[StepSecurity] ci: Harden GitHub Actions #3888
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request improves the security posture of the repository's CI/CD workflows by transitioning from mutable action tags to immutable commit SHAs. This change ensures that the pipeline executes a verified version of the action, protecting the build process from unexpected upstream modifications.
Highlights
Ignored Files
Code Review
This pull request updates the GitHub Action publish-site-report to pin the actions/upload-artifact action to a specific commit SHA (ea165f8d65b6e75b540449e92b4886f43607fa02) for improved security and reproducibility. There are no review comments, and I have no feedback to provide.
Codecov Report
✅ All modified and coverable lines are covered by tests.

Additional details and impacted files
@@ Coverage Diff @@
##             main    #3888      +/-   ##
============================================
- Coverage     55.55%   55.54%   -0.01%
+ Complexity     7026     7023       -3
============================================
  Files          1103     1103
  Lines         67573    67573
  Branches       7581     7581
============================================
- Hits          37537    37531       -6
- Misses        27621    27626       +5
- Partials       2415     2416       +1
R: @Abacn
Abacn left a comment
Thanks, lgtm
Please follow up with test breakage if any.
There was back-and-forth moving from/to SHA and unpinned version:
each choice has its pros/cons. Pinned version will break when it's decommissioned
ack
Summary
This pull request is created by StepSecurity at the request of @derrickaw. Please merge the Pull Request to incorporate the requested changes. Please tag @derrickaw on your message if you have any questions related to the PR.
Security Fixes
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.
Feedback
For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
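As an added example (not code from this PR, StepSecurity or the project), the check below does what the PR body argues for: it walks the `uses:` references in a workflow and flags any remote action that is not pinned to a full 40-hex commit SHA, treating tags, branches and short SHAs alike as mutable. It also treats `docker://` image references as mutable unless they carry a `@sha256:` digest, since the PR body makes the same point about Docker tags. The workflow text is constructed for the example; the only value taken from this PR is the `actions/upload-artifact` SHA, and no version is asserted for it.

```python
import re

# Constructed sample workflow (not the PR's diff). It mixes a tag, a branch,
# the SHA pin from this PR, a local action and a Docker image tag.
SAMPLE_WORKFLOW = """\
name: publish-site-report
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@main
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # pinned by this PR
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo done
"""

# A full-length commit SHA is 40 lowercase hex characters; anything shorter
# (tags, branches, abbreviated SHAs) can be moved or is ambiguous.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def classify_ref(ref):
    """Classify how a `uses:` reference is pinned.

    'local'   - ./path inside the repository, not fetched from elsewhere
    'digest'  - docker:// image pinned by @sha256: digest (immutable)
    'docker'  - docker:// image referenced by tag (mutable)
    'sha'     - owner/repo@<40-hex commit SHA> (immutable)
    'mutable' - tag, branch, short SHA or missing ref (can be moved upstream)
    """
    ref = ref.strip("'\"")
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "docker"
    if "@" not in ref:
        return "mutable"
    _, _, version = ref.rpartition("@")
    return "sha" if FULL_SHA.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_no, ref, kind) for each reference that is not immutably pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        kind = classify_ref(ref)
        if kind in ("mutable", "docker"):
            findings.append((line_no, ref, kind))
    return findings


if __name__ == "__main__":
    for line_no, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is {kind}; pin to a full commit SHA or digest")
```

The trailing `# ...` comment after a SHA is deliberately ignored by the matcher but worth keeping in real workflows: Dependabot uses that version comment to keep SHA-pinned actions updated, which is the usual answer to the decommissioning concern raised in review.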