Update actions, SHA-pin third-party actions (create-pull-request, action-slack-notify), add persist-credentials: false, add permissions blocks, remove redundant scheduling guard step.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Christoph Blecker <admin@toph.ca>
Kusari Analysis Results

Caution: Flagged Issues Detected

The dependency analysis found no issues. However, the code analysis identified 7 high-severity findings across 4 GitHub Actions workflow files where actions are referenced using mutable version tags (e.g., @v6) instead of immutable commit SHA hashes. This is a confirmed supply chain security risk: if any of these tags are moved or compromised by a malicious actor, the workflows will silently execute arbitrary code. The risk is significantly elevated because several of these workflows operate with elevated permissions (contents: write, pull-requests: write), meaning a compromised action could push malicious code to the repository or open fraudulent pull requests.

Action items to resolve: Pin all GitHub Actions references to their full-length commit SHAs (e.g., actions/checkout@<full-sha> instead of actions/checkout@v6) in all 4 affected workflow files: discover-cncf-repos.yml, sync-cncf-projects.yml, sync-pcc-and-audit-statuses.yml, and update_mailing_list.yml.

Note: View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/setup-python@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
- actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
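The three controls this PR touches (full-SHA pins for `uses:` refs, a `permissions:` block, and `persist-credentials: false` on checkout) are easy to check mechanically before a scanner does. The following is an added example, not code from this repository or from the Kusari tooling: a dependency-free Python checker that walks a workflow file line by line and reports each control that is missing. The two workflow texts are constructed for the example, the third-party action name and its 40-hex SHA are placeholders, and the `tag_allowed_owners` parameter models the policy stated in the author's replies (first-party `actions/*` tracked by major tag with Dependabot) by downgrading those findings to informational rather than hiding them.

```python
import re

# A full-length commit SHA is 40 lowercase hex chars; anything else
# (v6, main, a short SHA) is a mutable ref that can be moved later.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` either as its own key or as the first key of a list item (`- uses:`).
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")


def split_ref(ref):
    """'owner/repo[/path]@ref' -> (action, ref); refs without '@' get ref=None."""
    if "@" not in ref:
        return ref, None
    action, _, version = ref.rpartition("@")
    return action, version


def is_sha_pinned(version):
    return version is not None and FULL_SHA_RE.match(version) is not None


def step_sets_persist_credentials_false(lines, uses_index):
    """Scan the keys after a `uses:` line that belong to the same step (indented
    at least as deep as the `uses` key). Assumes `with:` follows `uses:`."""
    uses_col = lines[uses_index].index("uses:")
    for ln in lines[uses_index + 1:]:
        if not ln.strip():
            continue
        if len(ln) - len(ln.lstrip()) < uses_col:   # next step or end of steps
            break
        if re.match(r"^\s*persist-credentials:\s*false\s*$", ln):
            return True
    return False


def audit_workflow(text, tag_allowed_owners=()):
    """Return [(severity, message)] for one workflow file.
    (1) every `uses:` ref must be a full commit SHA ('info' instead of 'high'
        for owners the team has explicitly chosen to track by major tag);
    (2) at least one permissions: block must exist (workflow- or job-level);
    (3) every actions/checkout step must set persist-credentials: false."""
    lines = text.splitlines()
    findings = []
    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append(("high", "no permissions block: GITHUB_TOKEN gets the repository default scope"))
    for i, ln in enumerate(lines):
        m = USES_RE.match(ln)
        if not m:
            continue
        raw = m.group(1)
        if raw.startswith("./"):   # local action from this repo, nothing to pin
            continue
        action, version = split_ref(raw)
        if not is_sha_pinned(version):
            sev = "info" if action.split("/")[0] in tag_allowed_owners else "high"
            findings.append((sev, f"line {i + 1}: {raw} is a mutable ref, not a full commit SHA"))
        if action == "actions/checkout" and not step_sets_persist_credentials_false(lines, i):
            findings.append(("medium", f"line {i + 1}: actions/checkout leaves the token in .git/config "
                                       "(persist-credentials defaults to true)"))
    return findings


def count_by_severity(findings):
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample: the shape of a sync workflow before and after this PR's changes.
WEAK = """\
name: sync
on:
  schedule:
    - cron: "0 9 * * 4"
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - uses: third-party/create-pull-request@v7
"""
# The owner "third-party" and the all-hex SHA below are placeholders, not real refs.
HARDENED = """\
name: sync
on:
  schedule:
    - cron: "0 9 * * 4"
permissions:
  contents: read
jobs:
  sync:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: third-party/create-pull-request@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        for sev, msg in audit_workflow(wf, tag_allowed_owners=("actions",)):
            print(f"{label}: [{sev}] {msg}")
```

Run without `tag_allowed_owners` the hardened file still yields one high finding for `actions/checkout@v6`, which is exactly the disagreement between the scanner and the author on this PR; the flag makes that policy choice explicit in the tool's output instead of silently accepting it.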
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| uses: actions/checkout@v6 |
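Review bot: this hunk replaces a full-SHA pin (`de0fac2e…`) with the floating `actions/checkout@v6` tag, which weakens rather than hardens the reference: the SHA was already the strongest ref available, and a tag can be moved. If the goal is to hand updates to Dependabot, it updates SHA-pinned action references too and maintains a trailing version comment, so the line can stay pinned as `uses: actions/checkout@<sha> # v6` while still tracking v6.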
actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| - name: Setup Go | ||
| uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 | ||
| uses: actions/setup-go@v6 |
actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| uses: actions/checkout@v6 |
actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| - name: Setup Go | ||
| uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 | ||
| uses: actions/setup-go@v6 |
actions/setup-go@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| uses: actions/checkout@v6 |
actions/checkout@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| - name: Set up Python | ||
| uses: actions/setup-python@v5 | ||
| uses: actions/setup-python@v6 |
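Review bot: the `actions/setup-python` bump from `@v5` to `@v6` stays on a mutable tag in a PR whose subject is SHA-pinning; if `actions/*` are deliberately exempt from pinning, record that decision on the line itself (a trailing comment) or in the Dependabot configuration so the next reviewer and the scanner have something to cite instead of re-raising the same finding on every file.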
actions/setup-python@v6 is not pinned to a specific commit hash. Pin this action to a full-length commit SHA to prevent supply chain attacks.
Intentional. First-party GitHub Actions (actions/*) are referenced by major version tag rather than SHA pin. Dependabot is being added (#205) to manage version updates.
| remind: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: "Guard: only run on 4th Thursday" |
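Review bot: removing the "Guard: only run on 4th Thursday" step leaves the schedule to cron alone, and cron cannot express "4th Thursday" by itself: GitHub's schedule trigger uses POSIX cron syntax, where a restricted day-of-month and a restricted day-of-week are matched with OR, so an expression such as `0 9 22-28 * 4` fires on every 22nd through 28th and on every Thursday. Either confirm that the `on.schedule` expression restricts only one of those fields, or keep a small date check in the job so the removal is truly redundant.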
Were you removing this because in CRON you trust?
Yup. Was this because something went bad?
Summary

persist-credentials: false and permissions blocks

Test plan