chore: pin deps and security fixes

[yashmehrotra]

Summary by CodeRabbit

• Chores
  • Pinned GitHub Actions and tool versions to specific commits and digests for enhanced build reproducibility and security.
  • Updated Docker base images with immutable digests.
  • Improved internal cache hashing mechanism for better determinism.
  • Refined CI/CD permissions configuration for tighter access control.

[coderabbitai]

Walkthrough

This PR pins external dependencies and action versions to specific commits or SHA digests, updates GitHub Actions workflow permissions for release tasks, and replaces MD5 hashing with SHA-256 in file cache path generation.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflows .github/workflows/benchmark.yml, .github/workflows/release.yml, .github/workflows/test.yml	Pinned actions/github-script and flanksource/deps actions to specific commit SHAs; updated benchstat installation to specific pseudo-version; refined release.yml job-level permissions to explicitly request required capabilities for semantic-release, binary, and docker jobs.
Docker Base Images build/Dockerfile, build/Dockerfile.debug	Pinned golang:1.26-bookworm base image to immutable digest SHA-256 hash.
File Scraper scrapers/file/file.go, scrapers/file/file_test.go	Replaced MD5 with SHA-256 hashing algorithm for cache path generation; updated test case expectations to reflect new hash digest outputs.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'chore: pin deps and security fixes' accurately describes the main changes: pinning GitHub Actions to specific commits/SHAs and Docker base images to digests, upgrading benchstat version, and updating the hashing algorithm for enhanced security. The title is concise and directly related to the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sec-fix

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch sec-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Benchstat

Base: 3c5b31f68194a3b602dc0ed574f043255da79cf6
Head: 0777aba3dbca70dcf4c9cc311a92b20e7649fa23

📊 1 minor regression(s) (all within 5% threshold)

Benchmark	Base	Head	Change	p-value
BenchSaveResultsSeed/N=1000-4	36.05Mi	36.10Mi	+0.15%	0.026

Full benchstat output

goos: linux
goarch: amd64
pkg: github.com/flanksource/config-db/bench
cpu: AMD EPYC 7763 64-Core Processor                
                                         │ bench-base.txt │          bench-head.txt           │
                                         │     sec/op     │   sec/op     vs base              │
BenchSaveResultsSeed/N=1000-4                628.2m ±  9%   626.6m ± 7%       ~ (p=0.937 n=6)
BenchSaveResultsUpdateUnchanged/N=1000-4     734.6m ±  1%   743.9m ± 9%       ~ (p=0.485 n=6)
BenchSaveResultsUpdateChanged/N=1000-4        1.208 ± 17%    1.195 ± 9%       ~ (p=0.818 n=6)
geomean                                      823.0m         822.7m       -0.03%

                                         │ bench-base.txt │           bench-head.txt           │
                                         │      MB/s      │    MB/s     vs base                │
BenchSaveResultsSeed/N=1000-4                0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
BenchSaveResultsUpdateUnchanged/N=1000-4     0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
BenchSaveResultsUpdateChanged/N=1000-4       0.000 ± 0%     0.000 ± 0%       ~ (p=1.000 n=6) ¹
geomean                                                 ²               +0.00%               ²
¹ all samples are equal
² summaries must be >0 to compute geomean

                                         │ bench-base.txt │           bench-head.txt           │
                                         │      B/op      │     B/op      vs base              │
BenchSaveResultsSeed/N=1000-4               36.05Mi ±  0%   36.10Mi ± 0%  +0.15% (p=0.026 n=6)
BenchSaveResultsUpdateUnchanged/N=1000-4    25.61Mi ±  0%   25.56Mi ± 0%       ~ (p=0.310 n=6)
BenchSaveResultsUpdateChanged/N=1000-4      74.89Mi ± 11%   74.84Mi ± 0%       ~ (p=0.589 n=6)
geomean                                     41.04Mi         41.03Mi       -0.04%

                                         │ bench-base.txt │          bench-head.txt           │
                                         │   allocs/op    │  allocs/op   vs base              │
BenchSaveResultsSeed/N=1000-4                442.0k ±  0%   442.0k ± 0%       ~ (p=0.589 n=6)
BenchSaveResultsUpdateUnchanged/N=1000-4     314.0k ±  0%   314.0k ± 0%       ~ (p=0.240 n=6)
BenchSaveResultsUpdateChanged/N=1000-4       904.6k ± 15%   904.6k ± 0%       ~ (p=0.937 n=6)
geomean                                      500.8k         500.8k       -0.00%

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.github/workflows/benchmark.yml (1)

32-32: Use the exact release tag instead of the moving major tag in the inline comment.

The SHA pin to 3a2844b7e9c422d3c10d287c895573f7108da1b3 is correct, but # v9 refers to a moving major tag. Change the comment to # v9.0.0 (the exact release corresponding to this commit) to make audits clear which release was reviewed.

Also applies to: 141-141

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/benchmark.yml at line 32, Update the inline comment on the
actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 usages so it
references the exact release tag instead of the moving major tag: replace the
trailing comment text "# v9" with "# v9.0.0" for the occurrences associated with
the actions/github-script SHA (the lines that contain "uses:
actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3").

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 69-71: Remove the unnecessary OIDC permission by deleting the
"id-token: write" entry from the permissions block used by the docker job (the
block that currently contains "contents: read" and "id-token: write"); since
authentication is done via ECR_AWS_ACCESS_KEY / ECR_AWS_SECRET_ACCESS_KEY,
ensure only "contents: read" (or other minimal needed permissions) remain, and
also remove the same "id-token: write" entry in the duplicate permissions block
referenced later (the lines applying to the same docker job / release workflow).

In `@scrapers/file/file.go`:
- Line 60: The cache key is being computed from stripSecrets(uri) causing
different credentialed URIs to collide; change the hash input to the raw uri
(use uri, not stripSecrets(uri)) when computing hash (the line with hash :=
sha256.Sum256(...)) so tempDir is unique per exact URL, and keep
stripSecrets(uri) only where used for logging/debug output; ensure any
references to tempDir or getter.GetAny remain unchanged so writes stay isolated
per hashed raw URI.

---

Nitpick comments:
In @.github/workflows/benchmark.yml:
- Line 32: Update the inline comment on the
actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 usages so it
references the exact release tag instead of the moving major tag: replace the
trailing comment text "# v9" with "# v9.0.0" for the occurrences associated with
the actions/github-script SHA (the lines that contain "uses:
actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3").

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8380b1aa-ba4d-4bb5-8172-9c8704a96e58

📥 Commits

Reviewing files that changed from the base of the PR and between 3c5b31f and 0777aba.

📒 Files selected for processing (7)

• .github/workflows/benchmark.yml
• .github/workflows/release.yml
• .github/workflows/test.yml
• build/Dockerfile
• build/Dockerfile.debug
• scrapers/file/file.go
• scrapers/file/file_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Drop OIDC permission while using static AWS keys.

Line 71 grants id-token: write, but the AWS step still authenticates with ECR_AWS_ACCESS_KEY / ECR_AWS_SECRET_ACCESS_KEY. That gives every step in the docker job OIDC token access without using it. Remove it unless this job is switching to role-to-assume.

🔒 Proposed least-privilege fix

     permissions:
       contents: read
-      id-token: write

Also applies to: 104-109

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 69 - 71, Remove the unnecessary
OIDC permission by deleting the "id-token: write" entry from the permissions
block used by the docker job (the block that currently contains "contents: read"
and "id-token: write"); since authentication is done via ECR_AWS_ACCESS_KEY /
ECR_AWS_SECRET_ACCESS_KEY, ensure only "contents: read" (or other minimal needed
permissions) remain, and also remove the same "id-token: write" entry in the
duplicate permissions block referenced later (the lines applying to the same
docker job / release workflow).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Behavior change: cache key now collapses distinct credentials to the same path.

Hashing stripSecrets(uri) (instead of the raw uri) means two config entries pointing at the same host/path but with different embedded credentials now resolve to the same tempDir. Since getter.GetAny writes into that directory, concurrent or sequential scrapes for different credentialed URLs can share/overwrite each other's cached content. If that collision is intentional (dedup identical sources), consider calling it out; otherwise hash the raw uri and only use stripSecrets for logging.

Also worth noting: existing on-disk caches under the old MD5-suffixed directories will be orphaned after this change (harmless, but may warrant a one-time cleanup or a release note).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scrapers/file/file.go` at line 60, The cache key is being computed from
stripSecrets(uri) causing different credentialed URIs to collide; change the
hash input to the raw uri (use uri, not stripSecrets(uri)) when computing hash
(the line with hash := sha256.Sum256(...)) so tempDir is unique per exact URL,
and keep stripSecrets(uri) only where used for logging/debug output; ensure any
references to tempDir or getter.GetAny remain unchanged so writes stay isolated
per hashed raw URI.