Skip to content

ci: S24.14 harden workflow supply chain + sweep all actions to Node 24#485

Merged
DavidCozens merged 1 commit into
mainfrom
ci/s24.14-supply-chain-hardening
May 30, 2026
Merged

ci: S24.14 harden workflow supply chain + sweep all actions to Node 24#485
DavidCozens merged 1 commit into
mainfrom
ci/s24.14-supply-chain-hardening

Conversation

@DavidCozens

@DavidCozens DavidCozens commented May 30, 2026

Copy link
Copy Markdown
Owner

Purpose

Closes #477 (S24.14 — CI supply-chain hardening). Resolves the two zizmor findings
deferred from the S28.09 (#476) review, and folds in a full sweep of the workflow
tree off the deprecated Node 20 runtime (GitHub forces Node 20 off the runner from
2026-06-16). Pre-release, so action major-version breaking-changes are acceptable.

Change Description

1. persist-credentials: false on every actions/checkout (zizmor artipacked)

  • 25 steps in ci.yml (were bare - uses: with no with: block — each gains one).
  • 1 step in sbom.yml (appended under its existing with: { fetch-depth: 0 }).
  • The checkout's GITHUB_TOKEN is no longer written into .git/config; the BDD
    compose lanes bind-mount the repo root into containers, so this removes a
    credential from those first-party containers.

2. SHA-pin the remaining tag-pinned actions (zizmor unpinned-uses)

  • dorny/test-reporter@v3a43b3a5… # v3.0.0 (×13)
  • uhafner/quality-monitor@v1778e3a6… # v1.14.0 (×1)
  • actions/cache@v4 → pinned, then bumped to v5 in (3) below.
  • Every action is now SHA-pinned across all three workflows.

3. Node 24 runtime sweep (deprecation warning) — every JS action bumped to the
node24 release of its major; verified node24-clean (a script parses all three
workflows, fetches each pinned SHA's action.yml, asserts no using: node20):

  • actions/upload-artifact043fb46… # v7.0.1 — ci.yml + sbom.yml
  • actions/download-artifact3e5f45b… # v8.0.1 — ci.yml + sbom.yml
  • actions/cache27d5ce7… # v5.0.5 — ci.yml
  • actions/github-scripted59741… # v8.0.0 — ci.yml
  • actions/deploy-pagescd2ce8f… # v5.0.0 — ci.yml (main-only lane)
  • googleapis/release-please-action45996ed… # v5.0.0 — release-please.yml (main-only)

Behaviour notes (acceptable pre-release): download-artifact@v8 defaults a
download hash mismatch to a hard error (was a warning) and moved to ESM;
release-please-action@v5 marks node24 a "breaking change" but it is only the
runtime bump (no config-schema change).

Test Evidence

  • python3 yaml.safe_load parses all three workflow files.
  • 25/25 ci.yml checkouts and 1/1 sbom.yml checkout carry
    with.persist-credentials: false; 0 missing.
  • grep for any uses: without a 40-hex SHA across all workflows → none.
  • Node-runtime audit of every pinned SHA → all node24 / composite / docker; no node20.
  • First PR run (pre-sweep) was fully green; this run re-validates after the bumps.
  • Not exercised on PR: deploy-coverage-pages (deploy-pages) and
    release-please run on main only — worth a glance on the first post-merge runs.

Areas Affected

  • .github/workflows/ci.yml
  • .github/workflows/sbom.yml
  • .github/workflows/release-please.yml
  • DEVLOG.md

@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

This PR hardens the CI supply chain across all GitHub Actions workflows by disabling credential persistence on checkout steps and SHA-pinning all previously floating action versions to satisfy zizmor compliance and Node 24 compatibility requirements.

Changes

CI Supply-Chain Hardening

Layer / File(s) Summary
Checkout credential isolation
.github/workflows/ci.yml, .github/workflows/sbom.yml
All actions/checkout steps across 25 jobs now set persist-credentials: false to prevent .git credentials from being mounted into containers.
Test reporter action pinning
.github/workflows/ci.yml
dorny/test-reporter SHA-pinned to v3.0.0 commit across 13 jobs that report JUnit XML results.
Artifact actions SHA-pinning and version bumps
.github/workflows/ci.yml, .github/workflows/sbom.yml
actions/upload-artifact bumped to v7.0.1 and actions/download-artifact bumped to v8.0.1 across 26 artifact transfer steps for Node 24 compatibility, all with SHA pins.
Cache and quality monitor action pinning
.github/workflows/ci.yml
actions/cache SHA-pinned to v4.3.0 (2 Windows jobs) and uhafner/quality-monitor SHA-pinned to v1.14.0 in the pull-request summary job.
Hardening decisions documentation
DEVLOG.md
New entry (2026-05-30 / S24.14) documents the full hardening scope, deferred questions about artifact download digest mismatch behavior, and Node 24 opt-in fallback considerations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • DavidCozens/solid-syslog#195: Both PRs modify the SBOM GitHub Actions workflow, specifically updating actions/checkout credential persistence settings and pinning actions/upload-artifact / actions/download-artifact to compatible versions.

Poem

🐰 With credentials locked tight in the vault so secure,
SHA pins on our actions make the supply chain pure.
Node 24 ready, zizmor approves with delight,
CI's hardened and hardened—defence in the night! 🔒✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed All objectives from #477 are met: persist-credentials added to 25 checkout steps in ci.yml and 1 in sbom.yml; remaining tag-pinned actions SHA-pinned (dorny/test-reporter, actions/cache, uhafner/quality-monitor); artifact actions updated to Node 24 SHAs; full zizmor compliance achieved.
Out of Scope Changes check ✅ Passed All changes are directly scoped to CI hardening (#477): workflows updated for credentials security, action pinning, and Node 24 compliance; DEVLOG.md appropriately documents changes; no unrelated modifications present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title clearly and concisely summarizes the two main changes: CI supply-chain hardening via persist-credentials and Node 24 artifact actions updates, matching the PR's primary objectives.
Description check ✅ Passed The description thoroughly covers all required template sections: Purpose (issue #477 closure, zizmor findings), Change Description (three detailed subsections with implementation details), Test Evidence (comprehensive testing approach), and Areas Affected (all modified files listed).

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/s24.14-supply-chain-hardening

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

Copy link
Copy Markdown
Contributor

☀️   Quality Summary

   🚦   build-linux-gcc: 100% successful (✔️ 1344 passed)
   🚦   build-freertos-host-tdd-plustcp: 100% successful (✔️ 1652 passed)
   🚦   build-linux-clang: 100% successful (✔️ 1296 passed)
   🚦   sanitize-linux-gcc: 100% successful (✔️ 1296 passed)
   🚦   integration-linux-openssl: 100% successful (✔️ 9 passed)
   🚦   integration-linux-mbedtls: 100% successful (✔️ 7 passed)
   🚦   integration-windows-openssl: 100% successful (✔️ 9 passed)
   🚦   bdd-linux-syslog-ng: 94% successful (✔️ 46 passed, 🙈 3 skipped)
   🚦   bdd-windows-otel: 90% successful (✔️ 44 passed, 🙈 5 skipped)
   🚦   bdd-freertos-qemu-plustcp: 86% successful (✔️ 42 passed, 🙈 7 skipped)
   🚦   bdd-freertos-qemu-lwip: 65% successful (✔️ 32 passed, 🙈 17 skipped)
   🚦   build-windows-msvc: 100% successful (✔️ 1149 passed)
   🚦   build-linux-tunable-override: 100% successful (✔️ 1296 passed)
   ⚠️   Clang-Tidy: No warnings
   ⚠️   CPPCheck: No warnings


Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result.

Adds `persist-credentials: false` to all 26 `actions/checkout` steps (25 in
ci.yml, 1 in sbom.yml) so the checkout's GITHUB_TOKEN is not persisted in
.git/config for later steps — the BDD compose lanes bind-mount the repo root
into containers. Closes the zizmor `artipacked` finding deferred from #476.

SHA-pins the three remaining tag-pinned actions so the workflow tree is
zizmor `unpinned-uses`-clean:
  - dorny/test-reporter@v3      -> a43b3a5 # v3.0.0
  - actions/cache@v4            -> (then bumped to v5, see below)
  - uhafner/quality-monitor@v1  -> 778e3a6 # v1.14.0

Sweeps the entire workflow tree (ci.yml, sbom.yml, release-please.yml) off the
deprecated Node 20 runtime (forced off the runner from 2026-06-16) to the
node24 release of each action:
  - actions/upload-artifact            -> 043fb46 # v7.0.1
  - actions/download-artifact          -> 3e5f45b # v8.0.1
  - actions/cache                      -> 27d5ce7 # v5.0.5
  - actions/github-script              -> ed59741 # v8.0.0
  - actions/deploy-pages               -> cd2ce8f # v5.0.0
  - googleapis/release-please-action   -> 45996ed # v5.0.0

Verified node24-clean: every pinned SHA's action.yml resolves to using:node24
(or composite/docker); no node20 and no unpinned uses remain.

Behaviour notes (acceptable pre-release): download-artifact@v8 defaults a hash
mismatch to a hard error; release-please-action@v5 marks node24 a breaking
change but it is only the runtime bump. The deploy-pages and release-please
lanes run on main only, so this PR's CI does not exercise them.

Closes #477

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@DavidCozens DavidCozens force-pushed the ci/s24.14-supply-chain-hardening branch from 7f64340 to a66712e Compare May 30, 2026 12:47
@DavidCozens DavidCozens changed the title ci: S24.14 harden workflow supply chain + Node 24 artifact actions ci: S24.14 harden workflow supply chain + sweep all actions to Node 24 May 30, 2026
@github-actions

Copy link
Copy Markdown
Contributor

☀️   Quality Summary

   🚦   build-linux-gcc: 100% successful (✔️ 1344 passed)
   🚦   build-freertos-host-tdd-plustcp: 100% successful (✔️ 1652 passed)
   🚦   build-linux-clang: 100% successful (✔️ 1296 passed)
   🚦   sanitize-linux-gcc: 100% successful (✔️ 1296 passed)
   🚦   integration-linux-openssl: 100% successful (✔️ 9 passed)
   🚦   integration-linux-mbedtls: 100% successful (✔️ 7 passed)
   🚦   integration-windows-openssl: 100% successful (✔️ 9 passed)
   🚦   bdd-linux-syslog-ng: 94% successful (✔️ 46 passed, 🙈 3 skipped)
   🚦   bdd-windows-otel: 90% successful (✔️ 44 passed, 🙈 5 skipped)
   🚦   bdd-freertos-qemu-plustcp: 86% successful (✔️ 42 passed, 🙈 7 skipped)
   🚦   bdd-freertos-qemu-lwip: 65% successful (✔️ 32 passed, 🙈 17 skipped)
   🚦   build-windows-msvc: 100% successful (✔️ 1149 passed)
   🚦   build-linux-tunable-override: 100% successful (✔️ 1296 passed)
   ⚠️   Clang-Tidy: No warnings
   ⚠️   CPPCheck: No warnings


Created by Quality Monitor v1.14.0 (#f3859fd). More details are shown in the GitHub Checks Result.

@DavidCozens DavidCozens merged commit aca4373 into main May 30, 2026
27 checks passed
@DavidCozens DavidCozens deleted the ci/s24.14-supply-chain-hardening branch May 30, 2026 12:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

S24.14: CI supply-chain hardening — persist-credentials + SHA-pin remaining actions

1 participant