Pin resolvable release workflow actions #126
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9d0588cb25
Replace unresolved major action aliases with existing upstream tags for cosign-installer and Scorecard, and keep workflow contract tests aligned.

Verification:
- pnpm exec vitest run test/release-workflow.test.ts test/security-workflow.test.ts
- pnpm lint
- actionlint .github/workflows/release-image.yml .github/workflows/rg-release.yml .github/workflows/scorecard.yml
Force-pushed 9d0588c to 8fe2da1.
Addressed the automated Scorecard feedback in 8fe2da1 by moving write permissions off the workflow scope and onto the scorecard job, matching the scorecard-action v2 permission restrictions. Re-ran: pnpm exec vitest run test/release-workflow.test.ts test/security-workflow.test.ts; pnpm lint; actionlint .github/workflows/release-image.yml .github/workflows/rg-release.yml .github/workflows/scorecard.yml.
athena-omt
left a comment
I’m confirming the existing Scorecard blocker rather than repeating the bot’s point: .github/workflows/scorecard.yml still grants id-token: write and security-events: write at workflow scope. The Scorecard v2 docs require “No workflow level write permissions” and say only the job running ossf/scorecard-action may use id-token: write, so this can still reject published results on push/schedule/manual runs. Please move the write permissions onto the scorecard job and keep the workflow-level permissions read-only.
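The two points raised in this thread, pinning `uses:` refs to full release tags instead of unresolved major aliases, and keeping write permissions off the workflow scope so only the Scorecard job holds `id-token: write`, are both things a workflow contract test can check mechanically. The block below is an added example and is not the project's own test/release-workflow.test.ts or test/security-workflow.test.ts; the function names (`checkWorkflow` and friends) and the two sample workflows are constructed for illustration, the pinned refs in the "fixed" sample are the tags named on this page, and actions/checkout@v4.2.2 is assumed to be an existing upstream release.

```typescript
// Added example (not the project's code): line-based contract checks over
// GitHub Actions workflow text. The two sample workflows are constructed.

interface Finding {
  line: number;     // 1-based line number in the workflow text
  message: string;
}

const FULL_TAG = /^v?\d+\.\d+\.\d+$/;  // a full release tag such as v2.4.3
const COMMIT_SHA = /^[0-9a-f]{40}$/;   // an immutable commit pin

function indentOf(line: string): number {
  return line.length - line.trimStart().length;
}

// Write grants inside the top-level `permissions:` block. Scorecard v2 rejects
// workflow-level write permissions; writes belong on the scorecard job only.
function workflowLevelWritePermissions(yaml: string): Finding[] {
  const findings: Finding[] = [];
  let inBlock = false;
  yaml.split("\n").forEach((raw, i) => {
    const line = raw.replace(/\s+#.*$/, "").trimEnd(); // drop trailing comments
    if (line.trim() === "") return;
    if (indentOf(line) === 0) {
      // A new top-level key: we are in the block only if it is `permissions:`.
      inBlock = /^permissions:/.test(line);
      if (inBlock && /^permissions:\s*write-all/.test(line)) {
        findings.push({ line: i + 1, message: "workflow-level permissions: write-all" });
      }
      return;
    }
    if (!inBlock) return;
    const m = /^\s*([\w-]+):\s*write\b/.exec(line);
    if (m) findings.push({ line: i + 1, message: `workflow-level ${m[1]}: write` });
  });
  return findings;
}

// `uses:` refs that are neither a full release tag nor a commit SHA, i.e.
// major-only aliases such as @v2 or branch names.
function unpinnedActionRefs(yaml: string): Finding[] {
  const findings: Finding[] = [];
  yaml.split("\n").forEach((raw, i) => {
    const m = /^\s*-?\s*uses:\s*([^\s#]+)/.exec(raw);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith("./") || ref.startsWith("docker://")) return; // local / container refs
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!FULL_TAG.test(version) && !COMMIT_SHA.test(version)) {
      findings.push({ line: i + 1, message: `unpinned action ref ${ref}` });
    }
  });
  return findings;
}

function checkWorkflow(yaml: string): Finding[] {
  return [...workflowLevelWritePermissions(yaml), ...unpinnedActionRefs(yaml)]
    .sort((a, b) => a.line - b.line);
}

// Constructed sample: the shape the review objected to.
const WEAK_SCORECARD = `name: Scorecard
on:
  push:
    branches: [main]
permissions:
  id-token: write
  security-events: write
jobs:
  scorecard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ossf/scorecard-action@v2
`;

// Constructed sample: read-only workflow scope, writes on the scorecard job, full tags.
const FIXED_SCORECARD = `name: Scorecard
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      security-events: write
    steps:
      - uses: actions/checkout@v4.2.2
      - uses: ossf/scorecard-action@v2.4.3
`;

for (const f of checkWorkflow(WEAK_SCORECARD)) console.log(`weak:${f.line}: ${f.message}`);
console.log(`fixed: ${checkWorkflow(FIXED_SCORECARD).length} findings`);
```

The checks are deliberately line-based rather than a full YAML parse, which is enough for workflow files written in the conventional two-space style and keeps the test dependency-free; a job-level `permissions:` block is ignored by design, since that is exactly where Scorecard wants the write grants to live.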
pheidon
left a comment
Reviewed the workflow pinning changes and aligned tests. The pinned cosign-installer v4.1.2 and scorecard-action v2.4.3 releases resolve upstream, Scorecard write permissions are now scoped to the scorecard job with workflow-level contents read, and CI/security checks are green. No blockers found.
Summary
- sigstore/cosign-installer@v4.1.2 (tag)
- ossf/scorecard-action@v2.4.3 (tag)

Verification
- pnpm exec vitest run test/release-workflow.test.ts test/security-workflow.test.ts: passed
- pnpm lint: passed
- actionlint .github/workflows/release-image.yml .github/workflows/rg-release.yml .github/workflows/scorecard.yml: passed

Issue Link
No issue is linked. This is a post-merge CI/release repair for the release workflows that failed after PR #123 merged and closed the governed issue batch.