Skip to content

chore(security): uses pinned versions of actions#2698

Open
jcchavezs wants to merge 1 commit into
auth0:mainfrom
jcchavezs:pin-gh-actions
Open

chore(security): uses pinned versions of actions#2698
jcchavezs wants to merge 1 commit into
auth0:mainfrom
jcchavezs:pin-gh-actions

Conversation

@jcchavezs

@jcchavezs jcchavezs commented Jun 9, 2026

Copy link
Copy Markdown

This pull request updates the GitHub Actions workflow files to use pinned commit SHAs for all third-party actions, improving security and reproducibility.

Summary by CodeRabbit

  • Chores
    • Pinned GitHub Actions dependencies to specific commit hashes across all CI/CD workflows, including code quality analysis, testing, npm release, and security scanning. This improves build reproducibility and strengthens supply chain security by eliminating reliance on floating version tags.

@jcchavezs jcchavezs requested a review from a team as a code owner June 9, 2026 16:00
@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates six GitHub Actions workflow files across the repository to pin action dependencies to specific commit SHAs instead of floating major-version tags. The changes improve supply chain security and workflow reproducibility without altering any CI logic, configuration, or behavior.

Changes

GitHub Actions Workflow Version Pinning

Layer / File(s) Summary
CodeQL workflow action pinning
.github/workflows/codeql.yml
CodeQL workflow checkout and all codeql-action steps (init, autobuild, analyze) are pinned to specific commit SHAs; CodeQL config inputs unchanged.
NPM release workflow checkout pinning
.github/workflows/npm-release.yml
Release job checkout step pinned to a specific commit SHA instead of the v6 tag.
Playwright workflow action pinning
.github/workflows/playwright.yml
Checkout, setup-node, and upload-artifact steps pinned to specific commit SHAs instead of floating tags.
RL Secure workflow action pinning
.github/workflows/rl-secure.yml
Checkout, pnpm action-setup, and setup-node steps pinned to commit SHAs; scanner execution logic unchanged.
Snyk workflow action pinning
.github/workflows/snyk.yml
Checkout and pnpm action-setup steps pinned to commit SHAs; scanning behavior unchanged.
Test workflow action pinning
.github/workflows/test.yml
Build, coverage, and lint jobs pin checkout, pnpm action-setup, and setup-node to commit SHAs; build job also pins cache/save. Node version and pnpm cache config unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

github_actions, dependencies

Suggested reviewers

  • Piyush-85

Poem

🐰 With SHAs pinned and versions clear,
Our workflows now have no fear!
No floating tags to drift astray,
Security saves the CI day.
Reproducible paths, shiny and bright,
GitHub Actions done just right! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: pinning GitHub Actions to specific versions for improved security, which is the core focus of all workflow file modifications in this changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{"name":"HttpError","status":500,"request":{"method":"PATCH","url":"https://api.github.com/repos/auth0/nextjs-auth0/issues/comments/4661604634","headers":{"accept":"application/vnd.github.v3+json","user-agent":"octokit.js/0.0.0-development octokit-core.js/7.0.6 Node.js/24","authorization":"token [REDACTED]","content-type":"application/json; charset=utf-8"},"body":{"body":"<!-- This is an auto-generated comment: summarize by coderabbit.ai -->\n<!-- review_stack_entry_start -->\n\n[![Review Change Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/auth0/nextjs-auth0/pull/2698?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)\n\n<!-- review_stack_entry_end -->\n<!-- This is an auto-generated comment: review in progress by coderabbit.ai -->\n\n> [!NOTE]\n> Currently processing new changes in this PR. This may take a few minutes, please wait...\n> \n> <details>\n> <summary>⚙️ Run configuration</summary>\n> \n> **Configuration used**: defaults\n> \n> **Review profile**: CHILL\n> \n> **Plan**: Pro Plus\n> \n> **Run ID**: `ec17ab90-fc97-4cc1-b880-f328e095f10b`\n> \n> </details>\n> \n> <details>\n> <summary>📥 Commits</summary>\n> \n> Reviewing files that changed from the base of the PR and between 843575e08905a57f7489ab705e358406b75c0a04 and 5433d508aa3be8ed0460cd2417196da25a32370c.\n> \n> </details>\n> \n> <details>\n> <summary>📒 Files selected for processing (6)</summary>\n> \n> * `.github/workflows/codeql.yml`\n> * `.github/workflows/npm-release.yml`\n> * `.github/workflows/playwright.yml`\n> * `.github/workflows/rl-secure.yml`\n> * `.github/workflows/snyk.yml`\n> * `.github/workflows/test.yml`\n> \n> </details>\n> \n> ```ascii\n>  ________________________\n> < GLaDOS? I can fix her! >\n>  ------------------------\n>   \\\n>    \\   (\\__/)\n>        (•ㅅ•)\n>        /   づ\n> ```\n\n<!-- end of auto-generated comment: review in progress by coderabbit.ai -->\n\n<!-- finishing_touch_checkbox_start -->\n\n<details>\n<summary>✨ Finishing Touches</summary>\n\n<details>\n<summary>🧪 Generate unit tests (beta)</summary>\n\n- [ ] <!-- {\"checkboxId\": \"f47ac10b-58cc-4372-a567-0e02b2c3d479\", \"radioGroupId\": \"utg-output-choice-group-unknown_comment_id\"} -->   Create PR with unit tests\n\n</details>\n\n</details>\n\n<!-- finishing_touch_checkbox_end -->\n<!-- tips_start -->\n\n---\n\nThanks for using [CodeRabbit](https://coderabbit.ai?utm_source=oss&utm_medium=github&utm_campaign=auth0/nextjs-auth0&utm_content=2698)! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.\n\n<details>\n<summary>❤️ Share</summary>\n\n- [X](https://twitter.com/intent/tweet?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A&url=https%3A//coderabbit.ai)\n- [Mastodon](https://mastodon.social/share?text=I%20just%20used%20%40coderabbitai%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20the%20proprietary%20code.%20Check%20it%20out%3A%20https%3A%2F%2Fcoderabbit.ai)\n- [Reddit](https://www.reddit.com/submit?title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&text=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code.%20Check%20it%20out%3A%20https%3A//coderabbit.ai)\n- [LinkedIn](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fcoderabbit.ai&mini=true&title=Great%20tool%20for%20code%20review%20-%20CodeRabbit&summary=I%20just%20used%20CodeRabbit%20for%20my%20code%20review%2C%20and%20it%27s%20fantastic%21%20It%27s%20free%20for%20OSS%20and%20offers%20a%20free%20trial%20for%20proprietary%20code)\n\n</details>\n\n\n<sub>Comment `@coderabbitai help` to get the list of available commands and usage tips.</sub>\n\n<!-- tips_end -->"},"request":{"retryCount":3,"signal":{},"retries":3,"retryAfter":16}}}

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/npm-release.yml:
- Around line 33-35: The checkout step in the npm-release job uses
actions/checkout (the block with "uses: actions/checkout@...") but only sets
fetch-depth; add persist-credentials: false to the checkout step's with
configuration to disable persisting the GitHub token/credentials for later steps
so credentials are not left configured after checkout.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ec17ab90-fc97-4cc1-b880-f328e095f10b

📥 Commits

Reviewing files that changed from the base of the PR and between 843575e and 5433d50.

📒 Files selected for processing (6)
  • .github/workflows/codeql.yml
  • .github/workflows/npm-release.yml
  • .github/workflows/playwright.yml
  • .github/workflows/rl-secure.yml
  • .github/workflows/snyk.yml
  • .github/workflows/test.yml

Comment on lines +33 to 35
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify checkout steps in workflows that don't explicitly disable credential persistence.
# Expected: no matches after remediation.
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows \
  | sed -n 'p'
echo "---- potential missing persist-credentials:false ----"
python - <<'PY'
import pathlib, re
for p in pathlib.Path(".github/workflows").glob("*.yml"):
    txt = p.read_text()
    for m in re.finditer(r'(?ms)^\s*-\s+uses:\s*actions/checkout@[^\n]+\n(?:\s+with:\n(?:\s{10,}.+\n)*)?', txt):
        block = m.group(0)
        if "persist-credentials: false" not in block:
            line = txt[:m.start()].count("\n")+1
            print(f"{p}:{line}")
PY

Repository: auth0/nextjs-auth0

Length of output: 2974


🏁 Script executed:

#!/bin/bash
set -euo pipefail

nl -ba .github/workflows/npm-release.yml | sed -n '1,120p'

Repository: auth0/nextjs-auth0

Length of output: 105


🏁 Script executed:

#!/bin/bash
set -euo pipefail
cat -n .github/workflows/npm-release.yml | sed -n '1,140p'

Repository: auth0/nextjs-auth0

Length of output: 3577


Disable persisted checkout credentials in npm-release job.

actions/checkout in .github/workflows/npm-release.yml sets fetch-depth but doesn’t disable credential persistence, so credentials may remain configured for later steps.

Suggested patch
       - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
+          persist-credentials: false
           fetch-depth: 0
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 33-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-release.yml around lines 33 - 35, The checkout step in
the npm-release job uses actions/checkout (the block with "uses:
actions/checkout@...") but only sets fetch-depth; add persist-credentials: false
to the checkout step's with configuration to disable persisting the GitHub
token/credentials for later steps so credentials are not left configured after
checkout.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant