0.0.1', port=8000)\"", help = "Start the MCP server with HTTP transport" }
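Review bot: besides the `$HOME` path issue raised above, `install = { shell = "poetry install" }` looks out of place in the Poe task table: it presupposes poethepoet is already available (normally via `poetry run poe install`, i.e. from inside an environment that is already installed), so it mostly re-runs what contributors have just done, and unlike the two `gh-ci-*` tasks it carries no `help` string. Suggest dropping it or giving it a `help` entry that states what it is for. The `gh-ci-check` / `gh-ci-fix` pairing itself reads well, and once `pinact` is invoked from `PATH` the same two task definitions can serve both local use and the `validate-pinned-actions` workflow.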