Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/check-commit-format.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the commit SHA for actions/checkout v7.0.0?

💡 Result:

The commit SHA for actions/checkout v7.0.0 is 9c091bb [1]. While the release preparation pull request (#2464) was associated with commit ee538cb [2][3], the tag v7.0.0 points to 9c091bb [1].

Citations:


🏁 Script executed:

cat -n .github/workflows/check-commit-format.yml

Repository: openshift-online/ocm-common

Length of output: 1339


🌐 Web query:

actions/checkout v7.0.0 commit SHA github releases

💡 Result:

The version v7.0.0 of the actions/checkout GitHub Action was officially released on June 18, 2026 [1]. The commit SHA for this release is 1044a6dea927916f2c38ba5aeffbc0a847b1221a [2][3]. Key updates in the v7.0.0 release include: - A security fix to block checking out fork pull requests for pull_request_target and workflow_run events [1][4]. - A transition of the module to ESM (ECMAScript modules) and an update of its dependencies [1][4]. - Various dependency bumps, including updates to address security vulnerabilities [1][2]. - Documentation and README updates to reflect the new major version [2]. You can verify these details directly on the official actions/checkout release page [1][5].

Citations:


Pin the actions/checkout action to a full commit SHA instead of a tag.

The actions/checkout@v7 reference uses a tag instead of a full commit SHA. This violates the CI/CD security requirement to pin all actions by hash, preventing supply-chain attacks via tag reuse or unexpected updates.

Replace with the full SHA for v7.0.0:

Diff
- uses: actions/checkout@v7
+ uses: actions/checkout@1044a6dea927916f2c38ba5aeffbc0a847b1221a
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/checkout@v7
uses: actions/checkout@1044a6dea927916f2c38ba5aeffbc0a847b1221a
🧰 Tools
🪛 zizmor (1.25.2)

[error] 14-14: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/check-commit-format.yml at line 14, The actions/checkout
action reference in the workflow file is currently pinned to a tag (v7) instead
of a full commit SHA, which creates a security vulnerability. Replace the `uses:
actions/checkout@v7` line with the full commit SHA for v7.0.0 by changing the
tag reference to the complete commit hash of that version. This ensures the
workflow uses an immutable reference and prevents potential supply-chain attacks
through tag reuse or unexpected updates.

Source: Coding guidelines

with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.ref }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/check-pull-request.yml
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ jobs:
runs-on: ${{ matrix.platform }}
steps:
- name: Checkout the source
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the commit SHA for actions/checkout v7.0.0?

💡 Result:

The commit SHA for actions/checkout version 7.0.0 is 9c091bb [1]. This version was released on June 18, 2026 [2].

Citations:


🏁 Script executed:

cat -n .github/workflows/check-pull-request.yml

Repository: openshift-online/ocm-common

Length of output: 2652


All GitHub actions in this workflow must be pinned to full commit SHAs, not tags.

The file contains six unpinned action references that violate the CI/CD security requirement:

  • Line 41: actions/checkout@v7
  • Line 43: actions/setup-go@v6
  • Line 47: actions/cache@v3
  • Line 67: actions/checkout@v7
  • Line 69: actions/setup-go@v6
  • Line 76: golangci/golangci-lint-action@v6

Replace all tag references with full commit SHAs. For example, actions/checkout@v7 should be pinned to actions/checkout@9c091bb (v7.0.0).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 40-41: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 41-41: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/check-pull-request.yml at line 41, Replace all GitHub
action references in the check-pull-request.yml workflow file from tag-based
versions to full commit SHA pinning. The actions that need to be updated are:
actions/checkout@v7 (appears on lines 41 and 67), actions/setup-go@v6 (appears
on lines 43 and 69), actions/cache@v3 (line 47), and
golangci/golangci-lint-action@v6 (line 76). For each action, replace the tag
reference with the corresponding full commit SHA. For example, change
actions/checkout@v7 to actions/checkout@9c091bb (or the appropriate SHA for each
action's version). This ensures the workflow adheres to CI/CD security best
practices by using immutable commit references instead of mutable tags.

Source: Coding guidelines

- name: Setup Go
uses: actions/setup-go@v6
with:
Expand All @@ -64,7 +64,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the source
uses: actions/checkout@v6
uses: actions/checkout@v7
- name: Setup Go
uses: actions/setup-go@v6
with:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/publish-release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What is the commit SHA for actions/checkout v7.0.0?

💡 Result:

The commit SHA for actions/checkout v7.0.0 is 9c091bb1645e77d0186596160166d488e001999a [1]. It is associated with the release tag v7.0.0, which was published on June 18, 2026 [2][1].

Citations:


🏁 Script executed:

cat -n .github/workflows/publish-release.yml | head -30

Repository: openshift-online/ocm-common

Length of output: 771


Pin actions/checkout to full commit SHA instead of tag.

The actions/checkout@v7 reference at line 18 uses a version tag instead of a full commit SHA. Replace with the commit SHA 9c091bb1645e77d0186596160166d488e001999a (v7.0.0):

uses: actions/checkout@9c091bb1645e77d0186596160166d488e001999a
🧰 Tools
🪛 zizmor (1.25.2)

[error] 18-18: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-release.yml at line 18, Replace the
`actions/checkout@v7` reference with the full commit SHA to enhance workflow
security. Change the uses statement from `actions/checkout@v7` to `uses:
actions/checkout@9c091bb1645e77d0186596160166d488e001999a` which corresponds to
version 7.0.0. This pins the action to a specific immutable commit instead of a
mutable version tag.

Source: Coding guidelines

with:
fetch-depth: 0
-
Expand Down
Loading