ci: pin remaining GitHub Actions to commit SHAs #7336
karmada-bot merged 1 commit into karmada-io:master from
Pull request overview
This PR hardens CI supply-chain security by pinning third-party GitHub Actions references in workflows to immutable commit SHAs (instead of floating tags/branches), improving reproducibility and reducing exposure to upstream tag retargeting incidents (e.g., the Trivy compromise in #7314).
Changes:
- Replaced `uses: owner/action@<tag>` references across workflows with `uses: owner/action@<commit_sha>`.
- Pinned additional third-party actions used for releases, artifact handling, image publishing, scanning, and e2e pipelines.
- Added inline comments annotating the original tag/version next to the pinned SHA.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/update-helm-index.yml | Pins checkout + helm setup actions to SHAs for helm index publishing workflow. |
| .github/workflows/swr-released-image.yml | Pins checkout + setup-go actions for SWR release image workflow. |
| .github/workflows/swr-latest-image.yml | Pins checkout + setup-go actions for SWR latest image workflow. |
| .github/workflows/release.yml | Pins multiple release/provenance-related actions (checkout, setup-go, artifacts, GH release, SLSA generator, etc.). |
| .github/workflows/installation-operator.yaml | Pins free-disk-space, checkout, setup-go, artifact upload actions for operator install/e2e. |
| .github/workflows/installation-cli.yaml | Pins free-disk-space, checkout, setup-go, artifact upload actions for CLI install/e2e. |
| .github/workflows/installation-chart.yaml | Pins actions used in chart installation/testing (checkout, setup-go, helm/kustomize/python, chart-testing). |
| .github/workflows/fossa.yml | Pins checkout and FOSSA action for license/compliance scanning. |
| .github/workflows/dockerhub-released-image.yml | Pins actions used for DockerHub released-image publishing (checkout, setup-go, cosign, qemu/buildx, login). |
| .github/workflows/dockerhub-released-chart.yml | Pins actions used for DockerHub released-chart publishing (checkout, setup-go, login). |
| .github/workflows/dockerhub-latest-image.yml | Pins actions used for DockerHub latest-image publishing (checkout, setup-go, cosign, qemu/buildx, login). |
| .github/workflows/dockerhub-latest-chart.yml | Pins actions used for DockerHub latest-chart publishing (checkout, setup-go, login). |
| .github/workflows/ci.yml | Pins core CI actions (checkout, setup-go, protoc setup, codecov, artifacts, free-disk-space). |
| .github/workflows/ci-schedule.yml | Pins scheduled CI actions (free-disk-space, checkout, setup-go, retry, artifacts). |
| .github/workflows/ci-schedule-compatibility.yaml | Pins scheduled compatibility workflow actions (free-disk-space, checkout, setup-go, retry, artifacts). |
| .github/workflows/ci-performance-compare.yaml | Pins actions for perf comparison workflow (free-disk-space, checkout, setup-go, artifacts download/upload). |
| .github/workflows/ci-image-scanning.yaml | Pins actions for image scanning workflow (checkout, setup-go, SARIF upload). |
| .github/workflows/ci-image-scanning-on-schedule.yml | Pins actions for scheduled image scanning workflow (checkout, setup-go, SARIF upload). |
| actions: read # for detecting the Github Actions environment | ||
| id-token: write # Needed for provenance signing and ID | ||
| contents: write # Needed for release uploads | ||
| # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator |
The inline documentation says the SLSA generator workflow "must be referenced by a tag", but this PR switches the reference to a commit SHA. Either update the comment to reflect that pinning by SHA is intentional/allowed (or revert to a tag if the upstream requirement is strict) to avoid misleading future edits.
| # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
| # Pinned to the commit corresponding to tag v2.1.0 for security. See: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator |
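Review bot: the replacement comment `# Pinned to the commit corresponding to tag v2.1.0 for security.` drops the upstream requirement stated in the very README it links to ("Must be referenced by a tag"), so a reader of the new comment would assume SHA pinning is supported for this generator. Keep the original `# Must be referenced by a tag.` comment and the tag reference for this one action, and record the exception in the tracking issue discussed in the thread, so a later sweep does not re-pin it to a SHA.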
I'll take a look at this inline documentation.
Thanks. I've reverted this change and kept it unchanged.
Given this is the only GitHub Action that doesn't pin to a SHA, and there is an ongoing effort from the slsa-framework community (slsa-framework/slsa-verifier#12), I suggest opening an issue to track this. Once upstream supports a pinned version, we should update it accordingly.
OK. Please help to create the issue.
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff (master vs. #7336):

| | master | #7336 | +/- |
|---|---|---|---|
| Coverage | 42.03% | 42.01% | -0.02% |
| Files | 874 | 874 | |
| Lines | 53551 | 53556 | +5 |
| Hits | 22511 | 22504 | -7 |
| Misses | 29349 | 29360 | +11 |
| Partials | 1691 | 1692 | +1 |
Force-pushed 7b14981 to 4fc4663.
Pull request overview
Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.
Force-pushed 9e99fd6 to ae2e932.
This hardens workflow supply-chain security and improves reproducibility.
Signed-off-by: RainbowMango <qdurenhongcai@gmail.com>
Force-pushed ae2e932 to 42346bc.
/gemini review
Pull request overview
Copilot reviewed 18 out of 18 changed files in this pull request and generated no new comments.
@RainbowMango Any more updates? If it's ready, let's merge.
Yes, let's do it.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: zhzhuang-zju
This hardens workflow supply-chain security and improves reproducibility.
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
This pull request updates all GitHub Actions workflow files to use specific commit SHAs for third-party actions instead of version tags. This change improves the security and reliability of the CI/CD pipeline by ensuring that the workflows use immutable, reviewed versions of each action, preventing unexpected changes from upstream updates.
These changes help prevent supply chain attacks and ensure that CI builds are reproducible and predictable.
Which issue(s) this PR fixes:
Fixes #7314
Special notes for your reviewer:
This is a follow-up of #7316 and a replacement of #5396.
Does this PR introduce a user-facing change?:
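A lint check for the pinning convention this PR adopts (a 40-hex commit SHA on every third-party `uses:` reference, plus an inline comment naming the tag it corresponds to), written here as an added example and not part of the karmada repository or its CI. The sample workflow text, its SHA values and the allowlist entry for the tag-only SLSA generator are constructed for this example.

```python
"""Flag third-party GitHub Actions that are not pinned to a commit SHA.

Constructed example: scans `uses:` lines line-by-line (no YAML library
needed) and reports floating tags/branches as well as SHA pins that lack
the inline version comment the PR adds next to each SHA.
"""
import re
from typing import NamedTuple

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s]+)['\"]?\s*(?:#\s*(.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions whose upstream docs require a tag reference; the PR thread keeps
# slsa-github-generator on its tag until slsa-verifier#12 lands upstream.
TAG_ONLY_ALLOWLIST = frozenset({"slsa-framework/slsa-github-generator"})


class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    problem: str


def check_workflow(text: str, allowlist=TAG_ONLY_ALLOWLIST) -> list[Finding]:
    """Return one Finding per `uses:` reference that violates the convention."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local actions (./path) carry no @ref and are skipped
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        if action.startswith("docker://"):
            continue  # container images are a separate pinning problem
        repo = "/".join(action.split("/")[:2])  # owner/repo, drop any subpath
        if repo in allowlist:
            continue
        if SHA_RE.match(ref):
            if not comment:
                findings.append(Finding(lineno, action, ref, "pinned SHA lacks version comment"))
            continue
        findings.append(Finding(lineno, action, ref, "not pinned to a commit SHA"))
    return findings


# Constructed workflow fragment; the SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4.1.0
  - uses: actions/setup-go@v5
  - uses: ./hack/local-action
  - uses: fossas/fossa-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
"""
```

Running `check_workflow(SAMPLE_WORKFLOW)` reports the floating `setup-go@v5` and the comment-less FOSSA pin while leaving the allowlisted SLSA generator alone; passing an empty allowlist makes the generator's tag reference show up too.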