ci: pin workflow actions to digests, add CodeQL, optimize Renovate config#70
Merged
…nfig Pin every GitHub Actions reference in the workflows to a full-length commit SHA (supply-chain hardening). Add a CodeQL code-scanning workflow. Optimize Renovate with per-ecosystem grouping (Actions, Python, containers/charts) and osvVulnerabilityAlerts. https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF
Pull request overview
This PR hardens CI supply-chain security and dependency hygiene by SHA-pinning GitHub Actions, introducing a dedicated CodeQL workflow, and refining Renovate’s update grouping and vulnerability alert settings.
Changes:
- Pin `uses:` references in existing workflows (lint/eval/test/security/release) to full commit SHAs with version comments for Renovate tracking.
- Add a new `.github/workflows/codeql.yml` workflow to run CodeQL on pushes/PRs to `main` and on a weekly schedule.
- Update `renovate.json5` to enable OSV alerts, keep vulnerability alert labeling, and group updates by ecosystem/manager.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| renovate.json5 | Adjusts Renovate limits and adds per-ecosystem grouping + OSV vulnerability alerts. |
| .github/workflows/test.yml | Pins actions/checkout and actions/setup-python to commit SHAs. |
| .github/workflows/security.yml | Pins actions/checkout and actions/download-artifact to commit SHAs. |
| .github/workflows/release.yml | Pins Docker, Cosign, and provenance actions to commit SHAs. |
| .github/workflows/lint.yml | Pins checkout/setup-python/helm/markdownlint actions to commit SHAs. |
| .github/workflows/eval.yml | Pins checkout/setup-python and artifact upload actions to commit SHAs. |
| .github/workflows/codeql.yml | Adds CodeQL scanning workflow with SHA-pinned CodeQL actions. |
| contents: read | ||
| steps: | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 | ||
| - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 |
| with: | ||
| languages: python | ||
| queries: security-extended | ||
| - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4 |
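Review bot: the `permissions:` block visible in this excerpt ends with `contents: read`, but `github/codeql-action/analyze` uploads SARIF results to code scanning and needs `security-events: write` (plus `actions: read` on private repositories); unless that grant is declared above the excerpt, the analyze step will fail at upload time. Pinning `init` and `analyze` to the same digest is the right call, since the two halves of the action must stay in lockstep.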
The added advanced CodeQL workflow failed with a CodeQL configuration error: this repository already has CodeQL default setup enabled, and advanced + default setup cannot coexist. Default setup already provides code scanning, so the redundant workflow is removed. https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF
Add matchUpdateTypes so major image/chart bumps stay separate from routine updates, consistent with the other per-ecosystem groups. https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF
What
- `uses:` across `lint`, `eval`, `release`, `security`, and `test` workflows (a supply-chain gap; the rest of the fleet is fully pinned). Each is now pinned to the commit the tag resolved to, with a `# vX` comment so Renovate can keep them current. SHAs were resolved authoritatively via `git ls-remote` against each upstream action, or reused from already-vetted pins elsewhere in the fleet.
- `.github/workflows/codeql.yml` (CodeQL code scanning; the existing `security.yml` covers SBOM + CVE scan + Trivy + TruffleHog but not CodeQL).
- `renovate.json5`: per-ecosystem grouping (GitHub Actions, Python, containers/charts) and `osvVulnerabilityAlerts`. `config:best-practices` retained, so `helpers:pinGitHubActionDigests` keeps the new pins current.
Validation
- `renovate-config-validator` passes. All workflow YAML parse-checked; every `uses:` is now SHA-pinned (verified 0 remaining). Pinned lines stay within the repo's `yamllint` 120-char limit.
https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF
Generated by Claude Code
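One way to automate the "every `uses:` is SHA-pinned, 0 remaining" check described in the Validation section, as an added example that is not the PR's own tooling (the sample workflow text is constructed; local `./` and `docker://` refs are skipped because they are not pinned by commit SHA):

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full
40-hex commit SHA, or that lack the `# vX` comment Renovate needs to keep
the pin current. Added example; the sample workflow below is constructed."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref  # comment` and captures ref + comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")


def check_uses(workflow_text: str) -> list[str]:
    """Return one finding per offending `uses:` line (empty list = clean)."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1).strip("\"'"), m.group(2)
        if ref.startswith(("./", "docker://")):
            continue  # local composite action or image ref: out of scope
        if "@" not in ref:
            findings.append(f"line {n}: {ref} has no ref at all")
            continue
        action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            # Tags and branches are mutable: an upstream force-push or a
            # compromised maintainer account can change what runs.
            findings.append(f"line {n}: {action} pinned to mutable ref {version!r}")
        elif not comment or not re.match(r"#\s*v\d", comment):
            findings.append(f"line {n}: {action} has no '# vX' comment for Renovate")
    return findings


# Constructed sample: a correct pin, a tag, a SHA with no comment, and two skipped refs.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - uses: actions/setup-python@v5
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for finding in check_uses(SAMPLE):
        print(finding)
```

Run it over each file under `.github/workflows/` and fail CI on any non-empty result to keep the "0 remaining" guarantee from regressing.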