Skip to content

Provide GitHub Actions pinning#1838

Open
lucperkins wants to merge 1 commit into
mainfrom
actions-pinning
Open

Provide GitHub Actions pinning#1838
lucperkins wants to merge 1 commit into
mainfrom
actions-pinning

Conversation

@lucperkins

@lucperkins lucperkins commented Jun 4, 2026

Copy link
Copy Markdown
Member
Description
Checklist
  • Formatted with cargo fmt
  • Built with nix build
  • Ran flake checks with nix flake check
  • Added or updated relevant tests (leave unchecked if not applicable)
  • Added or updated relevant documentation (leave unchecked if not applicable)
  • Linked to related issues (leave unchecked if not applicable)
Validating with install.determinate.systems

If a maintainer has added the upload to s3 label to this PR, it will become available for installation via install.determinate.systems:

curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix/pr/$PR_NUMBER | sh -s -- install

Summary by CodeRabbit

Release Notes

  • Chores
    • Strengthened CI/CD security by pinning GitHub Actions to specific versions and implementing job-level permission scoping
    • Updated dependency management to check for updates weekly with automated grouping of similar changes
    • Integrated new automated security scanning into the build and release workflows
    • Enhanced credential handling practices across deployment pipelines

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This pull request hardens the repository's CI/CD security posture across eight GitHub Actions workflows by pinning all third-party action references to commit SHAs instead of floating version tags, scoping job-level permissions restrictively, and disabling credential persistence. Dependabot configuration is upgraded to version 2 with weekly scheduling and pinning enforcement. A new Zizmor security scanning workflow is integrated to continuously validate action pinning.

Changes

GitHub Actions Security Hardening

Layer / File(s) Summary
Dependabot configuration
.github/dependabot.yml
Configuration upgraded to version 2 with weekly GitHub Actions updates, grouped patterns, ignore rules for DeterminateSystems/*, and ci commit prefix.
Build workflow hardening
.github/workflows/build-aarch64-darwin.yml, .github/workflows/build-aarch64-linux.yml, .github/workflows/build-x86_64-linux.yml
Explicit job-level permissions added, actions/checkout pinned to v6.0.3 with persist-credentials: false, and actions/upload-artifact pinned to v7.0.1 across all three build architectures.
CI workflow hardening
.github/workflows/ci.yml
Top-level permissions removed and replaced with job-level contents: read for build/check jobs. Eight jobs updated to pin actions/checkout to v6.0.3 with credential persistence disabled, and download-artifact steps pinned to v8.0.1.
Release branch workflow hardening
.github/workflows/release-branches.yml
Build jobs add contents: read permissions. Release job pins actions/checkout, actions/download-artifact, and AWS credentials action to commit SHAs. Shell variables compute REF_NAME, BRANCH, and GIT_ISH for S3 and install URL configuration.
Release PR workflow hardening
.github/workflows/release-prs.yml
All build and release jobs add contents: read permissions. Release job pins actions/checkout to v6.0.3, all three actions/download-artifact steps to v8.0.1, and AWS credentials to v6.2.0.
Release tags workflow and gh CLI publishing
.github/workflows/release-tags.yml
Build jobs add contents: read permissions and all action references pinned to commit SHAs. Release publication step replaces softprops/action-gh-release with inline gh release create script that globs artifacts/**, validates artifact and nix-installer.sh presence, and exits explicitly on missing files.
Update workflow action pinning
.github/workflows/update.yml
actions/checkout and DeterminateSystems/determinate-nix-action pinned to commit SHAs instead of version tags.

Zizmor Security Scanning Integration

Layer / File(s) Summary
Zizmor workflow and configuration
.github/workflows/zizmor.yml, .github/zizmor.yml
New zizmor workflow runs on main pushes and pull requests with minimal least-privilege permissions (security-events: write, contents: read, actions: read). Checks out repository with persist-credentials: false and executes pinned Zizmor action against configuration file that enforces unpinned-uses rule with ref-pin policy for DeterminateSystems/*.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🐰 Workflows locked down tight with hashes and pins,
Permissions trimmed slim where each job begins,
Zizmor now watches to catch wayward refs,
No floaty versions in this security fest!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Provide GitHub Actions pinning' accurately describes the primary change: pinning GitHub Actions to specific commit SHAs across multiple workflows and configuration files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch actions-pinning

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/ci.yml

jobs:
build-x86_64-linux:
permissions:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this interact with the permissions that we set in these individual workflows?

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

♻️ Duplicate comments (3)
.github/workflows/build-aarch64-linux.yml (1)

18-19: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

DeterminateSystems actions remain unpinned.

Same issue as in build-aarch64-darwin.yml: these actions use @main instead of pinned commit SHAs, violating the zizmor ref-pin policy for DeterminateSystems/*.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-aarch64-linux.yml around lines 18 - 19, The workflow
currently references unpinned actions
DeterminateSystems/determinate-nix-action@main and
DeterminateSystems/flakehub-cache-action@main; replace both `@main` refs with
specific commit SHAs (pin to an immutable ref) for
DeterminateSystems/determinate-nix-action and
DeterminateSystems/flakehub-cache-action so the CI complies with the zizmor
ref-pin policy—update the action uses to the chosen commit SHAs and verify the
SHAs point to the intended releases/commits before committing.
.github/workflows/ci.yml (1)

36-36: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

DeterminateSystems actions remain unpinned throughout this workflow.

Multiple DeterminateSystems actions use @main tags instead of pinned commit SHAs:

  • DeterminateSystems/flake-checker-action@main (line 36)
  • DeterminateSystems/determinate-nix-action@main (lines 41, 82, 120, 201, 243, 326, 364, 445, 469, 541)
  • DeterminateSystems/flakehub-cache-action@main (lines 42, 548)
  • DeterminateSystems/nix-installer-action@main (lines 82, 120, 201, 243, 326, 364, 445, 469, 541)

This violates the zizmor ref-pin policy for DeterminateSystems/*.

Also applies to: 41-41, 82-82, 120-120, 201-201, 243-243, 326-326, 364-364, 445-445, 469-469, 541-541, 548-548

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 36, The workflow uses unpinned
DeterminateSystems actions (e.g., DeterminateSystems/flake-checker-action@main,
DeterminateSystems/determinate-nix-action@main,
DeterminateSystems/flakehub-cache-action@main,
DeterminateSystems/nix-installer-action@main); replace each `@main` reference with
a pinned commit SHA (or a stable tag) for every occurrence so the CI complies
with the ref-pin policy—search for those action names in the CI file and update
all instances to use specific SHAs instead of `@main`, ensuring consistency across
every listed occurrence.
.github/workflows/build-x86_64-linux.yml (1)

18-19: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

DeterminateSystems actions remain unpinned.

Same issue as in other build workflows: these actions use @main instead of pinned commit SHAs, violating the zizmor ref-pin policy for DeterminateSystems/*.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-x86_64-linux.yml around lines 18 - 19, The workflow
references DeterminateSystems actions with unpinned refs (uses:
DeterminateSystems/determinate-nix-action@main and uses:
DeterminateSystems/flakehub-cache-action@main); update each uses line to pin a
specific immutable commit SHA (replace `@main` with @<commit-sha>) for both
DeterminateSystems/determinate-nix-action and
DeterminateSystems/flakehub-cache-action to comply with the ref-pin policy and
avoid floating references.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-aarch64-darwin.yml:
- Around line 18-19: Replace loose refs for DeterminateSystems actions with
pinned commit SHAs: find usages of
"DeterminateSystems/determinate-nix-action@main" and
"DeterminateSystems/flakehub-cache-action@main" (and other
DeterminateSystems/*`@main` occurrences) and update each to the corresponding
repository commit SHA (obtained from the action repo’s commit history) instead
of `@main`; ensure every workflow file that references these actions uses the
exact SHA string (e.g., @<full-commit-sha>) so it satisfies the ref-pin policy.

In @.github/workflows/release-prs.yml:
- Around line 53-54: The workflow is missing the GitHub OIDC permission required
by aws-actions/configure-aws-credentials when using the role-to-assume option;
update the permissions block (which currently only has contents: read) to
include id-token: write so the OIDC id-token can be issued, ensuring the release
job's call to aws-actions/configure-aws-credentials (role-to-assume) can
authenticate successfully.

In @.github/workflows/update.yml:
- Line 21: Replace the mutable GitHub Action ref
"DeterminateSystems/update-flake-lock@main" with an immutable commit SHA for
that repo; locate the workflow step using the string
DeterminateSystems/update-flake-lock@main and change it to
DeterminateSystems/update-flake-lock@<commit-sha> (use the specific commit SHA
you want to pin) so the action is SHA-pinned like the other `uses:` entries.

---

Duplicate comments:
In @.github/workflows/build-aarch64-linux.yml:
- Around line 18-19: The workflow currently references unpinned actions
DeterminateSystems/determinate-nix-action@main and
DeterminateSystems/flakehub-cache-action@main; replace both `@main` refs with
specific commit SHAs (pin to an immutable ref) for
DeterminateSystems/determinate-nix-action and
DeterminateSystems/flakehub-cache-action so the CI complies with the zizmor
ref-pin policy—update the action uses to the chosen commit SHAs and verify the
SHAs point to the intended releases/commits before committing.

In @.github/workflows/build-x86_64-linux.yml:
- Around line 18-19: The workflow references DeterminateSystems actions with
unpinned refs (uses: DeterminateSystems/determinate-nix-action@main and uses:
DeterminateSystems/flakehub-cache-action@main); update each uses line to pin a
specific immutable commit SHA (replace `@main` with @<commit-sha>) for both
DeterminateSystems/determinate-nix-action and
DeterminateSystems/flakehub-cache-action to comply with the ref-pin policy and
avoid floating references.

In @.github/workflows/ci.yml:
- Line 36: The workflow uses unpinned DeterminateSystems actions (e.g.,
DeterminateSystems/flake-checker-action@main,
DeterminateSystems/determinate-nix-action@main,
DeterminateSystems/flakehub-cache-action@main,
DeterminateSystems/nix-installer-action@main); replace each `@main` reference with
a pinned commit SHA (or a stable tag) for every occurrence so the CI complies
with the ref-pin policy—search for those action names in the CI file and update
all instances to use specific SHAs instead of `@main`, ensuring consistency across
every listed occurrence.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b4d441cf-41eb-4ca1-8c46-331eda5a9cf0

📥 Commits

Reviewing files that changed from the base of the PR and between 9a5e37a and 3afbc36.

📒 Files selected for processing (11)
  • .github/dependabot.yml
  • .github/workflows/build-aarch64-darwin.yml
  • .github/workflows/build-aarch64-linux.yml
  • .github/workflows/build-x86_64-linux.yml
  • .github/workflows/ci.yml
  • .github/workflows/release-branches.yml
  • .github/workflows/release-prs.yml
  • .github/workflows/release-tags.yml
  • .github/workflows/update.yml
  • .github/workflows/zizmor.yml
  • .github/zizmor.yml

Comment on lines 18 to 19
uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all unpinned DeterminateSystems action references

rg -n --type yaml 'uses:\s+DeterminateSystems/[^@]+@(?!main$|[a-f0-9]{40})' .github/workflows/ || echo "No pinned DeterminateSystems actions found"

echo "---"
echo "Unpinned DeterminateSystems actions (using `@main` or tags):"
rg -n --type yaml 'uses:\s+DeterminateSystems/.*@(main|v\d)' .github/workflows/

Repository: DeterminateSystems/nix-installer

Length of output: 2479


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/zizmor.yml ==="
ls -la .github/zizmor.yml || true
sed -n '1,200p' .github/zizmor.yml || true

echo
echo "=== Re-scan for DeterminateSystems actions pinned to `@main` or version tags ==="
# Use PCRE2 so lookarounds work if needed, but we’ll also use simpler patterns.
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(main|v\d+(?:\.\d+)*)\b' .github/workflows/ || true

echo
echo "=== Re-scan for DeterminateSystems actions that are NOT pinned to a 40-hex SHA ==="
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(?![a-f0-9]{40}\b)[^@\s]+' .github/workflows/ || true

Repository: DeterminateSystems/nix-installer

Length of output: 4397


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/zizmor.yml ==="
ls -la .github/zizmor.yml || true
sed -n '1,200p' .github/zizmor.yml || true

echo
echo "=== Re-scan for DeterminateSystems actions pinned to `@main` or version tags ==="
# Use PCRE2 so lookarounds work if needed, but we’ll also use simpler patterns.
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(main|v\d+(?:\.\d+)*)\b' .github/workflows/ || true

echo
echo "=== Re-scan for DeterminateSystems actions that are NOT pinned to a 40-hex SHA ==="
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(?![a-f0-9]{40}\b)[^@\s]+' .github/workflows/ || true

Repository: DeterminateSystems/nix-installer

Length of output: 4397


Pin DeterminateSystems GitHub Actions to commit SHAs (zizmor ref-pin policy)

.github/zizmor.yml requires DeterminateSystems/*: ref-pin, but .github/workflows/build-aarch64-darwin.yml uses @main:

uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main

Same issue exists in multiple workflows (e.g., .github/workflows/build-x86_64-linux.yml, .github/workflows/build-aarch64-linux.yml, .github/workflows/ci.yml, .github/workflows/update.yml, .github/workflows/propose-release.yml).

Pin these actions to specific commit SHAs

Replace @main with the action repo commit SHA:

-      - uses: DeterminateSystems/determinate-nix-action@main
+      - uses: DeterminateSystems/determinate-nix-action@<commit-sha> # vX.Y.Z
-      - uses: DeterminateSystems/flakehub-cache-action@main
+      - uses: DeterminateSystems/flakehub-cache-action@<commit-sha> # vX.Y.Z
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-aarch64-darwin.yml around lines 18 - 19, Replace
loose refs for DeterminateSystems actions with pinned commit SHAs: find usages
of "DeterminateSystems/determinate-nix-action@main" and
"DeterminateSystems/flakehub-cache-action@main" (and other
DeterminateSystems/*`@main` occurrences) and update each to the corresponding
repository commit SHA (obtained from the action repo’s commit history) instead
of `@main`; ensure every workflow file that references these actions uses the
exact SHA string (e.g., @<full-commit-sha>) so it satisfies the ref-pin policy.

Comment on lines +53 to +54
permissions:
contents: read

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Missing id-token: write permission for AWS OIDC authentication.

The release job uses aws-actions/configure-aws-credentials with role-to-assume (line 98), which requires OIDC authentication via GitHub's id-token. The current permissions only grant contents: read, causing authentication to fail at runtime.

🔐 Add the required permission
   release:
     permissions:
       contents: read
+      id-token: write
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
contents: read
permissions:
contents: read
id-token: write
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-prs.yml around lines 53 - 54, The workflow is
missing the GitHub OIDC permission required by
aws-actions/configure-aws-credentials when using the role-to-assume option;
update the permissions block (which currently only has contents: read) to
include id-token: write so the OIDC id-token can be issued, ensuring the release
job's call to aws-actions/configure-aws-credentials (role-to-assume) can
authenticate successfully.

with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0
- uses: DeterminateSystems/update-flake-lock@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify mutable action refs in this workflow.
rg -nP 'uses:\s+\S+@(main|master|v\d+(?:\.\d+){0,2})\b' .github/workflows/update.yml

Repository: DeterminateSystems/nix-installer

Length of output: 135


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Context around line 21 =="
nl -ba .github/workflows/update.yml | sed -n '1,80p'

echo
echo "== Mutable action refs in this workflow =="
rg -nP 'uses:\s+\S+@(main|master|v\d+(?:\.\d+){0,2})\b' .github/workflows/update.yml || true

Repository: DeterminateSystems/nix-installer

Length of output: 166


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Context around line 21 (15-30) =="
awk 'NR>=15 && NR<=30 {printf "%d:%s\n", NR, $0}' .github/workflows/update.yml

echo
echo "== Mutable action refs in this workflow =="
rg -nP 'uses:\s+\S+@(main|master|v\d+(?:\.\d+){0,2})\b' .github/workflows/update.yml || true

Repository: DeterminateSystems/nix-installer

Length of output: 789


Pin update-flake-lock to an immutable commit SHA.

In .github/workflows/update.yml, line 21 still uses a mutable ref (DeterminateSystems/update-flake-lock@main), which breaks the workflow’s otherwise-pinned action strategy (other uses: entries are already SHA-pinned).

      - uses: DeterminateSystems/update-flake-lock@main
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update.yml at line 21, Replace the mutable GitHub Action
ref "DeterminateSystems/update-flake-lock@main" with an immutable commit SHA for
that repo; locate the workflow step using the string
DeterminateSystems/update-flake-lock@main and change it to
DeterminateSystems/update-flake-lock@<commit-sha> (use the specific commit SHA
you want to pin) so the action is SHA-pinned like the other `uses:` entries.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants