Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions .github/workflows/build-and-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,16 +7,16 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check Out Repo
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

git ls-files .github/workflows
echo
echo "== build-and-deploy.yml =="
cat -n .github/workflows/build-and-deploy.yml | sed -n '1,220p'

echo
echo "== checkout usage across workflow files =="
rg -n "actions/checkout|persist-credentials|GITHUB_TOKEN" .github/workflows -S

Repository: internxt/mail-server

Length of output: 3027


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Docker and ignore files =="
git ls-files | rg '(^|/)(Dockerfile|\.dockerignore|dockerignore)$|^\.github/workflows/.*\.yml$' -n

echo
echo "== .dockerignore =="
for f in .dockerignore Dockerfile ./.dockerignore ./Dockerfile; do
  if [ -f "$f" ]; then
    echo "--- $f"
    cat -n "$f" | sed -n '1,220p'
    echo
  fi
done

echo "== workflow files using checkout / git / github token =="
for f in .github/workflows/*.yml; do
  echo "--- $f"
  rg -n "actions/checkout|persist-credentials|git |GITHUB_TOKEN|github.token|checkout@" "$f" -n -S || true
done

Repository: internxt/mail-server

Length of output: 2910


🏁 Script executed:

#!/bin/bash
set -euo pipefail

for f in .github/workflows/pre-build.yml .github/workflows/run-tests.yml .github/workflows/sonar-analysis.yml; do
  echo "== $f =="
  cat -n "$f" | sed -n '1,220p'
  echo
done

Repository: internxt/mail-server

Length of output: 4320


Disable checkout credential persistence. actions/checkout leaves GITHUB_TOKEN in .git/config by default, so set persist-credentials: false on both checkouts here and on the other checkout steps in this PR unless a later step needs authenticated git access.

🧰 Tools
🪛 zizmor (1.26.1)

[warning] 9-10: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-and-deploy.yml at line 10, Disable credential
persistence for both checkout steps in the workflow by adding
persist-credentials: false, and apply the same setting to every other
actions/checkout step introduced in this PR unless a later step requires
authenticated Git access.

Source: Linters/SAST tools

- name: Login to DockerHub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Build and push to mail-server
uses: docker/build-push-action@v5
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
with:
context: ./
file: ./Dockerfile
Expand All @@ -29,15 +29,15 @@ jobs:
environment:
name: production
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1

- name: Update mail-server image
uses: steebchen/kubectl@v2.0.0
uses: steebchen/kubectl@bd911c0b014904226d4cbd571ec0f7b679c5bb7c # v2.0.0
with:
config: ${{ secrets.KUBE_CONFIG_DATA }}
command: set image --record deployment/mail-server mail-server=${{ secrets.DOCKERHUB_USERNAME }}/mail-server:${{ github.sha }} -n mail
- name: Verify mail-server rollout
uses: steebchen/kubectl@v2.0.0
uses: steebchen/kubectl@bd911c0b014904226d4cbd571ec0f7b679c5bb7c # v2.0.0
with:
config: ${{ secrets.KUBE_CONFIG_DATA }}
command: rollout status deployment/mail-server -n mail
4 changes: 2 additions & 2 deletions .github/workflows/pre-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,10 @@ jobs:
node-version: [24.x]
steps:
- name: Check Out Repo
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: ${{ matrix.node-version }}
registry-url: 'https://npm.pkg.github.com'
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/run-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,10 @@ jobs:
node-version: [24.x]
steps:
- name: Checkout repo
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: ${{ matrix.node-version }}
registry-url: 'https://npm.pkg.github.com'
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/sonar-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,12 @@ jobs:
matrix:
node-version: [24.x]
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0

- name: Set up Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: ${{ matrix.node-version }}
registry-url: 'https://npm.pkg.github.com'
Expand All @@ -37,7 +37,7 @@ jobs:
run: npm run test:cov

- name: SonarCloud Scan
uses: SonarSource/sonarqube-scan-action@v6
uses: SonarSource/sonarqube-scan-action@fd88b7d7ccbaefd23d8f36f73b59db7a3d246602 # v6.0.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
Loading