SHA pin all images #3016
📝 Walkthrough: Pins Docker image digests and GitHub Actions to immutable SHAs across Renovate config, CI workflows, Dockerfiles, Makefile, compose, and dev/test scripts; adds Renovate regex managers to detect digest-pinned OCI image annotations.
Changes: Container and Action Digest Pinning
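The walkthrough above lists the file types the PR pins. As an added example (not code from the PR or from traQ), the following check fails when a Dockerfile `FROM` line or a compose/workflow `image:` line still references an image without a sha256 digest, so the pinning introduced here cannot silently regress. Build-stage references (`FROM builder`) and `FROM scratch` are skipped because they are not registry pulls; `docker run` invocations in the Makefile and scripts are out of scope. File names and sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the traQ PR: a lint that fails when a Dockerfile
# "FROM" line or a compose / workflow "image:" line references an image with no
# sha256 digest. Build-stage aliases ("FROM x AS builder" ... "FROM builder") and
# "FROM scratch" are not registry pulls and are skipped. "docker run" lines in
# Makefiles and scripts are out of scope here.

# check_pinned <file>: returns 0 when every pullable reference carries a digest,
# 1 otherwise, listing the offenders on stderr.
check_pinned() {
  file="$1"
  rc=0
  stages=" "                       # space-delimited stage names seen so far
  while IFS= read -r line || [ -n "$line" ]; do
    # Pull the reference out of "FROM [--flag ...] <ref>" or "image: <ref>",
    # dropping YAML quotes; comment lines never match the leading anchor.
    ref=$(printf '%s\n' "$line" | tr -d "\"'" | sed -nE \
      's/^[[:space:]]*([Ff][Rr][Oo][Mm][[:space:]]+(--[^[:space:]]+[[:space:]]+)*|image:[[:space:]]*)([^[:space:]#]+).*/\3/p')
    [ -n "$ref" ] || continue
    # Remember "AS <name>" so a later "FROM <name>" is treated as a stage, not an image.
    stage=$(printf '%s\n' "$line" | sed -nE 's/.*[[:space:]][Aa][Ss][[:space:]]+([^[:space:]]+).*/\1/p')
    if [ -n "$stage" ]; then stages="$stages$stage "; fi
    case "$ref" in scratch) continue ;; esac
    case "$stages" in *" $ref "*) continue ;; esac
    # A pinned reference ends in @sha256:<64 hex>; a tag may still precede it.
    if ! printf '%s\n' "$ref" | grep -qE '@sha256:[0-9a-f]{64}$'; then
      printf '%s: unpinned image reference: %s\n' "$file" "$ref" >&2
      rc=1
    fi
  done < "$file"
  return "$rc"
}
```

Run it over the pinned files in a step that precedes the tests (for example `for f in Dockerfile compose.yaml .github/workflows/*.yml; do check_pinned "$f"; done`): a digest rolled forward by Renovate still passes, while a hand-edited `image: foo:latest` fails the job.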
Actionable comments posted: 6
🧹 Nitpick comments (1)
dev/bin/up-test-db.sh (1)
17-17: ⚡ Quick win: Consider quoting the variables for defensive scripting.
While ${containername} and ${port} won't cause issues in this specific context, quoting variables is a shell scripting best practice that prevents potential word splitting or globbing issues.
🛡️ Proposed fix
- docker run --name ${containername} -p ${port}:3306 -e MYSQL_ROOT_PASSWORD=password -e MYSQL_DATABASE=traq -d mariadb:10.6.4@sha256:c014ba1efc5dbd711d0520c7762d57807f35549de3414eb31e942a420c8a2ed2 \
+ docker run --name "${containername}" -p "${port}":3306 -e MYSQL_ROOT_PASSWORD=password -e MYSQL_DATABASE=traq -d mariadb:10.6.4@sha256:c014ba1efc5dbd711d0520c7762d57807f35549de3414eb31e942a420c8a2ed2 \
Inline comments (summary):
In .github/renovate/regex-manager.json5:
- Around lines 32-44: The current regex in the "matchStrings" entry (the depName capture group) requires at least one '/' due to `(?<depName>[^\\s:@]+(?:/[^\\s:@]+)+)`, which excludes official Docker Hub images like "golang"; update that capture to allow zero or more path components (e.g., change the `+` quantifier on `(?:/[^\\s:@]+)` to `*`) so depName matches both short names (golang) and names with namespaces/registries (org/name or registry/org/name).
📒 Files selected for processing (12): .github/renovate.json5, .github/renovate/regex-manager.json5, .github/workflows/main.yml, .github/workflows/master.yml, .github/workflows/release.yml, .github/workflows/renovate.yml, .github/workflows/swagger-change.yml, Dockerfile, Makefile, compose.yaml, dev/Dockerfile-frontend, dev/bin/up-test-db.sh
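The regex-manager.json5 comment above quotes only the depName capture group. The following added example is not the repository's own configuration: the tag and digest groups wrapped around the quoted depName are an assumption, written with Renovate's standard capture names (currentValue, currentDigest). It runs both the reviewed and the corrected group over lines taken from this PR's diff (plus two constructed non-matching lines) and shows which pinned images the `+` quantifier would have hidden from Renovate.

```python
import re
from typing import List, Optional

# Added example; not the traQ repository's .github/renovate/regex-manager.json5.
# Only the depName group below is quoted in the review. The tag and digest groups
# wrapped around it are an assumption, using Renovate's standard capture names.
_REF_TAIL = r"(?::(?P<currentValue>[^\s:@]+))?@(?P<currentDigest>sha256:[0-9a-f]{64})"

# As reviewed: `(?:/[^\s:@]+)+` demands at least one "/" inside the name, so an
# official Docker Hub image referenced by its bare name never matches.
RESTRICTIVE = re.compile(r"(?P<depName>[^\s:@]+(?:/[^\s:@]+)+)" + _REF_TAIL)

# Corrected: `*` allows zero or more path components, so "mariadb",
# "org/name" and "registry/org/name" all match.
CORRECTED = re.compile(r"(?P<depName>[^\s:@]+(?:/[^\s:@]+)*)" + _REF_TAIL)

# Sample lines taken from the PR diff, plus two constructed lines that must not
# match: an unpinned tag and a SHA-pinned GitHub Action (not an OCI digest).
SAMPLE_LINES = [
    "    image: mariadb:10.11.17@sha256:8acd4a5561e8897cfc8a99480f25bcecb10b726fa17b1ec7381c6ef36fa00a79",
    "FROM gcr.io/distroless/base-debian12@sha256:58695f439f772a00009c8f6be4c183f824c1f556d74b313c30900f167e4772f8",
    "stoplight/spectral:6.15.1@sha256:b3d5a530f83c4a72df69e682c5ac928bc9821b5ca3c42529e81d926c80fa50ab \\",
    "FROM golang:1.23",
    "- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6",
]


def parse_pinned_ref(line: str, pattern: re.Pattern = CORRECTED) -> Optional[dict]:
    """Groups Renovate would extract from one line, or None when the line holds
    no digest-pinned image. A tag-less reference has no currentValue key."""
    m = pattern.search(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def silently_skipped(lines: List[str]) -> List[str]:
    """Lines the corrected pattern accepts but the reviewed one ignores: exactly
    the images Renovate would have stopped updating with the original regex."""
    return [ln for ln in lines
            if parse_pinned_ref(ln) is not None and parse_pinned_ref(ln, RESTRICTIVE) is None]


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(f"{ln.strip()[:60]:<60} -> {parse_pinned_ref(ln)}")
    print("skipped by reviewed regex:", silently_skipped(SAMPLE_LINES))
```

The failure mode is quiet: Renovate does not warn about a digest-pinned image its matchString never captures, so the mariadb service container would have stayed on the same digest forever while the PR's stated goal was automated updates. Running a table like this against the real matchStrings after each regex change is a cheap guard.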
| services: | ||
| mysql: | ||
| image: mariadb:10.11.17 | ||
| image: mariadb:10.11.17@sha256:8acd4a5561e8897cfc8a99480f25bcecb10b726fa17b1ec7381c6ef36fa00a79 |
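Review bot: the CI service container is now pinned to mariadb:10.11.17, while the dev/bin/up-test-db.sh change in the nitpick above pins mariadb:10.6.4, so local test runs and CI exercise different MariaDB release series behind the same test suite; align the two references (or derive both from one place) so the next digest bump lands in both and a behaviour difference between 10.6 and 10.11 cannot hide in the gap.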
Missing Renovate annotation for digest-pinned image.
The MariaDB image is pinned to a specific digest, but there's no # renovate:image-full-digest annotation. Without this, Renovate won't automatically update the digest when new versions are released, defeating the automation purpose of this PR.
📝 Proposed fix
services:
mysql:
+ # renovate:image-full-digest
image: mariadb:10.11.17@sha256:8acd4a5561e8897cfc8a99480f25bcecb10b726fa17b1ec7381c6ef36fa00a79
@ramdos0207 You're right, I apologize for the incorrect comment. Renovate's built-in github-actions manager already scans workflow files matching /(^|/)(workflow-templates|\.(?:github|gitea|forgejo)/(?:workflows|actions))/.+\.ya?ml$/ natively. Furthermore, looking at the project's own .github/renovate/regex-manager.json5, the custom managers already include fileMatch patterns covering .ya?ml files — so the digest-pinned service container images will be picked up and updated automatically without needing any # renovate:image-full-digest annotation.
The suggestion was mistaken. Thank you for the correction!
(ᵔ᷅ ·̫ ᵔ᷄)
| services: | ||
| mysql: | ||
| image: mariadb:10.11.17 | ||
| image: mariadb:10.11.17@sha256:8acd4a5561e8897cfc8a99480f25bcecb10b726fa17b1ec7381c6ef36fa00a79 |
Missing Renovate annotation for digest-pinned image.
Same issue as line 48—the MariaDB service image lacks a # renovate:image-full-digest annotation.
📝 Proposed fix
services:
mysql:
+ # renovate:image-full-digest
image: mariadb:10.11.17@sha256:8acd4a5561e8897cfc8a99480f25bcecb10b726fa17b1ec7381c6ef36fa00a79
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 | ||
| with: | ||
| name: traQ | ||
| - uses: k1low/setup-tbls@v1 | ||
| - uses: k1low/setup-tbls@f25e3d013a596865b2db90dac7ee19e9f15b5780 # v1 | ||
| with: | ||
| version: v1.65.3 | ||
| version: v1.94.5 |
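Review bot: the `# v1` trailer on the setup-tbls pin (and `# v6` / `# v8` on checkout and download-artifact in the same hunk) records only the major line, so a reader cannot check the SHA against a specific release; write the exact tag the SHA corresponds to in the comment, which is also what lets tooling that reads the trailer show a meaningful version in update PRs. The `version:` bump from v1.65.3 to v1.94.5 is a functional upgrade of tbls riding inside a pin-only PR; if the pinned action needs it, say so next to the line, otherwise split it out so a schema-doc regression can be bisected to it.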
tbls v1.94.5 exists upstream
version: v1.94.5 in .github/workflows/main.yml matches a released tag in k1LoW/tbls, so the referenced version is valid. The remaining gap is intent/documentation: add a short note explaining why the workflow was bumped from v1.65.3 to v1.94.5 (and any compatibility expectations).
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 86-86: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
| - name: Run spectral | ||
| run: spectral lint docs/v3-api.yaml --ruleset .spectral.yml --verbose | ||
| run: | | ||
| docker run --rm \ | ||
| -v "${{ github.workspace }}:/work" \ | ||
| -w /work \ | ||
| stoplight/spectral:6.15.1@sha256:b3d5a530f83c4a72df69e682c5ac928bc9821b5ca3c42529e81d926c80fa50ab \ | ||
| lint docs/v3-api.yaml --ruleset .spectral.yml --verbose |
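Review bot: `-v "${{ github.workspace }}:/work"` mounts the checkout read-write into the Spectral container, but `lint` only reads docs/v3-api.yaml and .spectral.yml; mount it read-only (`-v "${{ github.workspace }}:/work:ro"`) so a compromised or buggy linter image cannot modify the workspace. Pinning the image by digest, as done here, fixes which linter runs; the read-only mount limits what it can touch.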
Missing Renovate annotation for digest-pinned image.
The Spectral Docker image is pinned to a specific digest but lacks a # renovate:image-full-digest annotation. This prevents automatic updates by Renovate.
📝 Proposed fix
- name: Run spectral
run: |
+ # renovate:image-full-digest
docker run --rm \
-v "${{ github.workspace }}:/work" \
-w /work \
stoplight/spectral:6.15.1@sha256:b3d5a530f83c4a72df69e682c5ac928bc9821b5ca3c42529e81d926c80fa50ab \
lint docs/v3-api.yaml --ruleset .spectral.yml --verbose
| go build -o /traQ -ldflags "-s -w -X main.version=$TRAQ_VERSION -X main.revision=$TRAQ_REVISION" | ||
|
|
||
| FROM gcr.io/distroless/base:latest | ||
| FROM gcr.io/distroless/base-debian12@sha256:58695f439f772a00009c8f6be4c183f824c1f556d74b313c30900f167e4772f8 |
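Review bot: the new FROM carries a digest but no tag, so the line no longer says which distroless release it is (the old `:latest` at least named one) and Renovate's update PRs for it will show only a digest change with no version to review against; keep a tag next to the digest (`gcr.io/distroless/base-debian12:latest@sha256:58695f439f772a00009c8f6be4c183f824c1f556d74b313c30900f167e4772f8`) so the pin stays readable. If traQ does not need to run as root inside the container, the `:nonroot` variant of the same image is a one-word least-privilege improvement worth considering on this line.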
Missing Renovate annotation for digest-pinned image.
The distroless base image is pinned to a specific digest but lacks a # renovate:image-full-digest annotation for automatic updates.
📝 Proposed fix
+# renovate:image-full-digest
FROM gcr.io/distroless/base-debian12@sha256:58695f439f772a00009c8f6be4c183f824c1f556d74b313c30900f167e4772f8
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Pugma
left a comment
I skimmed through it.
It would be good if you could double-check this area 🙏
| "packageRules": [ | ||
| { | ||
| "description": "Pin Docker image digests", | ||
| "matchDatasources": ["docker"], | ||
| "pinDigests": true, | ||
| }, | ||
| ], |
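Review bot: this rule only covers the `docker` datasource, so it pins Dockerfile, compose and workflow image references but says nothing about GitHub Actions; the action SHAs introduced in this PR are maintained by Renovate's built-in github-actions manager once they are SHAs, but any `uses: owner/action@vN` that slips back in will stay a mutable tag unless a rule with `matchDepTypes: ["action"]` and `pinDigests: true` (the `helpers:pinGitHubActionDigests` preset) is added alongside this one.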
Unless there is a particular reason not to, it might be better to use this one?
https://docs.renovatebot.com/presets-docker/#dockerpindigests
Actionable comments posted: 4
🧹 Nitpick comments (1)
.github/workflows/swagger-change.yml (1)
24-24: ⚡ Quick win: Set persist-credentials: false on the checkout step (defense-in-depth).
After actions/checkout in .github/workflows/swagger-change.yml, there’s no subsequent git usage in this workflow; disabling credential persistence reduces the chance of credentials lingering on the runner.
🔒 Suggested fix
- name: Checkout
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+   persist-credentials: false
📒 Files selected for processing (5): .github/workflows/main.yml, .github/workflows/master.yml, .github/workflows/release.yml, .github/workflows/renovate.yml, .github/workflows/swagger-change.yml
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-go@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
Disable token persistence in actions/checkout steps.
actions/checkout defaults persist-credentials: true; .github/workflows/main.yml has checkout steps at lines 19, 33, 55, and 86 without overriding it, needlessly persisting the workflow token in local git config.
🔒 Suggested fix
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
@@
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
@@
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
@@
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 19-19: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
| image-digest: ${{ steps.build.outputs.digest }} | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
Set persist-credentials: false for actions/checkout steps.
The workflow doesn’t perform any authenticated git write operations after checkout, so keeping default credential persistence only widens token exposure.
🔒 Suggested fix
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
@@
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
| - name: Set IMAGE_TAG env | ||
| run: echo "IMAGE_TAG=$(echo ${GITHUB_REF:11})" >> $GITHUB_ENV | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
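Review bot: `${GITHUB_REF:11}` on the IMAGE_TAG line strips `refs/tags/` plus the leading `v` by counting characters, which is correct only while every tag is `vX.Y.Z` and is opaque to the next maintainer; `${GITHUB_REF_NAME#v}` states that intent directly, and the redirect should quote its target (`>> "$GITHUB_ENV"`). Unrelated to the SHA pin on the next line, but it sits in the touched region.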
Disable credential persistence for actions/checkout in release.yml.
The workflow’s only actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd step in the jobs.image job doesn’t perform any git write/auth, and it currently doesn’t set persist-credentials: false, so the default token persistence is unnecessary exposure.
🔒 Suggested fix
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 24-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
| app-id: ${{ secrets.RENOVATE_APP_ID }} | ||
| private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }} | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
Disable persisted checkout credentials.
In .github/workflows/renovate.yml, the actions/checkout step (line 49) doesn’t set with: persist-credentials: false, so the token will be persisted in the local git config by default.
🔒 Suggested fix
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 49-49: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
SHA pin all images as a risk mitigation against supply-chain attacks.