Provide GitHub Actions pinning#1838
Conversation
📝 WalkthroughWalkthroughThis pull request hardens the repository's CI/CD security posture across eight GitHub Actions workflows by pinning all third-party action references to commit SHAs instead of floating version tags, scoping job-level permissions restrictively, and disabling credential persistence. Dependabot configuration is upgraded to version 2 with weekly scheduling and pinning enforcement. A new Zizmor security scanning workflow is integrated to continuously validate action pinning. ChangesGitHub Actions Security Hardening
Zizmor Security Scanning Integration
🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
|
|
||
| jobs: | ||
| build-x86_64-linux: | ||
| permissions: |
There was a problem hiding this comment.
How does this interact with the permissions that we set in these individual workflows?
There was a problem hiding this comment.
Actionable comments posted: 3
♻️ Duplicate comments (3)
.github/workflows/build-aarch64-linux.yml (1)
18-19:⚠️ Potential issue | 🔴 Critical | ⚡ Quick winDeterminateSystems actions remain unpinned.
Same issue as in
build-aarch64-darwin.yml: these actions use@maininstead of pinned commit SHAs, violating the zizmorref-pinpolicy forDeterminateSystems/*.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build-aarch64-linux.yml around lines 18 - 19, The workflow currently references unpinned actions DeterminateSystems/determinate-nix-action@main and DeterminateSystems/flakehub-cache-action@main; replace both `@main` refs with specific commit SHAs (pin to an immutable ref) for DeterminateSystems/determinate-nix-action and DeterminateSystems/flakehub-cache-action so the CI complies with the zizmor ref-pin policy—update the action uses to the chosen commit SHAs and verify the SHAs point to the intended releases/commits before committing..github/workflows/ci.yml (1)
36-36:⚠️ Potential issue | 🔴 Critical | ⚡ Quick winDeterminateSystems actions remain unpinned throughout this workflow.
Multiple DeterminateSystems actions use
@maintags instead of pinned commit SHAs:
DeterminateSystems/flake-checker-action@main(line 36)DeterminateSystems/determinate-nix-action@main(lines 41, 82, 120, 201, 243, 326, 364, 445, 469, 541)DeterminateSystems/flakehub-cache-action@main(lines 42, 548)DeterminateSystems/nix-installer-action@main(lines 82, 120, 201, 243, 326, 364, 445, 469, 541)This violates the zizmor
ref-pinpolicy forDeterminateSystems/*.Also applies to: 41-41, 82-82, 120-120, 201-201, 243-243, 326-326, 364-364, 445-445, 469-469, 541-541, 548-548
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 36, The workflow uses unpinned DeterminateSystems actions (e.g., DeterminateSystems/flake-checker-action@main, DeterminateSystems/determinate-nix-action@main, DeterminateSystems/flakehub-cache-action@main, DeterminateSystems/nix-installer-action@main); replace each `@main` reference with a pinned commit SHA (or a stable tag) for every occurrence so the CI complies with the ref-pin policy—search for those action names in the CI file and update all instances to use specific SHAs instead of `@main`, ensuring consistency across every listed occurrence..github/workflows/build-x86_64-linux.yml (1)
18-19:⚠️ Potential issue | 🔴 Critical | ⚡ Quick winDeterminateSystems actions remain unpinned.
Same issue as in other build workflows: these actions use
@maininstead of pinned commit SHAs, violating the zizmorref-pinpolicy forDeterminateSystems/*.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/build-x86_64-linux.yml around lines 18 - 19, The workflow references DeterminateSystems actions with unpinned refs (uses: DeterminateSystems/determinate-nix-action@main and uses: DeterminateSystems/flakehub-cache-action@main); update each uses line to pin a specific immutable commit SHA (replace `@main` with @<commit-sha>) for both DeterminateSystems/determinate-nix-action and DeterminateSystems/flakehub-cache-action to comply with the ref-pin policy and avoid floating references.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-aarch64-darwin.yml:
- Around line 18-19: Replace loose refs for DeterminateSystems actions with
pinned commit SHAs: find usages of
"DeterminateSystems/determinate-nix-action@main" and
"DeterminateSystems/flakehub-cache-action@main" (and other
DeterminateSystems/*`@main` occurrences) and update each to the corresponding
repository commit SHA (obtained from the action repo’s commit history) instead
of `@main`; ensure every workflow file that references these actions uses the
exact SHA string (e.g., @<full-commit-sha>) so it satisfies the ref-pin policy.
In @.github/workflows/release-prs.yml:
- Around line 53-54: The workflow is missing the GitHub OIDC permission required
by aws-actions/configure-aws-credentials when using the role-to-assume option;
update the permissions block (which currently only has contents: read) to
include id-token: write so the OIDC id-token can be issued, ensuring the release
job's call to aws-actions/configure-aws-credentials (role-to-assume) can
authenticate successfully.
In @.github/workflows/update.yml:
- Line 21: Replace the mutable GitHub Action ref
"DeterminateSystems/update-flake-lock@main" with an immutable commit SHA for
that repo; locate the workflow step using the string
DeterminateSystems/update-flake-lock@main and change it to
DeterminateSystems/update-flake-lock@<commit-sha> (use the specific commit SHA
you want to pin) so the action is SHA-pinned like the other `uses:` entries.
---
Duplicate comments:
In @.github/workflows/build-aarch64-linux.yml:
- Around line 18-19: The workflow currently references unpinned actions
DeterminateSystems/determinate-nix-action@main and
DeterminateSystems/flakehub-cache-action@main; replace both `@main` refs with
specific commit SHAs (pin to an immutable ref) for
DeterminateSystems/determinate-nix-action and
DeterminateSystems/flakehub-cache-action so the CI complies with the zizmor
ref-pin policy—update the action uses to the chosen commit SHAs and verify the
SHAs point to the intended releases/commits before committing.
In @.github/workflows/build-x86_64-linux.yml:
- Around line 18-19: The workflow references DeterminateSystems actions with
unpinned refs (uses: DeterminateSystems/determinate-nix-action@main and uses:
DeterminateSystems/flakehub-cache-action@main); update each uses line to pin a
specific immutable commit SHA (replace `@main` with @<commit-sha>) for both
DeterminateSystems/determinate-nix-action and
DeterminateSystems/flakehub-cache-action to comply with the ref-pin policy and
avoid floating references.
In @.github/workflows/ci.yml:
- Line 36: The workflow uses unpinned DeterminateSystems actions (e.g.,
DeterminateSystems/flake-checker-action@main,
DeterminateSystems/determinate-nix-action@main,
DeterminateSystems/flakehub-cache-action@main,
DeterminateSystems/nix-installer-action@main); replace each `@main` reference with
a pinned commit SHA (or a stable tag) for every occurrence so the CI complies
with the ref-pin policy—search for those action names in the CI file and update
all instances to use specific SHAs instead of `@main`, ensuring consistency across
every listed occurrence.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: b4d441cf-41eb-4ca1-8c46-331eda5a9cf0
📒 Files selected for processing (11)
.github/dependabot.yml.github/workflows/build-aarch64-darwin.yml.github/workflows/build-aarch64-linux.yml.github/workflows/build-x86_64-linux.yml.github/workflows/ci.yml.github/workflows/release-branches.yml.github/workflows/release-prs.yml.github/workflows/release-tags.yml.github/workflows/update.yml.github/workflows/zizmor.yml.github/zizmor.yml
| uses: DeterminateSystems/determinate-nix-action@main | ||
| - uses: DeterminateSystems/flakehub-cache-action@main |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Find all unpinned DeterminateSystems action references
rg -n --type yaml 'uses:\s+DeterminateSystems/[^@]+@(?!main$|[a-f0-9]{40})' .github/workflows/ || echo "No pinned DeterminateSystems actions found"
echo "---"
echo "Unpinned DeterminateSystems actions (using `@main` or tags):"
rg -n --type yaml 'uses:\s+DeterminateSystems/.*@(main|v\d)' .github/workflows/Repository: DeterminateSystems/nix-installer
Length of output: 2479
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== .github/zizmor.yml ==="
ls -la .github/zizmor.yml || true
sed -n '1,200p' .github/zizmor.yml || true
echo
echo "=== Re-scan for DeterminateSystems actions pinned to `@main` or version tags ==="
# Use PCRE2 so lookarounds work if needed, but we’ll also use simpler patterns.
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(main|v\d+(?:\.\d+)*)\b' .github/workflows/ || true
echo
echo "=== Re-scan for DeterminateSystems actions that are NOT pinned to a 40-hex SHA ==="
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(?![a-f0-9]{40}\b)[^@\s]+' .github/workflows/ || trueRepository: DeterminateSystems/nix-installer
Length of output: 4397
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== .github/zizmor.yml ==="
ls -la .github/zizmor.yml || true
sed -n '1,200p' .github/zizmor.yml || true
echo
echo "=== Re-scan for DeterminateSystems actions pinned to `@main` or version tags ==="
# Use PCRE2 so lookarounds work if needed, but we’ll also use simpler patterns.
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(main|v\d+(?:\.\d+)*)\b' .github/workflows/ || true
echo
echo "=== Re-scan for DeterminateSystems actions that are NOT pinned to a 40-hex SHA ==="
rg -n --type yaml --pcre2 'uses:\s+DeterminateSystems/[^@\s]+@(?![a-f0-9]{40}\b)[^@\s]+' .github/workflows/ || trueRepository: DeterminateSystems/nix-installer
Length of output: 4397
Pin DeterminateSystems GitHub Actions to commit SHAs (zizmor ref-pin policy)
.github/zizmor.yml requires DeterminateSystems/*: ref-pin, but .github/workflows/build-aarch64-darwin.yml uses @main:
uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@mainSame issue exists in multiple workflows (e.g., .github/workflows/build-x86_64-linux.yml, .github/workflows/build-aarch64-linux.yml, .github/workflows/ci.yml, .github/workflows/update.yml, .github/workflows/propose-release.yml).
Pin these actions to specific commit SHAs
Replace @main with the action repo commit SHA:
- - uses: DeterminateSystems/determinate-nix-action@main
+ - uses: DeterminateSystems/determinate-nix-action@<commit-sha> # vX.Y.Z
- - uses: DeterminateSystems/flakehub-cache-action@main
+ - uses: DeterminateSystems/flakehub-cache-action@<commit-sha> # vX.Y.Z🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/build-aarch64-darwin.yml around lines 18 - 19, Replace
loose refs for DeterminateSystems actions with pinned commit SHAs: find usages
of "DeterminateSystems/determinate-nix-action@main" and
"DeterminateSystems/flakehub-cache-action@main" (and other
DeterminateSystems/*`@main` occurrences) and update each to the corresponding
repository commit SHA (obtained from the action repo’s commit history) instead
of `@main`; ensure every workflow file that references these actions uses the
exact SHA string (e.g., @<full-commit-sha>) so it satisfies the ref-pin policy.
| permissions: | ||
| contents: read |
There was a problem hiding this comment.
Missing id-token: write permission for AWS OIDC authentication.
The release job uses aws-actions/configure-aws-credentials with role-to-assume (line 98), which requires OIDC authentication via GitHub's id-token. The current permissions only grant contents: read, causing authentication to fail at runtime.
🔐 Add the required permission
release:
permissions:
contents: read
+ id-token: write📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| permissions: | |
| contents: read | |
| permissions: | |
| contents: read | |
| id-token: write |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/release-prs.yml around lines 53 - 54, The workflow is
missing the GitHub OIDC permission required by
aws-actions/configure-aws-credentials when using the role-to-assume option;
update the permissions block (which currently only has contents: read) to
include id-token: write so the OIDC id-token can be issued, ensuring the release
job's call to aws-actions/configure-aws-credentials (role-to-assume) can
authenticate successfully.
| with: | ||
| persist-credentials: false | ||
| - uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0 | ||
| - uses: DeterminateSystems/update-flake-lock@main |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify mutable action refs in this workflow.
rg -nP 'uses:\s+\S+@(main|master|v\d+(?:\.\d+){0,2})\b' .github/workflows/update.ymlRepository: DeterminateSystems/nix-installer
Length of output: 135
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Context around line 21 =="
nl -ba .github/workflows/update.yml | sed -n '1,80p'
echo
echo "== Mutable action refs in this workflow =="
rg -nP 'uses:\s+\S+@(main|master|v\d+(?:\.\d+){0,2})\b' .github/workflows/update.yml || trueRepository: DeterminateSystems/nix-installer
Length of output: 166
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Context around line 21 (15-30) =="
awk 'NR>=15 && NR<=30 {printf "%d:%s\n", NR, $0}' .github/workflows/update.yml
echo
echo "== Mutable action refs in this workflow =="
rg -nP 'uses:\s+\S+@(main|master|v\d+(?:\.\d+){0,2})\b' .github/workflows/update.yml || trueRepository: DeterminateSystems/nix-installer
Length of output: 789
Pin update-flake-lock to an immutable commit SHA.
In .github/workflows/update.yml, line 21 still uses a mutable ref (DeterminateSystems/update-flake-lock@main), which breaks the workflow’s otherwise-pinned action strategy (other uses: entries are already SHA-pinned).
- uses: DeterminateSystems/update-flake-lock@main🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/update.yml at line 21, Replace the mutable GitHub Action
ref "DeterminateSystems/update-flake-lock@main" with an immutable commit SHA for
that repo; locate the workflow step using the string
DeterminateSystems/update-flake-lock@main and change it to
DeterminateSystems/update-flake-lock@<commit-sha> (use the specific commit SHA
you want to pin) so the action is SHA-pinned like the other `uses:` entries.
Description
Checklist
cargo fmtnix buildnix flake checkValidating with
install.determinate.systemsIf a maintainer has added the
upload to s3label to this PR, it will become available for installation viainstall.determinate.systems:Summary by CodeRabbit
Release Notes