fix(ci): resolve actionlint errors blocking Workflow Lint CI#778
Conversation
- actionlint.yml: inline action SHAs directly in uses: fields (env context is not allowed in uses: — fixes 4 [expression] errors) - python-app.yml: upgrade actions/setup-python from v3 to v5 (v3/v4 are too old for current GitHub Actions runners) - actionlint.yml: add actionlint_flags to suppress the 'models' permission scope warning (real GitHub Models API permission not yet known to actionlint v1.7.7)
There was a problem hiding this comment.
Sorry @Copilot, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
|
@Bryan-Roe Thanks for sending me some feedback. Unfortunately, I hit an error while trying to use the custom Copilot setup steps configured for this repository. The error I am seeing is: Once you or someone with the necessary access fixes the problem, please let me know in a comment and I'll try again. Thanks! |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
| - uses: actions/checkout@v4 | ||
| - name: Set up Python 3.10 | ||
| uses: actions/setup-python@v3 | ||
| uses: actions/setup-python@v5 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
You can view more details about this finding in the Semgrep AppSec Platform.
There was a problem hiding this comment.
Pull request overview
This PR fixes the failing Workflow Lint (actionlint) CI by addressing three classes of errors: (1) env-context references inside uses: fields (not supported by GitHub Actions), (2) an outdated actions/setup-python version, and (3) a false-positive models permission warning from the older bundled actionlint. It is a CI-hygiene change scoped to two workflow files with no runtime/application impact.
Changes:
- Replaced four
uses: action@${{ env.SHA }}references inactionlint.ymlwith literal pinned SHAs (version comments preserved), aligning with the established repo pattern seen in other workflows. - Upgraded
actions/setup-pythonfromv3tov5inpython-app.yml. - Added
actionlint_flagstoactionlint.ymlto suppress themodelspermission false positive — however, the escaping of this flag value is incorrect (see review comment).
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.github/workflows/actionlint.yml |
Inlined pinned SHAs into uses: fields and added an -ignore flag to suppress the models permission warning; the -ignore value's escaping is broken by the action's unquoted expansion. |
.github/workflows/python-app.yml |
Bumped actions/setup-python from v3 to v5. |
| filter_mode: nofilter | ||
| # Suppress the "models" permission warning: it is a real GitHub Models API | ||
| # scope but is not yet in actionlint's known-permissions list. | ||
| actionlint_flags: '-ignore "unknown permission scope \"models\""' |
|
@Bryan-Roe Thanks for sending me some feedback. Unfortunately, I hit an error while trying to use the custom Copilot setup steps configured for this repository. The error I am seeing is: Once you or someone with the necessary access fixes the problem, please let me know in a comment and I'll try again. Thanks! |
| steps: | ||
| - name: Harden runner | ||
| uses: step-security/harden-runner@${{ env.HARDEN_RUNNER_SHA }} | ||
| uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.2 |
| # Exclude vendored third-party scripts (dotnet-install.sh is the | ||
| # Microsoft .NET installer) and generated agent-template directories. | ||
| ignore_paths: dotnet-install.sh my-agent-0b2avt | ||
| # Only fail CI on error-severity findings; warnings in our own | ||
| # scripts are reported but do not block the build. | ||
| severity: error |
The
actionlintworkflow has been failing due to three classes of errors across workflow files.Changes
actionlint.yml— inline pinned SHAs inuses:fields (4 errors)envcontext (${{ env.VAR }}) is not available inuses:— GitHub evaluates action refs before context expansion. Replaced all fouruses: action@${{ env.SHA }}references with the literal SHA values (version comments preserved).python-app.yml— upgradeactions/setup-pythonfromv3→v5v3(andv4) are flagged by actionlint as too old for current GitHub Actions runners.actionlint.yml— suppress false[permissions]error formodels: readmodelsis a real GitHub Models API permission scope, not yet in actionlint v1.7.7's known-permissions list. Addedactionlint_flagsto pass-ignoreat runtime rather than removing the permission fromsummary.yml.