Add pinact and zizmor workflow checks #43
Conversation
Pull request overview
Adds automated security/compliance checks for GitHub Actions by introducing Pinact (action pin verification) and Zizmor (workflow linting), and updates existing workflows to use pinned action SHAs.
Changes:
- Add new `pinact` workflow to verify actions are pinned by commit SHA.
- Add new `zizmor` workflow to scan workflows/actions for issues.
- Pin several existing workflow `uses:` references to specific commit SHAs.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/zizmor.yaml | New workflow to run zizmor on workflow/action changes (and on main pushes). |
| .github/workflows/pinact.yaml | New workflow to verify action pinning via pinact. |
| .github/workflows/triage.yaml | Pins actions/add-to-project to a commit SHA. |
| .github/workflows/tests.yaml | Pins multiple actions (checkout, setup-go, terraform setup, lint, codecov, goreleaser, release action). |
| .github/workflows/release.yaml | Pins checkout/setup-go/import-gpg/goreleaser actions. |
| .github/workflows/dependabot-changie.yaml | Pins checkout/fetch-metadata/changie/git-auto-commit actions. |
| # Only run on pull requests from the same repository | ||
| if: github.event.pull_request.head.repo.full_name == github.repository |
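Review bot: The `if:` on this job limits pin verification to pull requests from the same repository, so a pull request from a fork that introduces an unpinned or retagged `uses:` reference is never checked before merge. If the job only reads the checked-out workflow files and needs no repository secrets, drop the `head.repo.full_name` gate and run on every `pull_request` event; if it does need secrets, keep the gate but make sure the post-merge push run actually executes, since that run is then the only check fork changes ever get.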
The workflow is configured to run on push to main, but the only job has an if: that references github.event.pull_request..., which evaluates false on push events. This results in push-triggered runs where the job is skipped (no pin verification happens). Either remove the push trigger, or update the if: to explicitly handle push (e.g., gate only on pull_request when needed).
| # Only run on pull requests from the same repository | |
| if: github.event.pull_request.head.repo.full_name == github.repository | |
| # Run on pushes, and only run on pull requests when they come from the same repository | |
| if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository |
| app-id: ${{ secrets.RD_APP_ID }} | ||
| private-key: ${{ secrets.RD_APP_PRIVATE_KEY }} | ||
| installation-id: ${{ secrets.RD_APP_INSTALLATION_ID }} | ||
| - name: set to project board | ||
| uses: actions/add-to-project@v1.0.2 | ||
| uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 |
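Review bot: The `app-id`, `private-key` and `installation-id` inputs at the top of this hunk pass the GitHub App private key to a step whose `uses:` line is outside the hunk; the review comment identifies that step as `labd/action-gh-app-token@main`. Of all the references in this file, that one most needs a SHA pin: `main` is a mutable branch, so anyone who can push to that action's repository can change the code that receives the private key. Pin it to a full commit SHA with a `# vX.Y.Z` comment in the same style as the `actions/add-to-project` line, which is also what the new pinact job with `verify: true` requires.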
With the new Pinact verification workflow enabled (verify: true), this workflow still references an unpinned action (labd/action-gh-app-token@main). Pinact will fail until this is pinned to a full commit SHA (or explicitly excluded).
Add pinact and zizmor workflow checks to this repository.
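The property the new pinact workflow enforces, every `uses:` reference pinned to a full 40-hex commit SHA and carrying a version comment that pinact's verify mode can check, can be reproduced with a small scanner. The code below is an added example written for this page; it is not the PR's code and not pinact's or zizmor's implementation. The line regex, the `Finding` type and the sample workflow are assumptions made for the example; the sample is constructed from the cases in this PR's hunks (the `actions/add-to-project` SHA is the one shown in the diff, the other SHAs are placeholders).

```python
"""Minimal GitHub Actions `uses:` pin checker (added example, not pinact)."""
import re
from dataclasses import dataclass

# Matches `- uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# This is a hypothetical line scanner, not a full YAML parser.
_USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)
_FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def find_unpinned_uses(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not pinned to a full SHA
    with a version comment. Lines without an `@ref` (local `./` actions) never
    match; `docker://` images are pinned by digest, a separate check, so skip.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = _USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("docker://"):
            continue
        if not _FULL_SHA_RE.fullmatch(ref):
            # A tag or branch is mutable: the action's owner, or anyone who
            # compromises that repository, can change what runs in CI.
            findings.append(
                Finding(lineno, action, ref, f"mutable ref {ref!r}, not a full commit SHA")
            )
        elif not comment:
            # pinact's verify mode compares the SHA against the version in the
            # trailing comment; without it the pin cannot be verified.
            findings.append(Finding(lineno, action, ref, "pinned SHA has no version comment"))
    return findings


# Constructed sample modelled on this PR's hunks; 1111... SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v5.0.0
      - uses: labd/action-gh-app-token@main
      - uses: actions/add-to-project@v1.0.2
      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
      - uses: actions/setup-go@2222222222222222222222222222222222222222
      - uses: ./.github/actions/local-step
"""


def is_fully_pinned(workflow_text: str) -> bool:
    """Convenience wrapper mirroring a CI pass/fail decision."""
    return not find_unpinned_uses(workflow_text)


if __name__ == "__main__":
    for f in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.problem}")
    raise SystemExit(0 if is_fully_pinned(SAMPLE_WORKFLOW) else 1)
```

On the sample the scanner reports three lines: the `@main` branch reference and the `@v1.0.2` tag as mutable refs, and the `setup-go` line as a SHA with no version comment; the SHA-plus-comment lines pass and the local action is ignored. Running it over `.github/workflows/*.yaml` in a pre-commit hook gives a fast local approximation of the pinact job before the PR is opened.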