
Provide GitHub Actions pinning #539

Open

lucperkins wants to merge 2 commits into main from actions-pinning

Conversation

@lucperkins (Member) commented Jun 4, 2026


Summary by CodeRabbit

  • Chores
    • Enabled automated dependency updates for CI workflows on a weekly schedule.
    • Pinned third‑party CI actions to fixed versions to improve build stability and security.
    • Added a new CI workflow to run additional repository checks on pushes and pull requests.
    • Configured automated scanning rules to require pinned references for certain integrations.

@netlify (Bot) commented Jun 4, 2026


Deploy Preview for zero-to-nix ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 4316855 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/zero-to-nix/deploys/6a282b518ecf320008c10292 |
| 😎 Deploy Preview | https://deploy-preview-539--zero-to-nix.netlify.app |

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai (Bot) commented Jun 4, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 98f7f027-cd88-4ce0-b2c0-786d2bb1aff8

📥 Commits

Reviewing files that changed from the base of the PR and between 556191f and 4316855.

📒 Files selected for processing (1)
  • .github/workflows/update-flake-lock.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/update-flake-lock.yml

📝 Walkthrough

Pins third-party GitHub Actions to specific commit SHAs across CI and maintenance workflows; adds Dependabot for weekly action updates and a Zizmor workflow plus config to enforce ref-pinning for DeterminateSystems/*.

Changes

GitHub Actions Supply Chain Hardening

| Layer | File(s) | Summary |
| --- | --- | --- |
| Dependabot configuration for automatic action updates | .github/dependabot.yml | Dependabot v2 is configured to monitor GitHub Actions at the repository root on a weekly schedule, with a 7-day cooldown, an ignore rule for DeterminateSystems/*, and the commit message prefix ci. |
| CI workflow action pinning | .github/workflows/ci.yml | The main CI workflow pins actions/checkout, actions/cache, actions/cache/save, and lycheeverse/lychee-action to specific commit SHAs across the test and build-shells-and-templates jobs; checkout steps set persist-credentials: false. |
| Flake and FlakeHub workflow action pinning | .github/workflows/update-flake-lock.yml, .github/workflows/flakehub-cache.yml, .github/workflows/flakehub-publish-rolling.yml | update-flake-lock pins actions/checkout, DeterminateSystems/determinate-nix-action, and peter-evans/create-pull-request to specific SHAs in its jobs; the flakehub workflows pin actions/checkout to a commit SHA and set persist-credentials: false. |
| Zizmor security scanning workflow and enforcement rules | .github/workflows/zizmor.yml, .github/zizmor.yml | Adds a zizmor workflow (push to main and pull_request) that runs zizmorcore/zizmor-action, and .github/zizmor.yml enforces ref-pin for DeterminateSystems/*. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 I pin the actions, tidy and neat,
Hashes lined up in tidy rows of meat,
Dependabot hums its weekly tune,
Zizmor watches by the light of the moon,
The rabbit hops home — supply chain complete.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Provide GitHub Actions pinning' directly and clearly describes the primary objective of the pull request, which is to pin GitHub Actions to specific commit SHAs across multiple workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

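The walkthrough above describes pinning third-party actions to commit SHAs while handling DeterminateSystems/* under a separate policy. The following is an added example, not code from this PR or from zizmor: it scans workflow text for `uses:` references and applies a simplified, hypothetical policy model (the policy names `hash-pin`/`no-branch`, the sample workflow, and the `zizmorcore/zizmor-action` line without a ref are all constructed for the example).

```python
import fnmatch
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of the workflows this PR touches (not the repo's real file).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: DeterminateSystems/determinate-nix-action@main
      - uses: lycheeverse/lychee-action@v2
      - uses: zizmorcore/zizmor-action
      - uses: ./.github/actions/local-step
"""

# Hypothetical policy names for this example (not zizmor's own semantics):
#   hash-pin  -> ref must be a full 40-hex commit SHA
#   no-branch -> a SHA or a version-looking tag is fine; a branch name such as @main is not
# First matching glob wins, so specific patterns go before the catch-all.
POLICIES = [("DeterminateSystems/*", "no-branch"), ("*", "hash-pin")]

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")  # heuristic: any other non-empty ref is treated as a branch

def ref_kind(ref: Optional[str]) -> str:
    if not ref:
        return "none"
    return "sha" if SHA_RE.match(ref) else "tag" if TAG_RE.match(ref) else "branch"

def policy_for(action: str) -> str:
    return next((p for pat, p in POLICIES if fnmatch.fnmatch(action, pat)), "any")

def check_uses(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, uses spec, reason) for every uses: that violates its policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a uses: line, or a local path / image with no repository ref to pin
        spec = m.group(1)
        action, _, ref = spec.partition("@")
        kind, policy = ref_kind(ref), policy_for(action)
        if policy == "hash-pin" and kind != "sha":
            findings.append((n, spec, f"{policy}: ref is {kind}, expected a commit SHA"))
        elif policy == "no-branch" and kind in ("none", "branch"):
            findings.append((n, spec, f"{policy}: ref is {kind}, expected a tag or SHA"))
    return findings
```

Running `check_uses(SAMPLE_WORKFLOW)` flags the `@main`, `@v2` and ref-less lines and leaves the SHA-pinned checkout and the local action untouched.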

@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coderabbitai (Bot) left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/zizmor.yml (1)

3-26: ⚠️ Potential issue | 🟠 Major

Pin DeterminateSystems/* action refs before merging Zizmor enforcement
.github/zizmor.yml enforces `rules.unpinned-uses.config.policies: DeterminateSystems/*: ref-pin`, but multiple workflows still use unpinned `DeterminateSystems/*@main` (e.g., .github/workflows/ci.yml and other `.github/workflows/*.yml` files). With this on `pull_request`, Zizmor is likely to fail until those `uses:` refs are SHA-pinned or otherwise addressed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/zizmor.yml around lines 3 - 26, Zizmor is configured to
block unpinned action refs via rules.unpinned-uses.config.policies but your
workflows still reference `DeterminateSystems/*@main`; locate all uses: entries
that match DeterminateSystems/* (e.g., in .github/workflows/ci.yml and other
.github/workflows/*.yml) and replace the unpinned ref (e.g., `@main`) with a
pinned ref (tag or commit SHA), ensuring each uses:
DeterminateSystems/<action>@<sha-or-tag> is updated consistently so the Zizmor
job (uses: zizmorcore/zizmor-action...) will pass on pull_request.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 92-94: The workflow checks out with actions/checkout@... using
persist-credentials: false, then the "Fix hash mismatches" step runs git commit
&& git push origin "$GITHUB_HEAD_REF" without re-authenticating; fix it by
either setting persist-credentials: true on that checkout or add a step before
the push that reconfigures origin to include the GITHUB_TOKEN (e.g., git remote
set-url origin https://x-access-token:$GITHUB_TOKEN@github.com/${{
github.repository }}.git) so the git push in the "Fix hash mismatches" step
succeeds.

---

Outside diff comments:
In @.github/workflows/zizmor.yml:
- Around line 3-26: Zizmor is configured to block unpinned action refs via
rules.unpinned-uses.config.policies but your workflows still reference
`DeterminateSystems/*@main`; locate all uses: entries that match
DeterminateSystems/* (e.g., in .github/workflows/ci.yml and other
.github/workflows/*.yml) and replace the unpinned ref (e.g., `@main`) with a
pinned ref (tag or commit SHA), ensuring each uses:
DeterminateSystems/<action>@<sha-or-tag> is updated consistently so the Zizmor
job (uses: zizmorcore/zizmor-action...) will pass on pull_request.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 123a2da2-3d0d-4097-a65b-16a5c4c4680b

📥 Commits

Reviewing files that changed from the base of the PR and between 16c2f9f and 556191f.

📒 Files selected for processing (7)
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/flakehub-cache.yml
  • .github/workflows/flakehub-publish-rolling.yml
  • .github/workflows/update-flake-lock.yml
  • .github/workflows/zizmor.yml
  • .github/zizmor.yml

Comment thread on .github/workflows/ci.yml, lines +92 to +94:

```yaml
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
  with:
    persist-credentials: false
```


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that checkout credentials are disabled while git push is still used
rg -nC3 'persist-credentials:\s*false|git push origin' .github/workflows/ci.yml

# Verify there is no explicit authenticated remote setup before push
rg -nC3 'git remote set-url|x-access-token|https://.*github.com' .github/workflows/ci.yml

Repository: DeterminateSystems/zero-to-nix

Length of output: 56


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== file = $FILE =="
ls -l "$FILE" || true
echo "== line 60-160 =="
sed -n '60,160p' "$FILE" | nl -ba -w3 -s':'
echo "== full grep matches =="
echo "--- persist-credentials ---"
rg -n "persist-credentials" "$FILE" || true
echo "--- git push ---"
rg -n "git push" "$FILE" || true
echo "--- git remote set-url ---"
rg -n "git remote set-url" "$FILE" || true
echo "--- token/x-access-token/https://github.com ---"
rg -n "x-access-token|https://.*github.com|GITHUB_TOKEN" "$FILE" || true

Repository: DeterminateSystems/zero-to-nix

Length of output: 265


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== grep basics =="
echo "-- persist-credentials --"
rg -n "persist-credentials" "$FILE" || true
echo "-- git push --"
rg -n "git push" "$FILE" || true
echo "-- git remote set-url --"
rg -n "git remote set-url" "$FILE" || true
echo "-- token/https --"
rg -n "x-access-token|https://github\.com|GITHUB_TOKEN" "$FILE" || true

echo "== show around 70-140 with sed+awk line numbers =="
sed -n '70,140p' "$FILE" | awk '{printf "%4d:%s\n", NR+69, $0}'

Repository: DeterminateSystems/zero-to-nix

Length of output: 2633


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
wc -l "$FILE"
echo "== top 80 =="
sed -n '1,80p' "$FILE"
echo "== around token at line 1-70 and 40-70 =="
sed -n '1,70p' "$FILE" | nl -ba 2>/dev/null || sed -n '1,70p' "$FILE" # fallback if nl missing
echo "== around lines 85-140 =="
sed -n '85,140p' "$FILE"
echo "== search for reconfig/auth commands =="
rg -n "git (config|remote)|extraheader|http(s)?:\\/\\/github\\.com|credential|token\\b|GITHUB_TOKEN" "$FILE"

Repository: DeterminateSystems/zero-to-nix

Length of output: 6260


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "Lines: $(wc -l < "$FILE")"
echo "---- top 90 ----"
sed -n '1,90p' "$FILE"
echo "---- around Fix hash mismatches ----"
sed -n '90,150p' "$FILE"
echo "---- auth-related searches ----"
rg -n "git (config|remote|credential)|extraheader|http(s)?:\\/\\/github\\.com|x-access-token|GITHUB_TOKEN" "$FILE" || true

Repository: DeterminateSystems/zero-to-nix

Length of output: 4318


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"

echo "== git remote / set-url =="
rg -n "git remote|remote set-url" "$FILE" || true

echo "== extraheader / credential helpers / http auth =="
rg -n "extraheader|credential|http\\.|GIT_ASKPASS|GITHUB_TOKEN" "$FILE" || true

echo "== x-access-token or token in URL =="
rg -n "x-access-token|github\\.com/.*@" "$FILE" || true

echo "== any other checkout steps (re-persist credentials) =="
rg -n "uses: actions/checkout" "$FILE"

echo "== show around second persist-credentials (near line 94) =="
sed -n '80,140p' "$FILE"

Repository: DeterminateSystems/zero-to-nix

Length of output: 2321


Fix git push auth when using persist-credentials: false in ci workflow
build-shells-and-templates checks out with persist-credentials: false, but the later Fix hash mismatches step commits and runs git push origin "$GITHUB_HEAD_REF". There’s no authenticated origin reconfiguration (e.g., git remote set-url with a token) in this workflow before the push, so the fallback push path can fail.

Suggested patch
       - name: Fix hash mismatches
         if: failure() && github.event_name == 'pull_request'
         id: fix-hashes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}`@github.com/`${GITHUB_REPOSITORY}.git"
           git stash --include-untracked
           git fetch --depth=1 origin "$GITHUB_HEAD_REF"
           git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
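Review bot: the `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@..."` line in this hunk writes the token into `.git/config` on the runner for the rest of the job, which reintroduces exactly the persisted credential that `persist-credentials: false` on the checkout was meant to avoid. Prefer supplying the token only for the push itself, for example via a `git -c http.https://github.com/.extraheader=...` on the push command or an explicit push URL, rather than rewriting `origin`. The stray backticks around `@github.com/` in that same line would also break the URL if the suggestion were applied verbatim. Finally, `secrets.GITHUB_TOKEN` can only push if the job grants `contents: write`, and on the `pull_request` runs this step is gated on (`if: failure() && github.event_name == 'pull_request'`) the token is read-only for fork PRs, so the push still fails in that case even with this patch.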
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 92 - 94, The workflow checks out with
actions/checkout@... using persist-credentials: false, then the "Fix hash
mismatches" step runs git commit && git push origin "$GITHUB_HEAD_REF" without
re-authenticating; fix it by either setting persist-credentials: true on that
checkout or add a step before the push that reconfigures origin to include the
GITHUB_TOKEN (e.g., git remote set-url origin
https://x-access-token:$GITHUB_TOKEN@github.com/${{ github.repository }}.git) so
the git push in the "Fix hash mismatches" step succeeds.


2 participants