Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/integration_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ jobs:
## Upload diagnostics if integration test step failed.
- name: Upload diagnostics
if: ${{ failure() }}
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/integration_test.yml | sed -n '90,106p'

Repository: openshift/bpfman-operator

Length of output: 562


🌐 Web query:

GitHub Actions pinning commit SHA security best practice policy

💡 Result:

Pinning GitHub Actions to a full-length commit SHA is a critical security best practice designed to mitigate supply chain attacks [1][2][3]. Why Pinning to Commit SHA is Required Unlike version tags (e.g., @v4), which are mutable labels that can be moved, deleted, or force-pushed to point to different code, a commit SHA is an immutable identifier [2][4][5]. By pinning to a specific SHA, you ensure that your workflow executes the exact, verified code you intend, protecting your environment from malicious code injection if an action's repository or maintainer account is compromised [1][6][7]. GitHub Policy and Enforcement GitHub now supports organization-level and repository-level policies that allow administrators to enforce SHA pinning [1][8]. When this policy is enabled, any workflow attempting to use an action referenced by a tag or branch will fail, requiring all actions—including those in the dependency tree—to be pinned to a full-length commit SHA [1][5]. Best Practices for Implementation 1. Use Full-Length SHAs: Always use the full-length commit SHA (40 characters) rather than a shortened version to ensure uniqueness and security [3][9]. 2. Include Version Comments: To maintain readability and facilitate updates, append the original version tag as a comment in your workflow file [6][8][7]: uses: actions/checkout@b4ffde6 # v4.1.1 3. Automate Updates: Because SHA pinning requires manual or automated maintenance to receive updates, use tools like Dependabot or Renovate to monitor for new versions and propose updates to your pinned SHAs [1][10][7]. 4. Verify Sources: When pinning, ensure the SHA originates from the official, trusted repository and not a fork [3][11]. 5. Audit Workflows: Use tools or scripts to scan your repositories for unpinned actions to ensure compliance with security standards [10][9][12]. By adopting this practice, you move from a model of implicit trust in external maintainers to a model of verifiable, immutable dependency management [2][5].

Citations:


Pin actions/upload-artifact to a commit SHA.

Using a floating major tag (@v7) keeps this step mutable and violates the unpinned-actions policy. Please pin to a full commit digest (and keep the version in a trailing comment for readability).

🧰 Tools
🪛 zizmor (1.25.2)

[error] 98-98: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration_test.yml at line 98, Replace the floating tag
"actions/upload-artifact@v7" with the action pinned to its full commit SHA
(e.g., "actions/upload-artifact@<full-sha>") and keep the current v7 tag in a
trailing comment for readability; update the workflow step that references
actions/upload-artifact@v7 so it uses the full commit digest instead of the
major tag to comply with the unpinned-actions policy.

with:
name: kubernetes-integration-test-diag
path: /tmp/ktf-diag*
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/olm_bundle_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ jobs:

- name: Upload diagnostics
if: ${{ failure() }}
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, find and read the workflow file
git ls-files ".github/workflows/*.yml" | head -20

Repository: openshift/bpfman-operator

Length of output: 243


🏁 Script executed:

# Read the specific file mentioned
cat -n .github/workflows/olm_bundle_test.yml

Repository: openshift/bpfman-operator

Length of output: 4553


🏁 Script executed:

# Also check if there are any other workflow files with upload-artifact
rg "upload-artifact" .github/workflows/ -n

Repository: openshift/bpfman-operator

Length of output: 473


🏁 Script executed:

# Check for any workflow configuration or policy files
git ls-files ".github/" | grep -E "(policy|config|settings)" | head -20

Repository: openshift/bpfman-operator

Length of output: 51


🏁 Script executed:

# Check all workflow files for any actions pinned to commit SHAs
rg "@[a-f0-9]{40}" .github/workflows/ -n

Repository: openshift/bpfman-operator

Length of output: 422


🏁 Script executed:

# Check for any security configuration or policy docs
git ls-files | grep -iE "(security|policy|readme)" | head -20

Repository: openshift/bpfman-operator

Length of output: 947


🏁 Script executed:

# Check if there are any other actions using SHAs in this file specifically
grep -n "@[a-f0-9]" .github/workflows/olm_bundle_test.yml

Repository: openshift/bpfman-operator

Length of output: 51


🏁 Script executed:

# Check the git history to see if there was an attempted policy enforcement
git log --oneline -20 -- .github/workflows/ | head -20

Repository: openshift/bpfman-operator

Length of output: 122


Pin both upload-artifact steps to commit SHAs for security consistency.

Both updated uses: actions/upload-artifact@v7 entries use mutable version tags. Pin each to a commit SHA for consistency with the security approach already used in other workflows (e.g., scorecard.yml) and to prevent unintended upstream changes.

Also applies to: 128-128

🧰 Tools
🪛 zizmor (1.25.2)

[error] 65-65: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/olm_bundle_test.yml at line 65, Replace both mutable uses
entries "uses: actions/upload-artifact@v7" with their corresponding pinned
commit SHAs (e.g., "uses: actions/upload-artifact@<commit-sha>") in the
.github/workflows/olm_bundle_test.yml file; locate the two occurrences of the
exact string "uses: actions/upload-artifact@v7" and update each to the known
good commit SHA for actions/upload-artifact to ensure immutable, audited
references consistent with other workflows.

with:
name: olm-bundle-integration-test-diag
path: /tmp/ktf-diag*
Expand Down Expand Up @@ -125,7 +125,7 @@ jobs:

- name: Upload diagnostics
if: ${{ failure() }}
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v7
with:
name: olm-bundle-lifecycle-test-diag
path: /tmp/ktf-diag*
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/pull_request.yml
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ jobs:
run: make test

- name: Archive Go code coverage results
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read the relevant sections
if [ -f .github/workflows/pull_request.yml ]; then
  echo "=== Lines around 140 ==="
  sed -n '135,145p' .github/workflows/pull_request.yml | cat -n
  echo ""
  echo "=== Lines around 228 ==="
  sed -n '223,233p' .github/workflows/pull_request.yml | cat -n
  echo ""
  echo "=== Full file line count ==="
  wc -l .github/workflows/pull_request.yml
else
  echo "File not found"
fi

Repository: openshift/bpfman-operator

Length of output: 866


🏁 Script executed:

# Search for all instances of upload-artifact and download-artifact in the workflow
echo "=== All artifact action uses ==="
rg "actions/(upload|download)-artifact" .github/workflows/pull_request.yml -n

Repository: openshift/bpfman-operator

Length of output: 194


🌐 Web query:

GitHub Actions pinning commit SHA immutable security best practice

💡 Result:

Pinning GitHub Actions to a full-length commit SHA is a critical security best practice for protecting CI/CD pipelines against supply chain attacks [1][2][3]. Why Pinning to a Commit SHA is Essential GitHub Actions referenced by tags (e.g., @v4) or branches (e.g., @main) are mutable, meaning the underlying code can be changed by the repository owner or an attacker who gains unauthorized access [4][2][5]. If an action is compromised, tag-based references will automatically pull and execute the malicious code in your workflows [1][5]. Pinning to a full-length commit SHA ensures that your workflow always executes the exact, immutable code you have audited and verified, regardless of any subsequent changes to tags or branches in the action's repository [4][2][3]. How to Implement SHA Pinning To pin an action, replace the tag or branch reference with the full-length commit SHA [3][6]. It is highly recommended to include the original version tag as a comment to maintain readability and facilitate updates [7][8]: uses: actions/checkout@f43a0e5 # v4.1.1 You can find the commit SHA for a specific tag by checking the action's repository on GitHub, using the git ls-remote command, or inspecting the Setup Job section of a previous workflow run log [9][6]. Organizational Enforcement GitHub now supports organization-level and repository-level policies that can enforce SHA pinning [1][7]. When enabled, any workflow attempting to use an action referenced by a tag or branch will fail, ensuring that all dependencies are immutable [4][7]. This policy also evaluates the entire dependency tree, meaning any sub-actions called by your primary actions must also be pinned to SHAs [4]. Best Practices for Maintenance While SHA pinning provides immutability, it does not automatically protect against vulnerabilities discovered in the pinned version [10]. To maintain a secure posture: - Use automated tools like Dependabot or Renovate to manage and update your pinned actions [4][9][8]. - Consider implementing a cooldown period (e.g., 7–14 days) before adopting new action versions to allow time for potential supply chain attacks to be discovered and mitigated [10]. - Prioritize using actions from verified creators and GitHub-maintained repositories [3][10].

Citations:


🌐 Web query:

actions/upload-artifact latest version 2025

💡 Result:

For GitHub Actions action actions/upload-artifact, the latest version as of today (2026-05-20) is v7.0.1 (released 2026-04-10). [1] If you meant “latest version released around 2025”, that would be a different version line (for example, the repo shows a v4.6.0 release on 2025-01-09). [2] Example (recommended): uses: actions/upload-artifact@v7

Citations:


🌐 Web query:

actions/download-artifact latest version 2025

💡 Result:

The latest version of the official GitHub Action actions/download-artifact (as of 2026-05-20) is v8.0.1, and the “latest” tag points to v8.[1] Examples: - uses: actions/download-artifact@v8 - uses: actions/download-artifact@v8.0.1 - uses: actions/download-artifact@latest What changed in the 2025+ timeframe (relevant context): v7.0.0 (released 2025-12-12) updated the action runtime to run on Node.js 24 by default.[2] v8.0.0 (released 2026-02-26) migrated the action package to ESM and introduced breaking behavior changes around digest/hash mismatch handling (now errors by default) and decompression behavior.[3]

Citations:


Pin artifact actions to commit SHAs in PR workflow.

actions/upload-artifact@v7 and actions/download-artifact@v8 use mutable semantic version tags. Pin both to immutable commit SHAs to prevent supply chain attacks where unauthorized changes to the action repositories could execute compromised code in your workflows.

Also applies to: 228-228

🧰 Tools
🪛 zizmor (1.25.2)

[error] 140-140: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pull_request.yml at line 140, Replace mutable action tags
with immutable commit SHAs for the artifact actions: locate usages of
actions/upload-artifact@v7 and actions/download-artifact@v8 in the PR workflow
and change them to the corresponding commit SHA refs (e.g.,
actions/upload-artifact@<commit-sha> and actions/download-artifact@<commit-sha>)
so the workflow always runs a fixed, audited revision; verify you use the exact
commit SHAs from the action repositories' releases and update both occurrences
of these action references in the workflow.

with:
name: coverage-go
path: cover.out
Expand Down Expand Up @@ -225,7 +225,7 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Download golang coverage artifacts
uses: actions/download-artifact@v6
uses: actions/download-artifact@v8
with:
name: coverage-go

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/scorecard.yml | head -80

Repository: openshift/bpfman-operator

Length of output: 3636


🌐 Web query:

GitHub Actions security best practices pin commit SHA 2025 2026

💡 Result:

Pinning GitHub Actions to a full-length commit SHA is a critical security best practice for mitigating supply chain attacks [1][2]. Because tags and branches are mutable—meaning they can be force-updated or hijacked by malicious actors to point to compromised code—pinning to an immutable commit SHA ensures that your workflows consistently execute the exact, verified code you intend [1][3][4]. Key aspects of this practice as of 2026 include: Security Rationale Mutable references (e.g., @v4, @main, @latest) are vulnerable to tag-poisoning and repository compromise [5][3]. If an action's repository is compromised, an attacker can update a tag to include malicious code, which would then be automatically pulled into any workflow using that tag [6][7]. Pinning to a full-length (40-character) commit SHA eliminates this risk because the SHA is cryptographically immutable; any modification to the underlying code would result in a hash mismatch, causing the workflow to fail rather than execute malicious code [1][5][4]. Enforcement and Policy As of August 2025, GitHub supports organization-level and repository-level policies that allow administrators to mandate SHA pinning [6][8]. When this policy is enabled, any workflow attempting to use an action referenced by a tag or branch will fail [6][9]. This policy evaluates the entire action dependency tree, including internal sub-actions, providing comprehensive governance [9]. Implementation Best Practices To maintain security without sacrificing maintainability, follow these conventions: 1. Use full-length SHAs: Always use the full 40-character commit hash, not a shortened version [1][2]. 2. Include version comments: To maintain readability and facilitate updates, append the original version tag as a comment [5][10][4]. Example: uses: actions/checkout@b4ffde6 # v4.1.1 3. Automate updates: Use tools like Dependabot or Renovate to automatically monitor for new releases and open pull requests to update your pinned SHAs [5][3][11]. This balances the security of immutability with the need to keep dependencies current [5][4]. Verification You can identify the correct SHA for a specific tag by checking the action's repository on GitHub, using the git ls-remote command, or inspecting the Setup Job logs in a previous workflow run [12][13]. Organizations are encouraged to use these methods to achieve 100% SHA-pinning coverage across all workflows [12][3].

Citations:


Pin actions/upload-artifact to a commit SHA instead of the mutable v7 tag.

uses: actions/upload-artifact@v7 uses a mutable version tag, which is vulnerable to tag-poisoning and repository compromise attacks. Pin to a full-length commit SHA with the version as a comment (e.g., uses: actions/upload-artifact@b4ffde65f46336ab88eb53be808477a3936bae11 # v7). This aligns with security policy and the pattern already applied to other actions in this workflow.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 63-63: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/scorecard.yml at line 63, The workflow is using a mutable
tag for the upload-artifact action (uses: actions/upload-artifact@v7); replace
the mutable tag with the action's full commit SHA while preserving the
human-readable version as a comment (e.g., uses:
actions/upload-artifact@<full-commit-sha> # v7) to prevent tag-poisoning—locate
the uses: actions/upload-artifact@v7 entry and pin it to the corresponding
full-length commit SHA from the actions/upload-artifact repository.

with:
name: SARIF file
path: results.sarif
Expand Down