chore(ci): modernize and harden CI workflows #209
Kusari Analysis Results: Caution, flagged issues detected

The dependency analysis found no issues. However, the code analysis identified 7 high-severity findings across 4 GitHub Actions workflow files where actions are referenced using mutable version tags (e.g., @v6) instead of immutable commit SHA hashes. This is a confirmed supply chain security risk: if any of these tags are moved or compromised by a malicious actor, the workflows will silently execute arbitrary code. The risk is significantly elevated because several of these workflows operate with elevated permissions (contents: write, pull-requests: write), meaning a compromised action could push malicious code to the repository or open fraudulent pull requests.

Action items to resolve: Pin all GitHub Actions references to their full-length commit SHAs (e.g., actions/checkout@<full-sha> instead of actions/checkout@v6) in all 4 affected workflow files: discover-cncf-repos.yml, sync-cncf-projects.yml, sync-pcc-and-audit-statuses.yml, and update_mailing_list.yml.

Note: View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/setup-python@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
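A small checker for the pinning policy this analysis describes, added here as an example (it is not the PR's or the repository's code): it reads raw workflow text, classifies each `uses:` ref as an immutable 40-hex commit SHA or a mutable tag/branch, flags pinned SHAs that lack a `# vN` version comment, and can optionally honour the first-party `actions/*` exception the author invokes further down in this thread. The sample workflow is constructed; the upload-artifact SHA and the `main` ref in it are placeholders.

```python
"""Audit GitHub Actions `uses:` refs for SHA pinning (added example, not repo code)."""
import re

# `uses: owner/repo[/path]@ref`, optionally followed by a `# vN` version comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$",
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(text: str, allow_first_party_tags: bool = False) -> list[dict]:
    """Return one finding per `uses:` line in raw workflow text.

    Only a 40-hex commit SHA is immutable; tags and branches can be moved.
    With allow_first_party_tags=True, `actions/*` may use a version tag (the
    exception the PR author states in this thread). A SHA without a `# vN`
    comment is flagged too: the comment is how reviewers see which version it is.
    """
    findings = []
    for m in USES_RE.finditer(text):
        pinned = bool(FULL_SHA_RE.match(m["ref"]))
        first_party = m["action"].startswith("actions/")
        findings.append({
            "action": m["action"],
            "ref": m["ref"],
            "pinned": pinned,
            "ok": pinned or (allow_first_party_tags and first_party),
            "missing_version_comment": pinned and m["comment"] is None,
        })
    return findings


def violations(text: str, allow_first_party_tags: bool = False) -> list[str]:
    """The `owner/repo@ref` strings that fail the pinning policy."""
    return [f"{f['action']}@{f['ref']}"
            for f in audit_uses(text, allow_first_party_tags) if not f["ok"]]


# Constructed sample modelled on this PR's hunks; upload-artifact SHA and `main` are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  sync:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: rtCamp/action-slack-notify@main
"""
```

Run `violations(SAMPLE_WORKFLOW)` for the strict policy and `violations(SAMPLE_WORKFLOW, allow_first_party_tags=True)` for the author's stated exception; the first reports the checkout tag and the slack-notify branch, the second only the third-party branch.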
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| uses: actions/checkout@v6 |
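Review bot: the `uses:` change in this hunk replaces a full-length commit SHA (`actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd`) with the mutable tag `actions/checkout@v6`, which weakens the pin the old line already had: a tag can be moved to point at different code, the SHA cannot. If the motivation is easier upgrades, keep the SHA and record the version in a trailing comment, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6`; Dependabot's github-actions updater maintains SHA pins and that comment as well, so version bumps still arrive without giving up immutability.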
actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| - name: Setup Go | ||
| uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 | ||
| uses: actions/setup-go@v6 |
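Review bot: this hunk replaces the pinned `actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5` with the floating `actions/setup-go@v6`, while the PR description says setup-go is being pinned to a SHA in reusable-generate-sbom; the repository now applies two different policies to the same action. Pick one and apply it everywhere, preferably the SHA with a `# v6` comment so reviewers can still read the version.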
actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| uses: actions/checkout@v6 |
actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| - name: Setup Go | ||
| uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 | ||
| uses: actions/setup-go@v6 |
actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| uses: actions/checkout@v6 |
actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 |
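Review bot: both sides of this hunk are floating major tags (`actions/setup-python@v5` to `@v6`), so the step still resolves to whatever the tag points at on each run; since the line is being touched anyway, this is the natural moment to pin it to the v6 release SHA with a `# v6` comment. A major bump can also change an action's defaults, so please link the passing run that the test plan's "test-landscape-guard workflow passes with updated action versions" item refers to.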
actions/setup-python@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| remind: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: "Guard: only run on 4th Thursday" |
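Review bot: removing the `Guard: only run on 4th Thursday` step means the fourth-Thursday constraint is now enforced only by the workflow's `cron:` expression, which this hunk does not show. Unless that expression has been changed to reproduce the constraint, the remind job will now run on every scheduled trigger; either keep the guard or quote the `on.schedule` block in the PR and document why the looser schedule is acceptable.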
Were you removing this because in CRON you trust?
Yup. Was this because something went bad?
Sorry @cblecker, can you rebase and I'll review this week? 👼
Branch force-pushed from 471851e to b925526.
Paths pointed to a developer's local Windows machine instead of repo-relative paths, causing the syntax check to always fail.

Assisted-by: Claude:claude-sonnet-4-6[1m]
Signed-off-by: Christoph Blecker <admin@toph.ca>
Update actions/checkout from v4 to v6 and actions/setup-python from v5 to v6 in test-landscape-guard, pin actions/setup-go and actions/upload-artifact to SHAs in reusable-generate-sbom, add missing version comments to already-pinned checkout SHAs, and add persist-credentials: false to all checkout steps.

Assisted-by: Claude:claude-sonnet-4-6[1m]
Signed-off-by: Christoph Blecker <admin@toph.ca>
Branch force-pushed from b925526 to 9537d53.
@jeefy ready for review
Summary

- `syntax_check.py` that caused the syntax check to always fail
- `actions/checkout` v4 → v6 and `actions/setup-python` v5 → v6 in test-landscape-guard; pin `actions/setup-go` and `actions/upload-artifact` to SHAs in reusable-generate-sbom; add missing version comments to already-pinned SHAs; add `persist-credentials: false` to all checkout steps
- `permissions: contents: none` to the glossary slack notifier, pin `rtCamp/action-slack-notify` to SHA

Test plan

- `tests/syntax_check.py` runs without path errors
- `test-landscape-guard` workflow passes with updated action versions
- `reusable-generate-sbom` workflow generates SBOMs correctly
- (`sync-pcc-and-audit-statuses`, `sync-lfx-insights-health`, `landscape-data-content-auditor`) function as before
- `update_mailing_list` workflow succeeds