Skip to content

fix(actions): pin exact commits instead of using mutable tags#88

Merged
sg-gs merged 1 commit into
masterfrom
pin_actions
Jul 10, 2026
Merged

fix(actions): pin exact commits instead of using mutable tags#88
sg-gs merged 1 commit into
masterfrom
pin_actions

Conversation

@TamaraFinogina

@TamaraFinogina TamaraFinogina commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

GitHub security recommendation is to pin reference to a full 40-character commit SHA instead of using tags, e.g., uses: actions/checkout@8ade135

This is done to avoid possible supply chain attacks, which could result in token exposure.

Summary by CodeRabbit

  • Chores
    • Pinned build, deployment, testing, and code-analysis automation actions to specific versions.
    • Preserved existing build, deployment, test, and analysis workflows while improving execution consistency and security.

@TamaraFinogina TamaraFinogina self-assigned this Jul 10, 2026
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

GitHub Actions references across build, deployment, pre-build, test, and SonarCloud workflows are changed from version tags or unpinned references to specific commit SHAs. Existing workflow commands, inputs, and job behavior remain unchanged.

Changes

CI action pinning

Layer / File(s) Summary
Build and deployment action pinning
.github/workflows/build-and-deploy.yml
Build, checkout, Docker, and kubectl actions use pinned commit SHAs while retaining existing commands and inputs.
Validation and analysis action pinning
.github/workflows/pre-build.yml, .github/workflows/run-tests.yml, .github/workflows/sonar-analysis.yml
Checkout, Node setup, and SonarQube scan actions use pinned commit SHAs in preparation, testing, and analysis workflows.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: pinning GitHub Actions to exact commits instead of mutable tags.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pin_actions

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-and-deploy.yml:
- Line 10: Disable credential persistence for both checkout steps in the
workflow by adding persist-credentials: false, and apply the same setting to
every other actions/checkout step introduced in this PR unless a later step
requires authenticated Git access.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3db522c9-7041-4023-9040-9f463e2cfa56

📥 Commits

Reviewing files that changed from the base of the PR and between c522624 and 91b3468.

📒 Files selected for processing (4)
  • .github/workflows/build-and-deploy.yml
  • .github/workflows/pre-build.yml
  • .github/workflows/run-tests.yml
  • .github/workflows/sonar-analysis.yml

steps:
- name: Check Out Repo
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows
echo
echo "== build-and-deploy.yml =="
cat -n .github/workflows/build-and-deploy.yml | sed -n '1,220p'

echo
echo "== checkout usage across workflow files =="
rg -n "actions/checkout|persist-credentials|GITHUB_TOKEN" .github/workflows -S

Repository: internxt/mail-server

Length of output: 3027


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Docker and ignore files =="
git ls-files | rg '(^|/)(Dockerfile|\.dockerignore|dockerignore)$|^\.github/workflows/.*\.yml$' -n

echo
echo "== .dockerignore =="
for f in .dockerignore Dockerfile ./.dockerignore ./Dockerfile; do
  if [ -f "$f" ]; then
    echo "--- $f"
    cat -n "$f" | sed -n '1,220p'
    echo
  fi
done

echo "== workflow files using checkout / git / github token =="
for f in .github/workflows/*.yml; do
  echo "--- $f"
  rg -n "actions/checkout|persist-credentials|git |GITHUB_TOKEN|github.token|checkout@" "$f" -n -S || true
done

Repository: internxt/mail-server

Length of output: 2910


🏁 Script executed:

#!/bin/bash
set -euo pipefail

for f in .github/workflows/pre-build.yml .github/workflows/run-tests.yml .github/workflows/sonar-analysis.yml; do
  echo "== $f =="
  cat -n "$f" | sed -n '1,220p'
  echo
done

Repository: internxt/mail-server

Length of output: 4320


Disable checkout credential persistence. actions/checkout leaves GITHUB_TOKEN in .git/config by default, so set persist-credentials: false on both checkouts here and on the other checkout steps in this PR unless a later step needs authenticated git access.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 9-10: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-and-deploy.yml at line 10, Disable credential
persistence for both checkout steps in the workflow by adding
persist-credentials: false, and apply the same setting to every other
actions/checkout step introduced in this PR unless a later step requires
authenticated Git access.

Source: Linters/SAST tools

@sg-gs sg-gs merged commit 9b4db20 into master Jul 10, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants