Skip to content

Pin GitHub Actions to commit SHAs and harden Renovate config#120

Merged
titouanmathis merged 2 commits into
mainfrom
fix/pin-github-actions
Jul 1, 2026
Merged

Pin GitHub Actions to commit SHAs and harden Renovate config#120
titouanmathis merged 2 commits into
mainfrom
fix/pin-github-actions

Conversation

@titouanmathis

Copy link
Copy Markdown
Contributor

Problem

The Semgrep Security Scan job was failing with 27 findings — all in CI configuration, none in application code:

  • 24× github-actions-mutable-action-tag in ci.yml, publish.yml, security.yml — workflow steps referenced mutable tags (@v4, @v5, @v1). A mutable tag can be silently repointed by the action owner, which was the vector in the tj-actions/changed-files compromise.
  • renovate-missing-minimum-release-age in renovate.json — no cooldown before proposing/auto-merging newly published versions.

These pre-existed on main (not introduced by any recent PR).

Fix

  • Pin all 24 uses: to full 40-char commit SHAs with # vX version comments. Pinned the current major of each action (no version bumps — those are left to Renovate so they get tested independently):
    • actions/checkout@v4, actions/setup-node@v4, actions/upload-artifact@v4, actions/download-artifact@v4, codecov/codecov-action@v5, ncipollo/release-action@v1
  • Add helpers:pinGitHubActionDigests to Renovate's extends so it keeps the pinned digests updated automatically (pinning and Renovate are complementary, not in conflict).
  • Set minimumReleaseAge: "7 days" globally and within each package rule. The Semgrep rule (p/owasp-top-ten) requires ≥ 7 days, so all cooldowns — including security updates — are set to 7 days.

Verification

Ran the exact CI Semgrep command locally via Docker: 0 findings (down from 27), exit 0. No application code changed.

titouanmathis and others added 2 commits July 1, 2026 15:12
Semgrep flagged mutable action tags (supply-chain risk) and a missing
Renovate minimum release age. Pin all workflow actions to full commit
SHAs with version comments, add the helpers:pinGitHubActionDigests
Renovate preset to keep digests maintained, and set a 7-day
minimumReleaseAge across package rules to clear the scan.

Co-authored-by: Claude <claude@anthropic.com>
Co-authored-by: Claude <claude@anthropic.com>
@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.45%. Comparing base (7f77c8e) to head (59776db).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #120   +/-   ##
=======================================
  Coverage   99.45%   99.45%           
=======================================
  Files         235      235           
  Lines        4033     4033           
  Branches     1027     1031    +4     
=======================================
  Hits         4011     4011           
  Misses         22       22           
Flag Coverage Δ
unittests 99.45% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@titouanmathis
titouanmathis merged commit 2d93d33 into main Jul 1, 2026
8 checks passed
@titouanmathis
titouanmathis deleted the fix/pin-github-actions branch July 1, 2026 13:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant