
Pin GH Actions to commit sha #144

Merged
ibrokethecloud merged 1 commit into harvester:pin-ci-actions-to-sha from votdev:pin-ci-actions-to-sha on Mar 24, 2026

Conversation

votdev (Member) commented Mar 24, 2026

Related to: harvester/harvester#10279

IMPORTANT: Please do not create a Pull Request without creating an issue first.

Problem:

Solution:

Related Issue:

Test plan:

Related to: harvester/harvester#10279

Signed-off-by: Volker Theile <vtheile@suse.com>
@votdev votdev self-assigned this Mar 24, 2026
Copilot AI review requested due to automatic review settings March 24, 2026 08:38

Copilot AI left a comment


Pull request overview

Pins third-party GitHub Actions used by this repository’s CI/security workflows to immutable commit SHAs to reduce supply-chain risk and improve build reproducibility (ref. harvester/harvester#10279).

Changes:

  • Pin actions/checkout, Docker Buildx/QEMU/login/build-push actions in the reusable build workflow to commit SHAs.
  • Pin Trivy scanning and SARIF upload actions to commit SHAs.
  • Pin vault-secret read and FOSSA scan actions, plus CodeQL actions, to commit SHAs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/template-build.yml Pins build/publish workflow actions (checkout, QEMU/Buildx, vault secrets, Docker login/build) to SHAs.
.github/workflows/scan.yml Pins Trivy scan workflow actions (checkout, trivy-action, upload-sarif) to SHAs.
.github/workflows/fossa.yml Pins vault secret reader and FOSSA action to SHAs.
.github/workflows/codeql-analysis.yml Pins CodeQL workflow actions (checkout + codeql init/autobuild/analyze) to SHAs.


uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

- name: Download Rancher's VEX Hub report
run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
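Review bot: the `curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json` step fetches the VEX report with no integrity check, so even once the URL is moved off `refs/heads/main` to a commit the workflow still trusts whatever bytes the CDN returns, while the `uses: actions/checkout@34e1...` line directly above it is SHA-pinned; record the report's sha256 next to the pinned URL and verify it before Trivy reads the file (e.g. `echo "<sha256>  rancher.openvex.json" | sha256sum -c`), so a tampered or truncated download fails the job instead of silently suppressing findings.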
Copilot AI commented Mar 24, 2026

The VEX report is downloaded from the main branch (refs/heads/main), which makes this workflow non-reproducible and introduces a supply-chain risk (the file contents can change without review). Consider pinning the URL to a specific commit SHA or a versioned release tag, or vendoring the report into the repo and updating it explicitly.

Suggested change:
- run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
+ run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/2e6b9b0e4c2f5c8a4f7d3a3b0e1c9d8f7a6b5c4d/reports/rancher.openvex.json

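The Copilot overview above lists which `uses:` references the PR pins to commit SHAs. The checker below is an added example (not code from the harvester project or from this PR) of the detection logic a repository can run to catch the same class of issue before it lands: it flags references that resolve to a tag, branch, abbreviated SHA or an undigested Docker image, and reports full-SHA pins that lack the `# vX` comment Dependabot/Renovate rely on. The sample workflow is constructed for the demo; only the `actions/checkout` SHA and its `# v4` comment come from the PR, while the `some-org`/`other-org` actions and the local action path are invented.

```python
"""Detection logic for the class of issue this PR fixes: `uses:` references in
GitHub Actions workflows that are not pinned to a full commit SHA.

Added example; not code from the harvester project or this PR. The workflow
below is constructed for the demo. Only the actions/checkout line (SHA and
"# v4" comment) is taken from the PR; the other owners ("some-org",
"other-org") and the local action path are invented.
"""
import re
from typing import List, NamedTuple, Tuple

# `- uses: <ref>   # optional trailing comment`, with or without quotes.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')


class Finding(NamedTuple):
    file: str
    line: int
    ref: str
    reason: str


def classify_ref(ref: str) -> Tuple[bool, str]:
    """Return (acceptable, reason) for one `uses:` reference."""
    if ref.startswith('./'):
        return True, 'local action'  # lives in this repo, versioned with it
    if ref.startswith('docker://'):
        # Container actions are immutable only when pinned by image digest.
        if '@sha256:' in ref:
            return True, 'image digest'
        return False, 'docker image not pinned by digest'
    if '@' not in ref:
        return False, 'no ref (resolves to the default branch at run time)'
    version = ref.rpartition('@')[2]
    if FULL_SHA_RE.match(version):
        return True, 'commit sha'
    if SHORT_SHA_RE.match(version):
        return False, 'abbreviated sha (ambiguous, not immutable)'
    # Tags and branches can be deleted and re-pointed by whoever controls the repo.
    return False, f'mutable ref {version!r} (tag or branch can be moved)'


def check_workflow(name: str, text: str) -> List[Finding]:
    """Scan one workflow file and report every reference that is not SHA-pinned,
    plus SHA pins that lack the `# vX` comment Dependabot/Renovate use for bumps."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        ok, reason = classify_ref(ref)
        if not ok:
            findings.append(Finding(name, lineno, ref, reason))
        elif reason == 'commit sha' and not comment:
            findings.append(Finding(name, lineno, ref, 'sha pin without version comment'))
    return findings


def pin_reference(ref: str, sha: str, version: str) -> str:
    """Format `owner/repo@tag` as `owner/repo@<sha> # tag`, the form used in this PR.

    The caller resolves `sha` out of band, e.g. `git ls-remote --tags <url> <tag>`
    and takes the `^{}` (peeled) line: for an annotated tag the unpeeled line is
    the tag object, which `uses:` cannot check out. Only a full 40-hex SHA is accepted.
    """
    if not FULL_SHA_RE.match(sha):
        raise ValueError(f'refusing to pin to a non-40-hex value: {sha!r}')
    action = ref.rpartition('@')[0] if '@' in ref else ref
    return f'{action}@{sha} # {version}'


# Constructed sample workflow (see module docstring for what is real vs invented).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: aquasecurity/trivy-action@master
      - uses: github/codeql-action/upload-sarif@v3
      - uses: ./.github/actions/local-helper
      - uses: some-org/some-action@34e11487
      - uses: docker://alpine:3.20
      - uses: other-org/pinned-no-comment@34e114876b0b11c390a56381ad16ebd13914f8d5
"""


if __name__ == '__main__':
    for f in check_workflow('scan.yml', SAMPLE_WORKFLOW):
        print(f'{f.file}:{f.line}: {f.ref}: {f.reason}')
```

Run it over `.github/workflows/*.yml` in a pre-merge job and fail on any finding; the version comment check matters because a bare SHA pin is otherwise opaque to both humans and the bots that open bump PRs.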
votdev (Member, Author) commented Mar 24, 2026

@Mergifyio backport v1.8

mergify (Bot) commented Mar 24, 2026

backport v1.8

✅ Backports have been created


@votdev votdev requested a review from ibrokethecloud March 24, 2026 08:49
@ibrokethecloud ibrokethecloud merged commit 85d0a5b into harvester:pin-ci-actions-to-sha Mar 24, 2026
9 checks passed
@votdev votdev deleted the pin-ci-actions-to-sha branch March 24, 2026 09:04
votdev added a commit that referenced this pull request Mar 24, 2026
Signed-off-by: Volker Theile <vtheile@suse.com>

(cherry picked from commit 85d0a5b)

Co-authored-by: Volker Theile <vtheile@suse.com>

3 participants