chore(tools): integrate ratchet for GitHub Actions pinning#19818
Conversation
Hey - I've found 1 issue, and left some high level feedback:
- The ratchet lint command only targets `.github/workflows/*.y(a)ml`; if you also keep reusable workflows or actions definitions in subdirectories (e.g. `.github/workflows/**` or `.github/actions/**`), consider broadening the glob so those files are checked as well.
- Wiring `github-actions-pin-check` into the `style-slim` target means it will run on every style invocation; if that's heavier or slower than desired for local dev, consider a separate target or a feature flag/variable to make it opt-in outside CI.
## Individual Comments
### Comment 1
<location path=".github/workflows/style.yaml" line_range="305-312" />
<code_context>
- name: Check scripts with shellcheck
run: shellcheck -P SCRIPTDIR -x ./.github/workflows/scripts/*.sh
+ github-actions-pin-check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - uses: ./.github/actions/job-preamble
+ with:
+ gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
+ - uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
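Review bot: the `gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}` input hands a GCP service-account secret to a job whose only work is running ratchet over workflow files; unless `./.github/actions/job-preamble` actually needs those credentials for a lint run, drop the `with:` block here so the secret is not exposed to this job at all (least privilege, and one fewer job whose logs or steps could leak it). While touching these lines, note that `actions/checkout@v6` and `actions/setup-go@v6` are the tag refs the new check will flag, so pin them to commit SHAs (keeping the tag in a trailing comment) before this job is expected to pass on its own workflow.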
</code_context>
<issue_to_address>
**🚨 issue (security):** The new pin-check job itself uses tag-based action refs, which may conflict with the intended ratchet policy and cause self-failures.
Because this job runs ratchet with `-format actions`, these `uses: actions/checkout@v6` and `uses: actions/setup-go@v6` lines may be flagged as insufficiently pinned if the policy requires commit SHAs, causing the job to fail on its own workflow. Either pin these actions to specific SHAs (and manage updates via ratchet), or relax the policy to allow major/minor tags for this workflow.
</issue_to_address>
Summary by CodeRabbit
Walkthrough: A new GitHub Actions workflow validation feature is added using the Ratchet tool to lint and pin GitHub Actions to specific versions. This includes a CI job, Make target, and tool dependencies across workflow configuration and linter tooling files.
Actionable comments posted: 1
In `.github/workflows/style.yaml`, around lines 305-318: the new job `github-actions-pin-check` was added but not included in the `needs` list for `slack-on-style-failure`, so its failures won't trigger Slack notifications; update the `slack-on-style-failure` job's `needs` array to include `github-actions-pin-check` (alongside the existing entries) so the Slack job depends on and runs after the new `github-actions-pin-check` job.
Files ignored due to path filters (1): `tools/linters/go.sum` is excluded by `!**/*.sum`
Files selected for processing (4): `.github/workflows/style.yaml`, `Makefile`, `tools/linters/go.mod`, `tools/linters/tools-import.go`
Codecov Report: All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##           master   #19818   +/-   ##
=======================================
  Coverage   49.60%   49.60%
=======================================
  Files        2763     2763
  Lines      208271   208271
=======================================
  Hits       103309   103309
  Misses      97294    97294
  Partials     7668     7668

Flags with carried forward coverage won't be shown.
Build Images Ready: images are ready for commit e58415c. To use with deploy scripts: `export MAIN_IMAGE_TAG=4.11.x-557-ge58415cb81`
User request: integrate ratchet tool (github.com/sethvargo/ratchet) into lint checks to enforce SHA-based pinning of GitHub Actions references.

Changes:
- Added ratchet v0.10.0 to tools/linters module
- Registered ratchet binary in Makefile
- Added github-actions-pin-check target to style-slim
- Added github-actions-pin-check CI job to style workflow

Ratchet will be automatically updated by dependabot (weekly updates of tools/linters). The check currently fails with 43 unpinned refs, which is expected until actions are pinned in a follow-up PR.

Partially generated with AI assistance.
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Pin all GitHub Actions references to SHA digests and container images to SHA256 digests to prevent supply chain attacks via compromised or moved tags. Formatting is preserved - only action/image references are modified.

Changes:
- 249 GitHub Actions pinned to SHA digests
- 21 container images pinned to SHA256 digests
- 43 files changed, 270 lines modified
- Original version tags preserved in comments

Pinned using custom script based on ratchet v0.11.4 output to preserve original YAML formatting (no indentation changes).

Partially generated with AI assistance.
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
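The two halves of what this PR sets up, the lint that flags `uses:` references not pinned to a commit SHA (the policy the review comment above says the new job will trip over) and the text-level rewrite the second commit message describes (pin tag refs to SHAs, keep indentation, record the original tag in a trailing comment), as an added example. This is not the PR's script and not ratchet's code; the sample workflow, the `example/action` SHA line and the `RESOLVED_SHAS` map are constructed (the SHAs are obvious placeholders, not real commits), and container images (`docker://`) are deliberately left out because the PR pins those by image digest, a separate step.

```python
import re

# Added example (not the PR's own script nor ratchet code). Mirrors two things the
# PR relies on: a lint that reports `uses:` refs not pinned to a commit SHA, and a
# rewrite that pins tag refs to SHAs while preserving indentation and recording the
# original tag in a trailing comment. The SHA map below is a constructed placeholder.

# Matches a `uses:` line: indent (with optional list dash), action path, ref, and
# whatever follows (typically nothing, or an existing `# comment`).
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*)uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_remote_action(action: str) -> bool:
    """Only remote repository actions are subject to SHA pinning in this example.
    Local actions (./path) carry no ref; docker:// images are pinned by image
    digest instead, which this example does not cover."""
    return not action.startswith(("./", "docker://"))


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, action, ref) for each remote action whose ref is not a
    full 40-hex commit SHA. This is the policy the PR's ratchet lint step enforces."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or not is_remote_action(m["action"]):
            continue
        if not FULL_SHA_RE.match(m["ref"]):
            findings.append((line_no, m["action"], m["ref"]))
    return findings


def pin_workflow(workflow_text: str, resolved: dict[str, str]) -> tuple[str, int, list[str]]:
    """Rewrite tag refs to SHAs taken from `resolved` ("owner/repo@tag" -> sha).

    Returns (new_text, pinned_count, unresolved_refs). Lines are edited as text, so
    YAML indentation, key order and unrelated comments are untouched; the original
    tag is kept as a `# tag` comment so reviewers can still read the intended
    version and a later update can bump it. Refs with no resolution are reported
    rather than guessed."""
    out, pinned, unresolved = [], 0, []
    for line in workflow_text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        newline = line[len(stripped):]
        m = USES_RE.match(stripped)
        if not m or not is_remote_action(m["action"]) or FULL_SHA_RE.match(m["ref"]):
            out.append(line)  # not a remote action, or already SHA-pinned: keep verbatim
            continue
        key = f"{m['action']}@{m['ref']}"
        sha = resolved.get(key)
        if sha is None or not FULL_SHA_RE.match(sha):
            unresolved.append(key)
            out.append(line)
            continue
        rest = m["rest"]
        comment = "" if "#" in rest else f" # {m['ref']}"  # keep an existing comment as-is
        out.append(f"{m['indent']}uses: {m['action']}@{sha}{comment}{rest}{newline}")
        pinned += 1
    return "".join(out), pinned, unresolved


# Constructed sample workflow: the two tag refs match the PR's own job; the
# example/action line is made up to show an already-pinned ref being left alone.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: ./.github/actions/job-preamble
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
      - uses: example/action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
"""

# Placeholder SHAs (not real commits). In practice these come from ratchet's
# output or from resolving the tag against the action repository.
RESOLVED_SHAS = {
    "actions/checkout@v6": "a" * 40,
    "actions/setup-go@v6": "b" * 40,
}

if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    pinned_text, count, unresolved = pin_workflow(SAMPLE_WORKFLOW, RESOLVED_SHAS)
    print(f"pinned {count} ref(s); unresolved: {unresolved}")
    print(pinned_text)
```

Running it on the sample reports the two `@v6` refs, rewrites them with the tag preserved in a comment, and leaves the local action and the already-pinned line byte-for-byte unchanged; a second `find_unpinned` pass over the rewritten text comes back empty, which is the state the follow-up pinning commit is aiming for.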
Description
Add ratchet to lint our workflows and fix pin actions.
User-facing documentation
Testing and quality
Automated testing
How I validated my change
CI