-
Notifications
You must be signed in to change notification settings - Fork 2
chore(deps): update github artifact actions (major) #1892
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -62,7 +62,7 @@ jobs: | |
|
|
||
| - name: Upload diagnostics | ||
| if: ${{ failure() }} | ||
| uses: actions/upload-artifact@v6 | ||
| uses: actions/upload-artifact@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: # First, find and read the workflow file
git ls-files ".github/workflows/*.yml" | head -20Repository: openshift/bpfman-operator Length of output: 243 🏁 Script executed: # Read the specific file mentioned
cat -n .github/workflows/olm_bundle_test.ymlRepository: openshift/bpfman-operator Length of output: 4553 🏁 Script executed: # Also check if there are any other workflow files with upload-artifact
rg "upload-artifact" .github/workflows/ -nRepository: openshift/bpfman-operator Length of output: 473 🏁 Script executed: # Check for any workflow configuration or policy files
git ls-files ".github/" | grep -E "(policy|config|settings)" | head -20Repository: openshift/bpfman-operator Length of output: 51 🏁 Script executed: # Check all workflow files for any actions pinned to commit SHAs
rg "@[a-f0-9]{40}" .github/workflows/ -nRepository: openshift/bpfman-operator Length of output: 422 🏁 Script executed: # Check for any security configuration or policy docs
git ls-files | grep -iE "(security|policy|readme)" | head -20Repository: openshift/bpfman-operator Length of output: 947 🏁 Script executed: # Check if there are any other actions using SHAs in this file specifically
grep -n "@[a-f0-9]" .github/workflows/olm_bundle_test.ymlRepository: openshift/bpfman-operator Length of output: 51 🏁 Script executed: # Check the git history to see if there was an attempted policy enforcement
git log --oneline -20 -- .github/workflows/ | head -20Repository: openshift/bpfman-operator Length of output: 122 Pin both Both updated Also applies to: 128-128 🧰 Tools🪛 zizmor (1.25.2)[error] 65-65: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
| with: | ||
| name: olm-bundle-integration-test-diag | ||
| path: /tmp/ktf-diag* | ||
|
|
@@ -125,7 +125,7 @@ jobs: | |
|
|
||
| - name: Upload diagnostics | ||
| if: ${{ failure() }} | ||
| uses: actions/upload-artifact@v6 | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: olm-bundle-lifecycle-test-diag | ||
| path: /tmp/ktf-diag* | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -137,7 +137,7 @@ jobs: | |
| run: make test | ||
|
|
||
| - name: Archive Go code coverage results | ||
| uses: actions/upload-artifact@v6 | ||
| uses: actions/upload-artifact@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: # Check if the file exists and read the relevant sections
if [ -f .github/workflows/pull_request.yml ]; then
echo "=== Lines around 140 ==="
sed -n '135,145p' .github/workflows/pull_request.yml | cat -n
echo ""
echo "=== Lines around 228 ==="
sed -n '223,233p' .github/workflows/pull_request.yml | cat -n
echo ""
echo "=== Full file line count ==="
wc -l .github/workflows/pull_request.yml
else
echo "File not found"
fiRepository: openshift/bpfman-operator Length of output: 866 🏁 Script executed: # Search for all instances of upload-artifact and download-artifact in the workflow
echo "=== All artifact action uses ==="
rg "actions/(upload|download)-artifact" .github/workflows/pull_request.yml -nRepository: openshift/bpfman-operator Length of output: 194 🌐 Web query:
💡 Result: Pinning GitHub Actions to a full-length commit SHA is a critical security best practice for protecting CI/CD pipelines against supply chain attacks [1][2][3]. Why Pinning to a Commit SHA is Essential GitHub Actions referenced by tags (e.g., Citations:
🌐 Web query:
💡 Result: For GitHub Actions action actions/upload-artifact, the latest version as of today (2026-05-20) is v7.0.1 (released 2026-04-10). [1] If you meant “latest version released around 2025”, that would be a different version line (for example, the repo shows a v4.6.0 release on 2025-01-09). [2] Example (recommended): uses: actions/upload-artifact@v7 Citations:
🌐 Web query:
💡 Result: The latest version of the official GitHub Action actions/download-artifact (as of 2026-05-20) is v8.0.1, and the “latest” tag points to v8.[1] Examples: - uses: actions/download-artifact@v8 - uses: actions/download-artifact@v8.0.1 - uses: actions/download-artifact@latest What changed in the 2025+ timeframe (relevant context): v7.0.0 (released 2025-12-12) updated the action runtime to run on Node.js 24 by default.[2] v8.0.0 (released 2026-02-26) migrated the action package to ESM and introduced breaking behavior changes around digest/hash mismatch handling (now errors by default) and decompression behavior.[3] Citations:
Pin artifact actions to commit SHAs in PR workflow.
Also applies to: 228-228 🧰 Tools🪛 zizmor (1.25.2)[error] 140-140: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
| with: | ||
| name: coverage-go | ||
| path: cover.out | ||
|
|
@@ -225,7 +225,7 @@ jobs: | |
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Download golang coverage artifacts | ||
| uses: actions/download-artifact@v6 | ||
| uses: actions/download-artifact@v8 | ||
| with: | ||
| name: coverage-go | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -60,7 +60,7 @@ jobs: | |
| # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
| # format to the repository Actions tab. | ||
| - name: "Upload artifact" | ||
| uses: actions/upload-artifact@v6 | ||
| uses: actions/upload-artifact@v7 | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: cat -n .github/workflows/scorecard.yml | head -80Repository: openshift/bpfman-operator Length of output: 3636 🌐 Web query:
💡 Result: Pinning GitHub Actions to a full-length commit SHA is a critical security best practice for mitigating supply chain attacks [1][2]. Because tags and branches are mutable—meaning they can be force-updated or hijacked by malicious actors to point to compromised code—pinning to an immutable commit SHA ensures that your workflows consistently execute the exact, verified code you intend [1][3][4]. Key aspects of this practice as of 2026 include: Security Rationale Mutable references (e.g., Citations:
Pin
🧰 Tools🪛 zizmor (1.25.2)[error] 63-63: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses) 🤖 Prompt for AI Agents |
||
| with: | ||
| name: SARIF file | ||
| path: results.sarif | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
Repository: openshift/bpfman-operator
Length of output: 562
🌐 Web query:
GitHub Actions pinning commit SHA security best practice policy💡 Result:
Pinning GitHub Actions to a full-length commit SHA is a critical security best practice designed to mitigate supply chain attacks [1][2][3]. Why Pinning to Commit SHA is Required Unlike version tags (e.g.,
@v4), which are mutable labels that can be moved, deleted, or force-pushed to point to different code, a commit SHA is an immutable identifier [2][4][5]. By pinning to a specific SHA, you ensure that your workflow executes the exact, verified code you intend, protecting your environment from malicious code injection if an action's repository or maintainer account is compromised [1][6][7]. GitHub Policy and Enforcement GitHub now supports organization-level and repository-level policies that allow administrators to enforce SHA pinning [1][8]. When this policy is enabled, any workflow attempting to use an action referenced by a tag or branch will fail, requiring all actions—including those in the dependency tree—to be pinned to a full-length commit SHA [1][5]. Best Practices for Implementation 1. Use Full-Length SHAs: Always use the full-length commit SHA (40 characters) rather than a shortened version to ensure uniqueness and security [3][9]. 2. Include Version Comments: To maintain readability and facilitate updates, append the original version tag as a comment in your workflow file [6][8][7]: uses: actions/checkout@b4ffde6 # v4.1.1 3. Automate Updates: Because SHA pinning requires manual or automated maintenance to receive updates, use tools like Dependabot or Renovate to monitor for new versions and propose updates to your pinned SHAs [1][10][7]. 4. Verify Sources: When pinning, ensure the SHA originates from the official, trusted repository and not a fork [3][11]. 5. Audit Workflows: Use tools or scripts to scan your repositories for unpinned actions to ensure compliance with security standards [10][9][12]. By adopting this practice, you move from a model of implicit trust in external maintainers to a model of verifiable, immutable dependency management [2][5].Citations:
Pin
actions/upload-artifactto a commit SHA.Using a floating major tag (
@v7) keeps this step mutable and violates the unpinned-actions policy. Please pin to a full commit digest (and keep the version in a trailing comment for readability).🧰 Tools
🪛 zizmor (1.25.2)
[error] 98-98: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
🤖 Prompt for AI Agents