chore(security): uses pinned versions of actions#2698
Conversation
📝 WalkthroughWalkthroughThis PR updates six GitHub Actions workflow files across the repository to pin action dependencies to specific commit SHAs instead of floating major-version tags. The changes improve supply chain security and workflow reproducibility without altering any CI logic, configuration, or behavior. ChangesGitHub Actions Workflow Version Pinning
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Caution Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted. Error details |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/npm-release.yml:
- Around line 33-35: The checkout step in the npm-release job uses
actions/checkout (the block with "uses: actions/checkout@...") but only sets
fetch-depth; add persist-credentials: false to the checkout step's with
configuration to disable persisting the GitHub token/credentials for later steps
so credentials are not left configured after checkout.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: ec17ab90-fc97-4cc1-b880-f328e095f10b
📒 Files selected for processing (6)
.github/workflows/codeql.yml.github/workflows/npm-release.yml.github/workflows/playwright.yml.github/workflows/rl-secure.yml.github/workflows/snyk.yml.github/workflows/test.yml
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| with: | ||
| fetch-depth: 0 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify checkout steps in workflows that don't explicitly disable credential persistence.
# Expected: no matches after remediation.
rg -n -C2 'uses:\s*actions/checkout@' .github/workflows \
| sed -n 'p'
echo "---- potential missing persist-credentials:false ----"
python - <<'PY'
import pathlib, re
for p in pathlib.Path(".github/workflows").glob("*.yml"):
txt = p.read_text()
for m in re.finditer(r'(?ms)^\s*-\s+uses:\s*actions/checkout@[^\n]+\n(?:\s+with:\n(?:\s{10,}.+\n)*)?', txt):
block = m.group(0)
if "persist-credentials: false" not in block:
line = txt[:m.start()].count("\n")+1
print(f"{p}:{line}")
PYRepository: auth0/nextjs-auth0
Length of output: 2974
🏁 Script executed:
#!/bin/bash
set -euo pipefail
nl -ba .github/workflows/npm-release.yml | sed -n '1,120p'Repository: auth0/nextjs-auth0
Length of output: 105
🏁 Script executed:
#!/bin/bash
set -euo pipefail
cat -n .github/workflows/npm-release.yml | sed -n '1,140p'Repository: auth0/nextjs-auth0
Length of output: 3577
Disable persisted checkout credentials in npm-release job.
actions/checkout in .github/workflows/npm-release.yml sets fetch-depth but doesn’t disable credential persistence, so credentials may remain configured for later steps.
Suggested patch
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
+ persist-credentials: false
fetch-depth: 0🧰 Tools
🪛 zizmor (1.25.2)
[warning] 33-37: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/npm-release.yml around lines 33 - 35, The checkout step in
the npm-release job uses actions/checkout (the block with "uses:
actions/checkout@...") but only sets fetch-depth; add persist-credentials: false
to the checkout step's with configuration to disable persisting the GitHub
token/credentials for later steps so credentials are not left configured after
checkout.
Source: Linters/SAST tools
This pull request updates the GitHub Actions workflow files to use pinned commit SHAs for all third-party actions, improving security and reproducibility.
Summary by CodeRabbit