chore(repo): pin GitHub Actions to SHAs and drop persisted tokens #8632
jacekradko wants to merge 1 commit into
Conversation
Convert every `uses:` reference in `.github/workflows/**` and `.github/actions/**` from a mutable tag to an immutable commit SHA, with the tag preserved as a trailing comment so the version is still readable. Extend the Renovate config generator to manage the `.github/**` paths (previously outside `includePaths`) with `pinDigests: true`, so the SHAs stay current automatically. Set `persist-credentials: false` on every `actions/checkout` step that does not require the persisted `GITHUB_TOKEN`. The release job in `release.yml` is intentionally left alone: it sets a `token:` input explicitly so `changesets/action` can push the Version PR.
🦋 Changeset detected
Latest commit: aa7e007
The changes in this PR will be included in the next version bump. This PR includes changesets to release 0 packages. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/dev-cli
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
📝 Walkthrough
This pull request systematically hardens the repository's GitHub Actions infrastructure by pinning all action dependencies to specific commit SHAs instead of using floating version tags. The changeset introduces this hardening across reusable composite actions and all GitHub workflows. Renovate is configured to automatically manage digest pinning for GitHub Actions updates. Several checkout steps now explicitly set
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)
443-457: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Remove secret logging from the cert-writing script (security blocker).
At Line 452, `console.log('rootCa', rootCa);` logs data coming from `INTEGRATION_ROOT_CA` (a GitHub secret). This can leak sensitive material to workflow logs and must be removed before merge.
Suggested fix
```diff
- console.log('rootCa', rootCa);
  fs.writeFileSync(path.join(process.env.GITHUB_WORKSPACE, 'integration/certs', 'rootCA.pem'), rootCa);
```
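Review bot: Deleting the `console.log` stops future leaks but does not undo past ones; any earlier run that reached this step has already written the `INTEGRATION_ROOT_CA` value into its job log, so the material behind that secret should be treated as exposed and rotated once this lands. It is also worth checking that the loop which writes the remaining cert files (referenced in the prompt below) does not echo their contents the same way before the `fs.writeFileSync` calls.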
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 443 - 457, remove the secret logging by deleting the console.log that prints the INTEGRATION_ROOT_CA value: remove the line that calls console.log('rootCa', rootCa) in the actions/github-script block so secrets (rootCa and any certs) are not written to workflow logs; keep the fs.writeFileSync calls (path.join(..., 'integration/certs', 'rootCA.pem') and the loop writing cert files) but do not emit their contents to console.
📒 Files selected for processing (18)
- .changeset/harden-gh-actions.md
- .github/actions/ensure-stable-pr/action.yml
- .github/actions/init-blacksmith/action.yml
- .github/actions/init/action.yml
- .github/workflows/ci.yml
- .github/workflows/e2e-cleanups.yml
- .github/workflows/e2e-staging.yml
- .github/workflows/labeler.yml
- .github/workflows/lock-threads.yml
- .github/workflows/major-version-check.yml
- .github/workflows/mobile-e2e.yml
- .github/workflows/nightly-checks.yml
- .github/workflows/pr-title-linter.yml
- .github/workflows/release-preflight.yml
- .github/workflows/release.yml
- .github/workflows/validate-renovate-config.yml
- renovate.json5
- scripts/renovate-config-generator.mjs
This is the repo-wide follow-up to a security finding that flagged a single workflow for using mutable action tags and leaving `GITHUB_TOKEN` persisted in `.git/config` after `actions/checkout`. Fixing one file would have left the broader posture unchanged, so this PR addresses the whole `.github/` surface in one pass. Three coordinated pieces:

1. Every `uses:` reference in `.github/workflows/**` and `.github/actions/**` is now pinned to an immutable commit SHA, with the original tag preserved as a `# v4` comment. 73 `uses:` references across 12 workflows and 4 composite actions.
2. `includePaths` now covers `.github/**`, and a new package rule applies `pinDigests: true` plus a `GitHub Actions` group, so the SHAs stay current automatically and won't quietly rot. `renovate.json5` is regenerated from `scripts/renovate-config-generator.mjs`; do not hand-edit.
3. `persist-credentials: false` is set on every `actions/checkout` that doesn't need the persisted token (20 sites). The one site that does, `release.yml` line 45, is intentionally left alone: it sets `token:` explicitly so `changesets/action` can push the Version PR back to the repo. The existing comment block above that `token:` input already documents why.

`step-security/harden-runner` would be the natural next layer but needs an audit-mode rollout before enforcement, deferred to a separate PR.
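The PR description and the author's follow-up comment above both describe the same three checks by hand: every `uses:` must resolve to a 40-hex commit SHA, the pinned SHA should keep a readable `# vX.Y.Z` comment, and every `actions/checkout` that does not need the token should set `persist-credentials: false`. The script below is an added example, not code from the Clerk repository or from this PR, that runs those checks over a workflow file so the property can be verified in CI rather than by eye. It assumes a step's `uses:` line precedes its `with:` block, and the sample workflow and its SHAs are constructed placeholders, not real upstream commits.

```javascript
// Added example (not the repository's own code): lint a GitHub Actions workflow
// for unpinned actions, SHA pins without a version comment, and checkout steps
// that leave GITHUB_TOKEN persisted in .git/config. Assumes `uses:` precedes
// `with:` inside a step; a full YAML parser would lift that restriction.

// A pinned reference is a full 40-hex commit SHA; anything else (v4, main, a
// short SHA) is a mutable or ambiguous ref that a compromised upstream can move.
const SHA_RE = /^[0-9a-f]{40}$/;

// Split "owner/repo[/path]@ref" into its parts. Local actions ("./...") carry no ref.
function parseUses(ref) {
  const at = ref.lastIndexOf('@');
  if (ref.startsWith('./') || at === -1) return { action: ref, version: null };
  return { action: ref.slice(0, at), version: ref.slice(at + 1) };
}

function leadingSpaces(line) {
  return line.match(/^\s*/)[0].length;
}

// Read `persist-credentials` from the `with:` block of the step whose `uses:`
// sits at line index i. Returns true/false when set explicitly, null when absent.
function persistCredentials(lines, i, dashIndent, keyIndent) {
  let value = null;
  for (let j = i + 1; j < lines.length; j++) {
    const l = lines[j];
    if (l.trim() === '') continue;
    const ind = leadingSpaces(l);
    // Stop at the next step ("- ..." at the dash's indent) or at a parent key.
    if (ind < keyIndent || (ind === dashIndent && l.trim().startsWith('-'))) break;
    const m = l.match(/^\s*persist-credentials:\s*(true|false)/);
    if (m) value = m[1] === 'true';
  }
  return value;
}

function lintWorkflow(yamlText) {
  const findings = [];
  const lines = yamlText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const m = lines[i].match(/^(\s*)(-\s+)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(#\s*(\S+))?/);
    if (!m) continue;
    const dashIndent = m[1].length;
    const keyIndent = dashIndent + (m[2] ? m[2].length : 0);
    const { action, version } = parseUses(m[3]);
    const comment = m[5] || null;
    const line = i + 1;

    if (version !== null && !SHA_RE.test(version)) {
      findings.push({ line, rule: 'unpinned-action', detail: `${action}@${version}` });
    } else if (version !== null && comment === null) {
      // SHA without a trailing "# vX.Y.Z" comment: pinned, but nobody can tell
      // which release it is without resolving the commit upstream.
      findings.push({ line, rule: 'missing-version-comment', detail: action });
    }

    if (action === 'actions/checkout') {
      const persist = persistCredentials(lines, i, dashIndent, keyIndent);
      if (persist !== false) {
        findings.push({
          line,
          rule: 'persisted-credentials',
          detail: persist === null
            ? 'persist-credentials not set (defaults to true, token stays in .git/config)'
            : 'persist-credentials: true',
        });
      }
    }
  }
  return findings;
}

// Constructed sample workflow: the SHAs are placeholders, not real upstream commits.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkout (pinned, token dropped)
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: ./.github/actions/init
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98
`;

for (const f of lintWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.rule} (${f.detail})`);
}
```

Against the sample, the first checkout is reported twice (tag instead of SHA, and the token left persisted), the second is clean, the local composite action is skipped because it has no ref, and the final step is pinned but has lost its version comment. Pointed at `.github/workflows/*.yml` and `.github/actions/*/action.yml` this is the same property the PR establishes by hand for its 73 references and 20 checkout sites; the `release.yml` checkout that intentionally keeps its token would need an explicit allow-list entry. Keeping the SHAs fresh afterwards is Renovate's job: with `.github/**` inside `includePaths`, a `packageRules` entry that matches the `github-actions` manager with `pinDigests: true` is what the PR's generated config relies on.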