Merged
16 changes: 13 additions & 3 deletions .github/dependabot.yml
@@ -1,6 +1,16 @@
version: 2

updates:
- package-ecosystem: "github-actions"
directory: "/"
- package-ecosystem: github-actions
directory: /
schedule:
interval: "daily"
interval: weekly
cooldown:
default-days: 7
groups:
actions:
patterns: ["*"]
ignore:
- dependency-name: DeterminateSystems/*
commit-message:
prefix: ci
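Review bot: the `ignore` entry `- dependency-name: DeterminateSystems/*` also covers the SHA-pinned `determinate-nix-action@4eea0b33…` used in ci.yml and update.yml, so Dependabot will never bump that pin even though it is exactly the kind of pin this PR introduces everywhere else. If the intent is only to keep Dependabot away from the `@main` references, list those actions by name (for example `- dependency-name: DeterminateSystems/flake-checker-action`) instead of the wildcard, and add a short comment above the `ignore:` block explaining why they are excluded, so the exception is visible to whoever next edits this file.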
7 changes: 4 additions & 3 deletions .github/workflows/ci.yml
@@ -12,16 +12,17 @@ jobs:
id-token: write
contents: read
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Check Nixpkgs
uses: DeterminateSystems/flake-checker-action@main

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin remaining @main actions to immutable SHAs.

DeterminateSystems/flake-checker-action@main and DeterminateSystems/flakehub-cache-action@main are still mutable refs. This leaves a supply-chain gap in an otherwise pinned workflow.

Suggested change
-      - name: Check Nixpkgs
-        uses: DeterminateSystems/flake-checker-action@main
+      - name: Check Nixpkgs
+        uses: DeterminateSystems/flake-checker-action@<commit-sha> # <version>

...

-      - name: Enable FlakeHub Cache
-        uses: DeterminateSystems/flakehub-cache-action@main
+      - name: Enable FlakeHub Cache
+        uses: DeterminateSystems/flakehub-cache-action@<commit-sha> # <version>

Also applies to: 28-28

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 20, replace mutable refs for the two GitHub
Actions so they use immutable commit SHAs: locate the uses entries for
DeterminateSystems/flake-checker-action@main and
DeterminateSystems/flakehub-cache-action@main and change each `@main` to the
corresponding pinned SHA (the full 40-char commit hash for the exact release you
want to depend on), ensuring you update both occurrences (the
flake-checker-action line and the flakehub-cache-action line) so both actions
are pinned to immutable SHAs.

with:
fail-mode: true

- name: Install Determinate Nix
uses: DeterminateSystems/determinate-nix-action@v3
uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0

- name: Enable FlakeHub Cache
uses: DeterminateSystems/flakehub-cache-action@main
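Review bot: within this hunk `determinate-nix-action` gets an immutable SHA while `flake-checker-action@main` and `flakehub-cache-action@main` stay on a mutable branch, and nothing in the file says whether that difference is deliberate. If the first-party actions are meant to track `main` (the Dependabot `ignore` and the zizmor `ref-pin` policy elsewhere in this PR suggest so), put a one-line comment on each of those two `uses:` lines saying that, so a future reader does not take them for missed pins; otherwise pin them like the rest. `persist-credentials: false` on the checkout is a good addition; `fetch-depth: 0` still fetches full history, which is only worth keeping if a later step in this job depends on it.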
@@ -32,7 +33,7 @@ jobs:
echo "directory=$(nix develop --command npm config get cache | tr -d '\n')" >> $GITHUB_OUTPUT

- name: Set up npm cache
uses: actions/cache@v5
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ steps.npm-cache-directory.outputs.directory }}
key: update-flake-lock-npm-cache-${{ hashFiles('**/package-lock.json') }}
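Review bot: the `actions/cache` pin with its `# v5.0.5` comment follows the convention used in the other hunks, nothing to change there. One pre-existing nit on the context line above it: `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"` so the redirect target is quoted like the rest of the command; harmless today because the path contains no spaces, but shellcheck flags it and it is cheap to fix while the step is being touched.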
6 changes: 4 additions & 2 deletions .github/workflows/update.yml
@@ -14,8 +14,10 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/determinate-nix-action@v3
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@4eea0b33e3d1f02ecfe37cf16e7204c424009606 # v3.21.0
- uses: DeterminateSystems/update-flake-lock@main

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

update-flake-lock step is still unpinned (@main).

This step should also use a commit SHA to keep the workflow fully immutable and consistent with the pinning objective.

Suggested change
-      - uses: DeterminateSystems/update-flake-lock@main
+      - uses: DeterminateSystems/update-flake-lock@<commit-sha> # <version>

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/update.yml at line 21, the workflow step currently
references the action as DeterminateSystems/update-flake-lock@main; replace the
unpinned ref with a specific commit SHA (e.g.,
DeterminateSystems/update-flake-lock@<commit-sha>) so the `update-flake-lock`
step is immutable—locate the line containing "uses:
DeterminateSystems/update-flake-lock@main" and swap `@main` for the chosen
commit SHA, committing the updated workflow file.

with:
pr-title: "Update Nix flake inputs" # Title of PR to be created
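Review bot: `persist-credentials: false` on the checkout means the `update-flake-lock@main` step that follows must bring its own token to push the branch and open the pull request; confirm the action authenticates through its own token input rather than the credentials the checkout used to persist, otherwise the push inside the action fails once this merges. Only `pr-title` is visible among its inputs here. Since this repository ships its own `action.yml` (see the action.yml hunk in this PR), `@main` here looks like the repository consuming its own action; if so, a comment on the `uses:` line saying that would explain why this reference is left unpinned while `checkout` and `determinate-nix-action` in the same hunk are pinned.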
7 changes: 5 additions & 2 deletions .github/workflows/validate.yml
@@ -8,12 +8,15 @@ on:
jobs:
validate:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Validate YAML
uses: nwisbeta/validate-yaml-schema@v2.0.0
uses: nwisbeta/validate-yaml-schema@c3734e647d2a3beb98b9132330067e900fdbd1a2 # v2.0.0
with:
yamlSchemasJson: |
{
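Review bot: `fetch-depth: 0` fetches full history for a job whose only visible step validates YAML files in the working tree; unless the schema step needs history, dropping it makes the checkout cheaper and leaves less on the runner. The new `permissions: contents: read` block is the right least-privilege default for this job, and `persist-credentials: false` together with the SHA pin on `nwisbeta/validate-yaml-schema` (with the `# v2.0.0` comment) is consistent with the rest of the PR.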
25 changes: 25 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
name: zizmor

on:
push:
branches:
- main
pull_request:

jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
config: .github/zizmor.yml
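Review bot: `security-events: write` is requested so findings can be uploaded to code scanning, but on `pull_request` runs triggered from forks the workflow token is read-only, so that upload will lack the permission it needs there; either accept that fork PRs only get the step's log output or make the upload conditional on the event coming from this repository. `contents: read` and `actions: read` are the minimum the rest of the job needs, the checkout is pinned with `persist-credentials: false`, and `config: .github/zizmor.yml` matches the file added in this PR, so the remainder of the hunk is in good shape.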
5 changes: 5 additions & 0 deletions .github/zizmor.yml
@@ -0,0 +1,5 @@
rules:
unpinned-uses:
config:
policies:
DeterminateSystems/*: ref-pin
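Review bot: the `ref-pin` policy tells zizmor to accept branch or tag references for every `DeterminateSystems/*` action, which is what keeps the `@main` references in ci.yml and update.yml from failing the new `unpinned-uses` check. That is a reasonable exception for first-party actions, but the file does not say why it exists; add a comment above `policies:` stating the rationale, and consider naming the actions actually referenced (`flake-checker-action`, `flakehub-cache-action`, `update-flake-lock`) instead of the wildcard so that any further action from that organisation still gets the SHA-pin check by default.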
2 changes: 1 addition & 1 deletion action.yml
@@ -208,7 +208,7 @@ runs:
run: rm -f pr_body.txt pr_body.template
- name: Create PR
id: create-pr
uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
with:
base: ${{ inputs.base }}
branch: ${{ inputs.branch }}
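Review bot: the patch-level bump of `peter-evans/create-pull-request` from `# v8.1.0` to `# v8.1.1` with a new SHA is fine as long as the comment really matches the commit; please confirm `5f6978faf089d4d20b00c7766989d076bb2fc7f1` resolves to the v8.1.1 tag, since a version comment that drifts from the pinned commit is exactly the mismatch SHA pinning is meant to rule out and nothing in the CI added here checks the two against each other.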