chore(ci): use reusable github actions workflows #31
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,27 +6,5 @@ on: | |
| - '*' | ||
|
|
||
| jobs: | ||
| # Job: Create release | ||
| release: | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| release-notes-url: ${{ steps.create-release.outputs.url }} | ||
| steps: | ||
| - uses: actions/checkout@v7 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| # Check if tag is valid | ||
| - name: Check tag | ||
| run: | | ||
| if ! [[ ${{ github.ref }} =~ ^refs/tags/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Create release | ||
| - name: Create release | ||
| id: create-release | ||
| uses: softprops/action-gh-release@v3 | ||
| with: | ||
| generate_release_notes: true | ||
| uses: konradmichalik/reusable-github-actions/.github/workflows/release.yml@main | ||
|
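Review bot: the removed lines carried two guards that the caller no longer has, `if: startsWith(github.ref, 'refs/tags/')` and the `Check tag` regex step, so confirm that the reusable release.yml enforces the same tag gating and version-format check; otherwise any ref matching the `- '*'` trigger reaches release creation. If that check is carried over, note that the old pattern `^refs/tags/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$` used unescaped dots, so escape them as `\.` to reject tags such as `1x2y3`. The `@main` reference on the new `uses:` line is mutable and should be pinned to a full commit SHA, as the existing review comment also notes.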
🧩 Analysis chain
🏁 Script executed: cat -n .github/workflows/release.yml | head -20
Repository: move-elevator/deployer-tools
Length of output: 293
🌐 Web query:
💡 Result: The security best practice for GitHub Actions reusable workflows is to pin all references to a full-length commit SHA [1][2][3]. Using a tag or branch (e.g.,
🌐 Web query:
💡 Result: The unpinned-uses audit is a security check provided by zizmor, a static analysis tool for GitHub Actions [1][2]. Its primary purpose is to identify and flag GitHub Actions or reusable workflows that are not pinned to a specific, immutable SHA reference [1][3].
Key details of the unpinned-uses audit include:
Functionality and Configuration: The rule ensures that actions are pinned by SHA hash, which protects against supply chain attacks where a tagged or branch-based reference (like v1 or main) is updated with malicious code [1][4]. As of zizmor v1.20.0, the default policy requires hash-pinning for all actions, including official GitHub actions [1][5]. Users can customize this behavior via a zizmor.yml configuration file, where they can define granular policies (e.g., allowing ref-pinning for trusted organizations) using pattern matching [1].
Audit Policies: The audit supports three primary policies for matched patterns:
- hash-pin: Requires the action to be pinned by a full SHA reference [1].
- ref-pin: Allows pinning by symbolic reference (e.g., tags or branches) or SHA reference [1].
- any: Requires no specific pinning [1].
Execution Requirements: The audit does not require online access to perform the initial detection of unpinned uses [6]. However, if you wish to use the tool's auto-fix feature to automatically resolve findings by pinning them to the latest SHA, online access and a GitHub token are required to fetch the commit hashes [6].
If you wish to revert to a more permissive policy for first-party actions (like those under actions/) after the v1.20.0 change, you can add the following to your zizmor.yml file [1][5]:
rules:
  unpinned-uses:
    config:
      policies:
        actions/: ref-pin
        github/: ref-pin
        dependabot/: ref-pin
Pin the release reusable workflow reference to a commit hash. Line 10 references
Suggested fix
- uses: konradmichalik/reusable-github-actions/.github/workflows/release.yml@main
+ uses: konradmichalik/reusable-github-actions/.github/workflows/release.yml@<FULL_40_CHAR_COMMIT_SHA>
🧰 Tools
🪛 zizmor (1.25.2)
[error] 10-10: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| use ComposerUnused\ComposerUnused\Configuration\Configuration; | ||
| use ComposerUnused\ComposerUnused\Configuration\NamedFilter; | ||
|
|
||
| return static function (Configuration $config): Configuration { | ||
| // These packages are consumed via Deployer's recipe loading mechanism, | ||
| // not through PHP `use`/autoload, so composer-unused cannot detect them. | ||
| return $config | ||
| ->addNamedFilter(NamedFilter::fromString('deployer/deployer')) | ||
| ->addNamedFilter(NamedFilter::fromString('sourcebroker/deployer-extended')); | ||
| }; |
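Review bot: `addNamedFilter` excludes deployer/deployer and sourcebroker/deployer-extended from the unused check permanently, so if the recipe loading that the comment cites as the reason is later removed or changed, composer-unused will keep treating both packages as used; consider stating in the comment where the recipes are loaded so the filter can be revisited when that code changes.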
🌐 Web query: zizmor github actions security linter
💡 Result: zizmor is a security-focused static analysis tool designed specifically for GitHub Actions [1][2]. Written in Rust, it aims to identify and help remediate potential vulnerabilities within CI/CD configurations [2][3].
Key features of zizmor include:
- Security Auditing: It detects common security issues such as template injection vulnerabilities, accidental credential exposure, excessive runner permissions, and the use of known vulnerable actions [2][4].
- Integration Options: zizmor-action: The official GitHub Action for automated integration. It supports uploading results to GitHub Advanced Security (where available) or printing them directly to the console [5][6]. Manual Integration: Users can run zizmor directly in their workflows using various output formats, including SARIF (for code scanning integration), JSON, or plain text [6].
- Developer-Friendly: It is designed with a high signal-to-noise ratio and supports multiple "personas" (like pedantic or auditor) to adjust sensitivity [1].
- Offline Capability: zizmor functions as an offline-native tool, though it can optionally utilize a GitHub API token to fetch remote workflows or interact with GitHub's ecosystem [1][7].
- Compatibility: It can be integrated into broader linter frameworks such as Super-Linter and MegaLinter [6].
Official documentation and resources are available at https://zizmor.sh/ and the source code can be found in the zizmorcore/zizmor repository on GitHub [1][2].
🌐 Web query: github reusable workflows pinning commit sha best practice
💡 Result: The best practice for referencing reusable workflows in GitHub Actions is to pin them to a full-length commit SHA [1][2][3]. Using mutable references like branch names or tags is a significant security risk, as a compromised upstream repository could allow an attacker to inject malicious code that your workflows would automatically execute [1][2][4].
Key recommendations and best practices include:
- Pin to full SHA: Always reference reusable workflows using a 40-character commit SHA [2][4]. This ensures immutability and guarantees that the exact code you audited is the code that runs, protecting against supply chain attacks such as malicious tag re-pointing [1][4].
- Maintain readability with comments: While the reference must be a SHA, it is a common best practice to append the intended version tag as a comment for readability and easier maintenance, for example: uses: owner/repo/.github/workflows/workflow.yml@a1b2c3d4e5f6g7h8i9j0k1l2 # v1.0.0 [4][5].
- Use organization policies: If using GitHub Enterprise, configure the organization-level policy to Require actions to be pinned to a full-length commit SHA [1][3]. This enforcement mechanism prevents accidental use of mutable references and ensures consistent security standards across your organization [3].
- Implement drift audits: Because organization policies may not recursively verify nested reusable workflows, implement periodic audits or CI checks to walk the dependency tree of your workflows [1]. Tools or custom scripts can be used to parse YAML files, resolve the references, and fail builds that contain unpinned refs [1].
- Leverage automation: Use tools like Dependabot or specialized CI utilities (e.g., pinact) to help manage and update these pinned references, ensuring that you can receive security patches and feature updates while maintaining control over when upgrades occur [3][5].
Note on same-repo workflows: Reusable workflows located within the same repository (e.g., ./.github/workflows/my-workflow.yml) are implicitly pinned to the commit SHA of the caller, so they do not require explicit SHA pinning [4]. Cross-repository references, however, must always be explicitly pinned [4].
Pin reusable workflow to an immutable commit SHA.
Line 9 uses @main, which is mutable and creates a supply-chain security risk. GitHub's recommended best practice is to pin reusable workflows to a full 40-character commit SHA to prevent supply-chain attacks. The same issue also exists in .github/workflows/release.yml at line 10.
Suggested fix for cgl.yml
Apply the same fix to .github/workflows/release.yml line 10.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 9-9: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
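As an added example (not code from the move-elevator/deployer-tools project, from the reusable-workflow repository, or from zizmor), a minimal checker in the spirit of the unpinned-uses audit and the drift audit that both review comments above describe: it classifies every `uses:` reference in a caller workflow as local, hash-pinned, ref-pinned or unpinned and applies the prefix policies from the quoted zizmor.yml fragment. The sample workflow text and the 40-character SHA in it are constructed for the example.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")  # `uses: <ref>` lines

# Prefix policies mirroring the zizmor.yml fragment quoted in the review (assumed
# policy set); anything unmatched falls back to the blanket hash-pin default.
POLICIES = {"actions/": "ref-pin", "github/": "ref-pin", "dependabot/": "ref-pin"}
DEFAULT_POLICY = "hash-pin"

# Constructed sample caller workflow; the @main line is the one the review flags.
SAMPLE_WORKFLOW = """\
on: {push: {tags: ['*']}}
jobs:
  release:
    uses: konradmichalik/reusable-github-actions/.github/workflows/release.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
      - uses: ./.github/actions/local-thing
      - uses: softprops/action-gh-release@0123456789abcdef0123456789abcdef01234567 # v3, constructed SHA
"""

def classify(ref: str) -> str:
    """Return 'local', 'hash', 'ref' or 'unpinned' for one uses: target."""
    if ref.startswith("./"):
        return "local"  # same-repo path: implicitly pinned to the caller's commit
    if "@" not in ref:
        return "unpinned"
    return "hash" if SHA_RE.match(ref.rsplit("@", 1)[1]) else "ref"

def policy_for(ref: str) -> str:
    """Pick the policy of the first matching owner prefix, else the default."""
    return next((p for pre, p in POLICIES.items() if ref.startswith(pre)), DEFAULT_POLICY)

def audit(workflow_text: str) -> list:
    """Return (line_no, ref, kind, policy) for every uses: that violates its policy."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, kind, pol = m.group(1), classify(m.group(1)), policy_for(m.group(1))
        if kind == "local" or pol == "any":
            continue
        if kind == "unpinned" or (pol == "hash-pin" and kind != "hash"):
            findings.append((no, ref, kind, pol))
    return findings
```

Running `audit(SAMPLE_WORKFLOW)` reports only the `@main` reusable-workflow line, while `actions/checkout@v7` passes under its ref-pin policy and the local path is skipped; a CI job can fail the build whenever the returned list is non-empty.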