ci: SHA-pin GitHub Actions + pinact gate, Dependabot, .pinact.yml (#144) #51
Walkthrough: This PR implements organization-wide GitHub Actions SHA pinning by introducing Dependabot configuration for automated dependency updates, pinact verification to enforce pinning rules, and pinning all individual GitHub Actions and reusable workflow references to specific commit SHAs across the workflow suite.
Changes: GitHub Actions Pinning and Verification
Estimated code review effort: 2 (Simple), ~12 minutes
Pre-merge checks: 5 passed
Secret Leak Check: OK. No secrets detected in this PR's diff.
Adopts the org GitHub Actions pinning standard (geolonia-operations#144, epic geolonia-operations#142).
- SHA-pin every action with a version comment via pinact.
- .pinact.yml: canonical config (min_age 7 days/always; geolonia/* exempt from the cooldown since we author our own releases).
- .github/dependabot.yml: github-actions weekly, cooldown 8 (one over the 7-day min_age), groups minor/patch into one PR (majors + security individual).
- .github/workflows/pinact-check.yml: per-PR Action Pinning Check calling the geolonia/.github reusable at v1.
62a3f45 to 7ec3e91
Secret Leak Check: OK. No secrets detected in this PR's diff.
@coderabbitai full review |
✅ Action performed: Full review finished.
Actionable comments posted: 1
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/reusable-sync-team-access.yml (1)
84-90: ⚠️ Potential issue | 🟠 Major: Explicitly scope the GitHub App token permissions for the dispatch token.
actions/create-github-app-token@v3.2.0 in .github/workflows/reusable-sync-team-access.yml scopes only owner/repositories; there are no permission-* inputs in the actions/create-github-app-token usages under .github/workflows, so the minted token can inherit broader installation permissions than needed. Add only the minimal permission-* scope(s) required for the subsequent repository dispatch call.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/reusable-sync-team-access.yml around lines 84 - 90, the workflow currently uses actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 to mint a token (see the step that passes repositories: ${{ steps.target.outputs.repo_name }}) but does not set any permission-* inputs, so the token may inherit overly-broad installation permissions; update that create-github-app-token step to include explicit minimal permission-* inputs required by the later repository_dispatch call (identify the repository_dispatch step that targets ${{ steps.target.outputs.repo_name }} and add only the corresponding permission-* keys with least privilege), ensuring you reference the same action usage (actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1) and preserve client-id, private-key, repositories, owner inputs.
Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/reusable-release-auto-on-tag.yml:
- Around line 125-128: The GitHub App token created by actions/create-github-app-token is not scoped and inherits all installation permissions; restrict it to least privilege by adding the permissions input and set contents: write so the token only allows pushing tags. Update the step that uses actions/create-github-app-token@... (the one with inputs client-id and private-key) to include a permissions mapping with permission-contents: write (i.e., the permissions: contents: write equivalent) so the token cannot use broader installation rights.
ℹ️ Review info
Configuration used: .coderabbit.yaml; review profile: ASSERTIVE; plan: Pro; run ID: 13ef1b76-956a-48ae-bd21-8fd64bc96de7
📒 Files selected for processing (14)
- .github/dependabot.yml
- .github/workflows/pinact-check.yml
- .github/workflows/publish-techdocs.yml
- .github/workflows/release-auto-on-tag.yml
- .github/workflows/reusable-backstage-techdocs.yml
- .github/workflows/reusable-bumblebee-scan.yml
- .github/workflows/reusable-cdk-deploy-monitor.yml
- .github/workflows/reusable-pinact-check.yml
- .github/workflows/reusable-release-auto-on-tag.yml
- .github/workflows/reusable-secret-leak-check.yml
- .github/workflows/reusable-sync-team-access.yml
- .github/workflows/secret-leak-check.yml
- .pinact.yml
- pinact/.pinact.yml
Adopts the org GitHub Actions pinning standard (geolonia-operations#144, epic geolonia-operations#142). Follows the merged pilot (geolonia-infra-cdk).
What changed
- SHA-pin every action (with a # vX.Y.Z comment) via pinact v4.
- .pinact.yml (canonical, copied from geolonia/.github): min_age 7 days/always, two-space separator, and a rule exempting geolonia/* from the cooldown (we author our own releases).
- .github/dependabot.yml: github-actions weekly, cooldown: 8 (one day over the 7-day min_age so Dependabot PRs always clear the pinact gate on arrival), groups batching minor/patch into one PR (majors + security stay individual).
- .github/workflows/pinact-check.yml: per-PR Action Pinning Check calling geolonia/.github/.github/workflows/reusable-pinact-check.yml@v1.
Verification
pinact run --verify --verify-min-age passes locally. The new Action Pinning Check job validates this in CI.
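The two rules this PR and its review turn on, the SHA-pin + version-comment + min-age policy from the description above and the unscoped create-github-app-token finding from the CodeRabbit review, as one added example. This is illustrative code written for this page, not pinact and not anything in the geolonia repositories: a small line-based linter that runs over a constructed weak workflow and its hardened form. Assumptions: the regexes, the placeholder SHAs and commit dates (constructed, where a real checker would query GitHub's commits API), the exempt-owner set mirroring the geolonia/* cooldown rule, and that permission-contents: write (the scope the review's inline comment names) is the only permission the minted token's later step needs.

```python
import re
from datetime import date

MIN_AGE_DAYS = 7                     # the .pinact.yml min_age the PR adopts
EXEMPT_OWNERS = {"geolonia"}         # exempt from the cooldown only, not from pinning
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v\d+(\.\d+){0,2}$")
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*(\S+)(?:[ \t]+#[ \t]*(\S+))?", re.M)
STEP_SPLIT_RE = re.compile(r"\n(?=[ \t]*-[ \t]+(?:name|uses|id|run):)")
WITH_KEY_RE = re.compile(r"^[ \t]+([\w-]+):", re.M)

# Constructed placeholder SHAs and commit dates (assumption: a real checker
# would fetch the dates from the GitHub commits API instead of a table).
OLD, YOUNG, OWN = "a" * 40, "b" * 40, "c" * 40
TODAY = date(2025, 6, 12)
COMMIT_DATES = {
    OLD: date(2025, 1, 1),           # comfortably older than MIN_AGE_DAYS
    YOUNG: date(2025, 6, 10),        # 2 days old: still inside the cooldown
    OWN: date(2025, 6, 11),          # 1 day old, but the owner is exempt
}


def check_uses(line, today=TODAY, commit_dates=COMMIT_DATES):
    """Problems for one `uses:` line; an empty list means it is compliant."""
    m = USES_RE.match(line)
    if not m or m.group(1).startswith(("./", "docker://")):
        return []                    # local actions and images are out of scope here
    target, comment = m.group(1), m.group(2)
    if "@" not in target:
        return [f"{target}: missing @ref"]
    action, ref = target.rsplit("@", 1)
    if not SHA_RE.match(ref):
        return [f"{action}: ref {ref!r} is not a full commit SHA"]
    problems = []
    if comment is None or not VERSION_RE.match(comment):
        problems.append(f"{action}: SHA pin lacks a # vX.Y.Z version comment")
    if action.split("/", 1)[0] not in EXEMPT_OWNERS:
        committed = commit_dates.get(ref)   # unknown age fails closed
        if committed is None or (today - committed).days < MIN_AGE_DAYS:
            problems.append(f"{action}: commit {ref[:7]} is younger than "
                            f"{MIN_AGE_DAYS} days or of unknown age")
    return problems


def check_app_token_step(step_text):
    """Flag a create-github-app-token step whose `with:` sets no permission-* input."""
    m = USES_RE.search(step_text)
    if not m or not m.group(1).startswith("actions/create-github-app-token@"):
        return []
    with_idx = step_text.find("with:")
    keys = WITH_KEY_RE.findall(step_text[with_idx:]) if with_idx >= 0 else []
    if any(k.startswith("permission-") for k in keys):
        return []
    return ["actions/create-github-app-token: no permission-* input, "
            "token inherits every installation permission"]


def lint_workflow(text, today=TODAY, commit_dates=COMMIT_DATES):
    """Run both checks over one workflow file's text and return every problem."""
    problems = []
    for line in text.splitlines():
        problems.extend(check_uses(line, today, commit_dates))
    for step in STEP_SPLIT_RE.split(text):
        problems.extend(check_app_token_step(step))
    return problems


# Constructed workflow: every step below breaks one rule except the geolonia one.
WEAK_WORKFLOW = """\
jobs:
  dispatch:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@%(young)s   # v4.4.0
      - uses: actions/cache@%(old)s
      - uses: geolonia/example-action@%(own)s   # v1.0.0
      - name: Mint app token
        uses: actions/create-github-app-token@%(old)s   # v3.2.0
        with:
          client-id: ${{ secrets.APP_CLIENT_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
          owner: example-org
          repositories: example-repo
""" % {"old": OLD, "young": YOUNG, "own": OWN}

# The same workflow after the fixes the page calls for: aged SHAs with version
# comments, and the app token scoped to the one permission the job needs.
HARDENED_WORKFLOW = (
    WEAK_WORKFLOW
    .replace("actions/checkout@v4", "actions/checkout@%s   # v4.2.2" % OLD)
    .replace("actions/setup-node@%s" % YOUNG, "actions/setup-node@%s" % OLD)
    .replace("actions/cache@%s" % OLD, "actions/cache@%s   # v4.2.3" % OLD)
    .replace("          repositories: example-repo\n",
             "          repositories: example-repo\n"
             "          permission-contents: write\n")
)

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, lint_workflow(wf) or "OK")
```

The weak workflow yields four findings (an unpinned tag, a SHA inside the cooldown, a SHA without its version comment, and the unscoped app token); the geolonia step passes because the exemption covers the cooldown only, its SHA and comment are still required. The hardened workflow yields none. An unknown commit date is treated as too young on purpose: a pin whose age cannot be established should block the merge rather than slip through.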