ci: S24.14 harden workflow supply chain + sweep all actions to Node 24#485
Conversation
📝 WalkthroughWalkthroughThis PR hardens the CI supply chain across all GitHub Actions workflows by disabling credential persistence on checkout steps and SHA-pinning all previously floating action versions to satisfy zizmor compliance and Node 24 compatibility requirements. ChangesCI Supply-Chain Hardening
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
☀️ Quality Summary 🚦 build-linux-gcc: 100% successful (✔️ 1344 passed) Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result. |
Adds `persist-credentials: false` to all 26 `actions/checkout` steps (25 in ci.yml, 1 in sbom.yml) so the checkout's GITHUB_TOKEN is not persisted in .git/config for later steps — the BDD compose lanes bind-mount the repo root into containers. Closes the zizmor `artipacked` finding deferred from #476. SHA-pins the three remaining tag-pinned actions so the workflow tree is zizmor `unpinned-uses`-clean: - dorny/test-reporter@v3 -> a43b3a5 # v3.0.0 - actions/cache@v4 -> (then bumped to v5, see below) - uhafner/quality-monitor@v1 -> 778e3a6 # v1.14.0 Sweeps the entire workflow tree (ci.yml, sbom.yml, release-please.yml) off the deprecated Node 20 runtime (forced off the runner from 2026-06-16) to the node24 release of each action: - actions/upload-artifact -> 043fb46 # v7.0.1 - actions/download-artifact -> 3e5f45b # v8.0.1 - actions/cache -> 27d5ce7 # v5.0.5 - actions/github-script -> ed59741 # v8.0.0 - actions/deploy-pages -> cd2ce8f # v5.0.0 - googleapis/release-please-action -> 45996ed # v5.0.0 Verified node24-clean: every pinned SHA's action.yml resolves to using:node24 (or composite/docker); no node20 and no unpinned uses remain. Behaviour notes (acceptable pre-release): download-artifact@v8 defaults a hash mismatch to a hard error; release-please-action@v5 marks node24 a breaking change but it is only the runtime bump. The deploy-pages and release-please lanes run on main only, so this PR's CI does not exercise them. Closes #477 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
7f64340 to
a66712e
Compare
☀️ Quality Summary 🚦 build-linux-gcc: 100% successful (✔️ 1344 passed) Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result. |
Purpose
Closes #477 (S24.14 — CI supply-chain hardening). Resolves the two zizmor findings
deferred from the S28.09 (#476) review, and folds in a full sweep of the workflow
tree off the deprecated Node 20 runtime (GitHub forces Node 20 off the runner from
2026-06-16). Pre-release, so action major-version breaking-changes are acceptable.
Change Description
1.
persist-credentials: falseon everyactions/checkout(zizmorartipacked)ci.yml(were bare- uses:with nowith:block — each gains one).sbom.yml(appended under its existingwith: { fetch-depth: 0 }).GITHUB_TOKENis no longer written into.git/config; the BDDcompose lanes bind-mount the repo root into containers, so this removes a
credential from those first-party containers.
2. SHA-pin the remaining tag-pinned actions (zizmor
unpinned-uses)dorny/test-reporter@v3→a43b3a5…# v3.0.0 (×13)uhafner/quality-monitor@v1→778e3a6…# v1.14.0 (×1)actions/cache@v4→ pinned, then bumped to v5 in (3) below.3. Node 24 runtime sweep (deprecation warning) — every JS action bumped to the
node24 release of its major; verified node24-clean (a script parses all three
workflows, fetches each pinned SHA's
action.yml, asserts nousing: node20):actions/upload-artifact→043fb46…# v7.0.1 — ci.yml + sbom.ymlactions/download-artifact→3e5f45b…# v8.0.1 — ci.yml + sbom.ymlactions/cache→27d5ce7…# v5.0.5 — ci.ymlactions/github-script→ed59741…# v8.0.0 — ci.ymlactions/deploy-pages→cd2ce8f…# v5.0.0 — ci.yml (main-only lane)googleapis/release-please-action→45996ed…# v5.0.0 — release-please.yml (main-only)Behaviour notes (acceptable pre-release):
download-artifact@v8defaults adownload hash mismatch to a hard error (was a warning) and moved to ESM;
release-please-action@v5marks node24 a "breaking change" but it is only theruntime bump (no config-schema change).
Test Evidence
python3 yaml.safe_loadparses all three workflow files.ci.ymlcheckouts and 1/1sbom.ymlcheckout carrywith.persist-credentials: false; 0 missing.grepfor anyuses:without a 40-hex SHA across all workflows → none.deploy-coverage-pages(deploy-pages) andrelease-pleaserun onmainonly — worth a glance on the first post-merge runs.Areas Affected
.github/workflows/ci.yml.github/workflows/sbom.yml.github/workflows/release-please.ymlDEVLOG.md