Provide GitHub Actions pinning#539
Conversation
📝 Walkthrough
Pins third-party GitHub Actions to specific commit SHAs across CI and maintenance workflows; adds Dependabot for weekly action updates and a Zizmor workflow plus config to enforce ref-pinning for DeterminateSystems/*.
Changes: GitHub Actions supply chain hardening
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/zizmor.yml (1)
3-26: ⚠️ Potential issue | 🟠 Major
Pin DeterminateSystems/* action refs before merging Zizmor enforcement
.github/zizmor.yml enforces rules.unpinned-uses.config.policies: DeterminateSystems/*: ref-pin, but multiple workflows still use unpinned DeterminateSystems/*@main (e.g., .github/workflows/ci.yml and other .github/workflows/*.yml files). With this on pull_request, Zizmor is likely to fail until those uses: refs are SHA-pinned or otherwise addressed.
📒 Files selected for processing (7)
.github/dependabot.yml
.github/workflows/ci.yml
.github/workflows/flakehub-cache.yml
.github/workflows/flakehub-publish-rolling.yml
.github/workflows/update-flake-lock.yml
.github/workflows/zizmor.yml
.github/zizmor.yml
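An added example, not code from this PR, from zizmor, or from the zero-to-nix repository, that implements the kind of check the review above describes: scan workflow text for uses: references, map each action to the most specific glob in a zizmor-style policy map, require a full 40-hex commit SHA under hash-pin, and report a tag or branch ref under ref-pin as allowed but mutable. The policy semantics (ref-pin accepts any explicit @ref, hash-pin requires a SHA, any accepts everything including a bare owner/repo with no @ at all) are my reading of zizmor's unpinned-uses rule and are an assumption to verify against the installed version; the sample workflow is constructed, reusing only the actions/checkout SHA shown in the diff context below.

```python
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# One `uses:` step line: optional list dash, optional quotes, optional trailing
# `# comment` (the `# v6.0.3` convention used when SHA-pinning).
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<spec>[^'"\s#]+)['"]?\s*(?:#.*)?$"""
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Glob -> policy, in the shape of zizmor's unpinned-uses `policies` map.
# PR_POLICIES mirrors the policy quoted in the review; DEFAULT_POLICIES is
# what this example falls back to when nothing matches (assumption).
PR_POLICIES = {"DeterminateSystems/*": "ref-pin", "*": "hash-pin"}
DEFAULT_POLICIES = {"*": "hash-pin"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: Optional[str]
    policy: str
    level: str      # "error": policy violated; "warn": allowed but mutable
    message: str


def policy_for(action: str, policies: dict[str, str]) -> str:
    """Most specific (longest) matching glob wins; `*` is the catch-all."""
    matches = [pat for pat in policies if fnmatch.fnmatchcase(action, pat)]
    return policies[max(matches, key=len)] if matches else "hash-pin"


def check_uses(spec: str, policy: str) -> Optional[tuple[str, str]]:
    """Evaluate one `owner/repo[@ref]` spec; None means it satisfies the policy."""
    _action, _, ref = spec.partition("@")
    if ref == "":
        # A bare `owner/repo` floats on the default branch: rejected by both
        # pin policies, tolerated only by `any`.
        return None if policy == "any" else (
            "error", f"{policy} requires an explicit @ref")
    if policy == "hash-pin" and not SHA_RE.fullmatch(ref):
        return ("error", "hash-pin requires a full 40-hex commit SHA")
    if policy == "ref-pin" and not SHA_RE.fullmatch(ref):
        # Tags and branches satisfy ref-pin but can be moved by the action's
        # maintainers, or by whoever ends up holding their credentials.
        return ("warn", f"@{ref} is a mutable ref; a commit SHA would be stronger")
    return None


def audit_workflow(text: str, policies: Optional[dict[str, str]] = None) -> list[Finding]:
    """Scan workflow YAML line by line and return every policy finding."""
    policies = policies or DEFAULT_POLICIES
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group("spec")
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local composite actions and images are out of scope here
        action, _, ref = spec.partition("@")
        policy = policy_for(action, policies)
        verdict = check_uses(spec, policy)
        if verdict is not None:
            findings.append(Finding(line_no, action, ref or None, policy, *verdict))
    return findings


def has_errors(findings: list[Finding]) -> bool:
    """True when any finding is a hard violation (what a CI gate should fail on)."""
    return any(f.level == "error" for f in findings)


# Constructed sample workflow; only the actions/checkout SHA comes from the PR.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/flakehub-cache-action@v2
      - uses: actions/setup-node@v4
      - uses: actions/cache
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW, PR_POLICIES)
    for f in results:
        print(f"line {f.line_no}: [{f.level}] {f.action}@{f.ref or ''} ({f.policy}): {f.message}")
    raise SystemExit(1 if has_errors(results) else 0)
```

Run against the sample, the two DeterminateSystems steps come back as warnings under ref-pin, actions/setup-node@v4 and the bare actions/cache come back as errors under hash-pin, and the SHA-pinned checkout is clean. Keeping the mutable-ref case as a warning rather than silently passing it is the point: a ref-pin policy is a deliberate exception, and the report should keep reminding you which steps still trust a branch or tag.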
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
  with:
    persist-credentials: false
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify that checkout credentials are disabled while git push is still used
rg -nC3 'persist-credentials:\s*false|git push origin' .github/workflows/ci.yml
# Verify there is no explicit authenticated remote setup before push
rg -nC3 'git remote set-url|x-access-token|https://.*github.com' .github/workflows/ci.yml
Repository: DeterminateSystems/zero-to-nix
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== file = $FILE =="
ls -l "$FILE" || true
echo "== line 60-160 =="
sed -n '60,160p' "$FILE" | nl -ba -w3 -s':'
echo "== full grep matches =="
echo "--- persist-credentials ---"
rg -n "persist-credentials" "$FILE" || true
echo "--- git push ---"
rg -n "git push" "$FILE" || true
echo "--- git remote set-url ---"
rg -n "git remote set-url" "$FILE" || true
echo "--- token/x-access-token/https://github.com ---"
rg -n "x-access-token|https://.*github.com|GITHUB_TOKEN" "$FILE" || true
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== grep basics =="
echo "-- persist-credentials --"
rg -n "persist-credentials" "$FILE" || true
echo "-- git push --"
rg -n "git push" "$FILE" || true
echo "-- git remote set-url --"
rg -n "git remote set-url" "$FILE" || true
echo "-- token/https --"
rg -n "x-access-token|https://github\.com|GITHUB_TOKEN" "$FILE" || true
echo "== show around 70-140 with sed+awk line numbers =="
sed -n '70,140p' "$FILE" | awk '{printf "%4d:%s\n", NR+69, $0}'
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
wc -l "$FILE"
echo "== top 80 =="
sed -n '1,80p' "$FILE"
echo "== around token at line 1-70 and 40-70 =="
sed -n '1,70p' "$FILE" | nl -ba 2>/dev/null || sed -n '1,70p' "$FILE" # fallback if nl missing
echo "== around lines 85-140 =="
sed -n '85,140p' "$FILE"
echo "== search for reconfig/auth commands =="
rg -n "git (config|remote)|extraheader|http(s)?:\\/\\/github\\.com|credential|token\\b|GITHUB_TOKEN" "$FILE"
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "Lines: $(wc -l < "$FILE")"
echo "---- top 90 ----"
sed -n '1,90p' "$FILE"
echo "---- around Fix hash mismatches ----"
sed -n '90,150p' "$FILE"
echo "---- auth-related searches ----"
rg -n "git (config|remote|credential)|extraheader|http(s)?:\\/\\/github\\.com|x-access-token|GITHUB_TOKEN" "$FILE" || true
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yml"
echo "== git remote / set-url =="
rg -n "git remote|remote set-url" "$FILE" || true
echo "== extraheader / credential helpers / http auth =="
rg -n "extraheader|credential|http\\.|GIT_ASKPASS|GITHUB_TOKEN" "$FILE" || true
echo "== x-access-token or token in URL =="
rg -n "x-access-token|github\\.com/.*@" "$FILE" || true
echo "== any other checkout steps (re-persist credentials) =="
rg -n "uses: actions/checkout" "$FILE"
echo "== show around second persist-credentials (near line 94) =="
sed -n '80,140p' "$FILE"
Fix git push auth when using persist-credentials: false in ci workflow
build-shells-and-templates checks out with persist-credentials: false, but the later Fix hash mismatches step commits and runs git push origin "$GITHUB_HEAD_REF". There’s no authenticated origin reconfiguration (e.g., git remote set-url with a token) in this workflow before the push, so the fallback push path can fail.
Suggested patch
- name: Fix hash mismatches
if: failure() && github.event_name == 'pull_request'
id: fix-hashes
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
+ git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}`@github.com/`${GITHUB_REPOSITORY}.git"
git stash --include-untracked
git fetch --depth=1 origin "$GITHUB_HEAD_REF"
git checkout -B "$GITHUB_HEAD_REF" "${{ github.event.pull_request.head.sha }}"
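Review bot: the added `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` line writes the token into `.git/config` for the remainder of the job, which reintroduces exactly the persisted credential that `persist-credentials: false` on the checkout removed; the stray backticks around `@github.com/` in the rendered hunk are a display artifact and must not be copied either. Scope the credential to the one push instead, e.g. `git -c http.https://github.com/.extraheader="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GITHUB_TOKEN" | base64 -w0)" push origin "$GITHUB_HEAD_REF"` (GNU base64; drop `-w0` on macOS), which is the same mechanism actions/checkout itself uses. Two preconditions are also missing from the hunk: the job needs `permissions: contents: write`, since a read-only GITHUB_TOKEN is rejected on push regardless of how it is supplied, and on `pull_request` runs from a fork the token is read-only and `$GITHUB_HEAD_REF` names a branch in the fork rather than in origin, so the fallback should be guarded with `github.event.pull_request.head.repo.full_name == github.repository` instead of being left to fail.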
In @.github/workflows/ci.yml around lines 92 - 94, the workflow checks out with actions/checkout@... using persist-credentials: false, then the "Fix hash mismatches" step runs git commit && git push origin "$GITHUB_HEAD_REF" without re-authenticating; fix it by either setting persist-credentials: true on that checkout or adding a step before the push that reconfigures origin to include the GITHUB_TOKEN (e.g., git remote set-url origin https://x-access-token:$GITHUB_TOKEN@github.com/${{ github.repository }}.git) so the git push in the "Fix hash mismatches" step succeeds.