fix(ci): pin GitHub Actions to SHA digests#2920

Merged
migmartri merged 6 commits into chainloop-dev:main from migmartri:fix/pin-github-actions-digests on Mar 22, 2026

Conversation

@migmartri (Member) commented Mar 22, 2026

Closes #2921

Summary

  • Pin all external GitHub Action references to commit SHA digests instead of mutable version tags across 5 workflow files, preventing supply chain attacks via tag reassignment
  • Remove unused chainloop-chainloop-github-release contract

Pin all external GitHub Action references to commit SHA digests
instead of mutable version tags to prevent supply chain attacks
via tag reassignment.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
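
As an added example (not code from this PR or the Chainloop project), a small linter that checks the policy described above against workflow text: every external `uses:` reference must resolve to a full 40-character commit SHA, and should carry a trailing version comment so update tooling can still track releases. The sample workflow and its SHAs are constructed; the regex, `Finding` type and function names are this example's own.

```python
"""Lint GitHub Actions workflows for action refs not pinned to a commit SHA.
Constructed example; the sample workflow and its SHAs below are made up."""
import re
from typing import List, NamedTuple, Optional
# "uses: owner/repo[/path]@ref", optionally followed by a "# v1.2.3" comment
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<target>[^\s'\"#]+)['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

class Finding(NamedTuple):
    line: int
    target: str
    reason: str

def check_uses(line_no: int, target: str, comment: Optional[str]) -> Optional[Finding]:
    """Return a Finding when an external action reference is not immutably pinned."""
    if target.startswith(("./", "docker://")):  # local actions and images: out of scope
        return None
    if "@" not in target:
        return Finding(line_no, target, "missing ref")
    if not FULL_SHA_RE.match(target.rsplit("@", 1)[1]):
        # a tag or branch can later be moved to point at different code
        return Finding(line_no, target, "mutable ref (tag or branch)")
    if not comment:
        # keep "# vX.Y.Z" beside the SHA so update tooling knows which release it is
        return Finding(line_no, target, "pinned but no version comment")
    return None

def lint_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text line by line and collect pinning violations."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            f = check_uses(n, m.group("target"), m.group("comment"))
            if f:
                findings.append(f)
    return findings

SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v5.0.0 (constructed SHA)
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - uses: some-org/other-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""
```

Running `lint_workflow(SAMPLE_WORKFLOW)` flags the `@v4` and `@main` references as mutable and the last step as pinned without a version comment; the local action and the commented SHA pass.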

@cubic-dev-ai (bot) left a comment


No issues found across 5 files

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Add Chainloop contract and GitHub Actions workflow for PR attestation
on the chainloop-platform project. Enforces commit signatures, PR
description quality, and GitHub issue linking.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri changed the title fix(ci): pin GitHub Actions to SHA digests fix(ci): pin GitHub Actions to SHA digests and add PR validation Mar 22, 2026

@cubic-dev-ai (bot) left a comment


2 issues found across 3 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.

<file name=".github/workflows/pr_validation.yaml">

<violation number="1" location=".github/workflows/pr_validation.yaml:18">
P2: Avoid granting `id-token: write` at workflow scope; set minimal workflow permissions and declare `id-token: write` on the specific job that needs it.

(Based on your team's feedback about GitHub Actions permissions scoping.) [FEEDBACK_USED]</violation>

<violation number="2" location=".github/workflows/pr_validation.yaml:36">
P1: Pin and verify the Chainloop CLI installation instead of executing an unpinned remote script, otherwise the installed binary can change unexpectedly between runs.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Move permissions to job level with read-all at workflow level,
remove --collectors aiconfig flag, and fix project name to chainloop.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

OIDC id-token is not available for fork PRs, making keyless
attestation impossible for external contributions.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri changed the title fix(ci): pin GitHub Actions to SHA digests and add PR validation fix(ci): pin GitHub Actions to SHA digests Mar 22, 2026
@migmartri migmartri merged commit 770f7df into chainloop-dev:main Mar 22, 2026
14 checks passed
Linked issue (closed by this PR): Pin GitHub Actions to SHA digests and add PR validation workflow