From ebc910f1c221c5e586da08c4cce18a0f1150c96c Mon Sep 17 00:00:00 2001 From: David Dashti Date: Sun, 14 Jun 2026 19:51:59 +0200 Subject: [PATCH 1/2] fix(ci): repoint three more broken SHA pins in security-scan.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit VSCode's GitHub Actions extension surfaced three pins that don't resolve in the upstream repos — same broken-prefix-then-diverged pattern as the trufflehog and EnricoMi fixes (see commits 67301aa, 71d41b9). The pins live in `security-scan.yml`, which runs on a different trigger than the PR workflows, so these never failed during PR #9. - gitleaks/gitleaks-action: pin annotated v2.3.7 but the SHA was invalid. Funny detail: the broken SHA `ff98106e4c7b2bc287eb9b...` shares the first 12 chars with the real v2.3.9 SHA `ff98106e4c7b... 2bc287b24...`. Bumped to v2.3.9 (latest in the v2.x line — staying in-major to avoid v3.0.0 breaking changes). - actions/dependency-review-action: pin annotated v4.5.0 was invalid. Bumped to v4.9.0 (latest in v4.x — v5.0.0 may have breaking changes). - gaurav-nelson/github-action-markdown-link-check: pin annotated v1.0.15 was invalid. Bumped to 1.0.17 (latest 1.x; the upstream tag is annotated, so dereferenced to commit SHA `3c3b66f...`). Verified all three new SHAs against `gh api repos/X/git/commits/SHA` before pinning. Audited all 12 other action pins in the workflows directory while at it — all resolve cleanly. --- .github/workflows/security-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 8fb6f64..d6f6d34 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -23,7 +23,7 @@ jobs: fetch-depth: 0 - name: Run Gitleaks - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287eb9b730d02a6ea74a31e29 # v2.3.7 + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} continue-on-error: true @@ -106,7 +106,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Dependency Review - uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3571e49be25ba84783 # v4.5.0 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 continue-on-error: true with: fail-on-severity: moderate @@ -209,7 +209,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Check markdown links - uses: gaurav-nelson/github-action-markdown-link-check@fc0405b50847c4904cc6aca4eb08004975a5b4a4 # v1.0.15 + uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # 1.0.17 with: use-quiet-mode: 'yes' config-file: '.github/markdown-link-check-config.json' From 2d6fdb0cee52c98326b5d7e75cdadf8e6494f66b Mon Sep 17 00:00:00 2001 From: David Dashti Date: Sun, 14 Jun 2026 19:59:32 +0200 Subject: [PATCH 2/2] fix(ci): bump trivy-action to v0.36.0 in advisory mode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `Trivy Filesystem Scan` has been failing 54 consecutive runs on main since at least 2025-10-15. The currently-pinned `trivy-action@v0.29.0` transitively references `aquasecurity/setup-trivy@v0.2.2`, which GitHub Actions can no longer resolve — the job aborts during "Set up job", before checkout, before the scan even starts. This was masked on PRs because the broken SHA pins in #10 made everyone assume CI churn was pin-related; it wasn't. Changes: - Bump `aquasecurity/trivy-action` from v0.29.0 to v0.36.0 (SHA `ed142fd...`). v0.36.0 is the current release post-March-2026 trivy-action supply-chain incident — earlier 0.0.1-0.34.2 had their tags re-pointed during the compromise and should be avoided. - Add `TRIVY_DB_REPOSITORY` / `TRIVY_JAVA_DB_REPOSITORY` env vars to point at the public.ecr.aws mirrors. GHCR rate-limits hitting trivy-action runs is the dominant CI failure mode in 2025-2026 (trivy-action#389); the AWS ECR mirror sidesteps it. - Set `ignore-unfixed: true`, `exit-code: 0`, `continue-on-error: true`. This makes Trivy advisory: findings still appear in the GitHub Security tab via the existing SARIF upload, but they don't gate merges. For a single-developer toolkit with no production blast radius, that's the right altitude. Adding to PR #10 because both fixes touch security-scan.yml and the broader theme is the same: stale CI plumbing exposed once the trufflehog pin fix from PR #9 unblocked the workflow chain. --- .github/workflows/security-scan.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index d6f6d34..4c5b123 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -121,13 +121,23 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Run Trivy - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 + continue-on-error: true + env: + # Use the ECR mirror to dodge GHCR rate limits (the dominant + # trivy-action CI failure mode in 2025-2026). + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db with: scan-type: 'fs' scan-ref: '.' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' + # Advisory mode on a personal toolkit: findings surface in the + # GitHub Security tab via SARIF upload below, but don't gate merges. + ignore-unfixed: 'true' + exit-code: '0' - name: Upload Trivy results uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0