fix(actions): pin exact commits instead of using mutable tags#88
Conversation
📝 WalkthroughWalkthroughGitHub Actions references across build, deployment, pre-build, test, and SonarCloud workflows are changed from version tags or unpinned references to specific commit SHAs. Existing workflow commands, inputs, and job behavior remain unchanged. ChangesCI action pinning
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-and-deploy.yml:
- Line 10: Disable credential persistence for both checkout steps in the
workflow by adding persist-credentials: false, and apply the same setting to
every other actions/checkout step introduced in this PR unless a later step
requires authenticated Git access.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3db522c9-7041-4023-9040-9f463e2cfa56
📒 Files selected for processing (4)
.github/workflows/build-and-deploy.yml.github/workflows/pre-build.yml.github/workflows/run-tests.yml.github/workflows/sonar-analysis.yml
| steps: | ||
| - name: Check Out Repo | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
git ls-files .github/workflows
echo
echo "== build-and-deploy.yml =="
cat -n .github/workflows/build-and-deploy.yml | sed -n '1,220p'
echo
echo "== checkout usage across workflow files =="
rg -n "actions/checkout|persist-credentials|GITHUB_TOKEN" .github/workflows -SRepository: internxt/mail-server
Length of output: 3027
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Docker and ignore files =="
git ls-files | rg '(^|/)(Dockerfile|\.dockerignore|dockerignore)$|^\.github/workflows/.*\.yml$' -n
echo
echo "== .dockerignore =="
for f in .dockerignore Dockerfile ./.dockerignore ./Dockerfile; do
if [ -f "$f" ]; then
echo "--- $f"
cat -n "$f" | sed -n '1,220p'
echo
fi
done
echo "== workflow files using checkout / git / github token =="
for f in .github/workflows/*.yml; do
echo "--- $f"
rg -n "actions/checkout|persist-credentials|git |GITHUB_TOKEN|github.token|checkout@" "$f" -n -S || true
doneRepository: internxt/mail-server
Length of output: 2910
🏁 Script executed:
#!/bin/bash
set -euo pipefail
for f in .github/workflows/pre-build.yml .github/workflows/run-tests.yml .github/workflows/sonar-analysis.yml; do
echo "== $f =="
cat -n "$f" | sed -n '1,220p'
echo
doneRepository: internxt/mail-server
Length of output: 4320
Disable checkout credential persistence. actions/checkout leaves GITHUB_TOKEN in .git/config by default, so set persist-credentials: false on both checkouts here and on the other checkout steps in this PR unless a later step needs authenticated git access.
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 9-10: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build-and-deploy.yml at line 10, Disable credential
persistence for both checkout steps in the workflow by adding
persist-credentials: false, and apply the same setting to every other
actions/checkout step introduced in this PR unless a later step requires
authenticated Git access.
Source: Linters/SAST tools



GitHub security recommendation is to pin reference to a full 40-character commit SHA instead of using tags, e.g., uses: actions/checkout@8ade135
This is done to avoid possible supply chain attacks, which could result in token exposure.
Summary by CodeRabbit