
ci: pin workflow actions to digests, add CodeQL, optimize Renovate config #70

Merged: rmednitzer merged 3 commits into main from claude/cool-wozniak-h14ny on Jun 4, 2026

Conversation

@rmednitzer


What

  • Pin every GitHub Actions reference to a full-length commit SHA. This repo had ~39 unpinned uses: across lint, eval, release, security, and test workflows (a supply-chain gap; the rest of the fleet is fully pinned). Each is now pinned to the commit the tag resolved to, with a # vX comment so Renovate can keep them current. SHAs were resolved authoritatively via git ls-remote against each upstream action, or reused from already-vetted pins elsewhere in the fleet.
  • Add .github/workflows/codeql.yml (CodeQL code scanning; the existing security.yml covers SBOM + CVE scan + Trivy + TruffleHog but not CodeQL).
  • Renovate (renovate.json5): per-ecosystem grouping (GitHub Actions, Python, containers/charts) and osvVulnerabilityAlerts. config:best-practices retained, so helpers:pinGitHubActionDigests keeps the new pins current.

Validation

renovate-config-validator passes. All workflow YAML parse-checked; every uses: is now SHA-pinned (verified 0 remaining). Pinned lines stay within the repo's yamllint 120-char limit.

https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF


Generated by Claude Code
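The "verified 0 remaining" check from the description, as an added example that is not code from this repository or the PR: a Python audit that flags `uses:` references whose version is not a 40-hex commit SHA, and SHA-pinned references that lack the `# vX` comment Renovate's digest pinning uses to know which tag a SHA stands for. The sample workflow text is constructed.

```python
"""Audit workflow text for `uses:` references not pinned to a full commit SHA.
Added example, not code from the repository."""
import re

# One step reference, e.g. `- uses: actions/checkout@<ref>  # v6`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(\S*))?")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def classify_uses(ref: str) -> str:
    """Return 'pinned', 'unpinned' or 'skipped' for one `uses:` value."""
    if ref.startswith(("./", "docker://")):
        return "skipped"  # local actions and docker images: not tag-to-SHA pinnable
    if "@" not in ref:
        return "unpinned"  # no version at all: floats with the default branch
    version = ref.rpartition("@")[2]
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"

def audit_workflow(text: str) -> dict[str, list[tuple[int, str]]]:
    """Return unpinned refs, plus SHA-pinned refs lacking the `# vX` comment that
    Renovate's digest pinning uses to know which tag a SHA stands for."""
    report: dict[str, list[tuple[int, str]]] = {"unpinned": [], "missing_comment": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_uses(ref)
        if kind == "unpinned":
            report["unpinned"].append((lineno, ref))
        elif kind == "pinned" and not comment:
            report["missing_comment"].append((lineno, ref))
    return report

# Constructed sample; the two SHAs are the ones quoted in the review thread below.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
"""

if __name__ == "__main__":
    for key, hits in audit_workflow(SAMPLE_WORKFLOW).items():
        for lineno, ref in hits:
            print(f"line {lineno}: {key}: {ref}")
```

Run it over `.github/workflows/*.yml` by passing each file's text to `audit_workflow`; a non-empty `unpinned` list is the failure condition the description says should now be empty.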

…nfig

Pin every GitHub Actions reference in the workflows to a full-length commit SHA (supply-chain hardening). Add a CodeQL code-scanning workflow. Optimize Renovate with per-ecosystem grouping (Actions, Python, containers/charts) and osvVulnerabilityAlerts.

https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF
Copilot AI review requested due to automatic review settings June 4, 2026 12:25

Copilot AI left a comment


Pull request overview

This PR hardens CI supply-chain security and dependency hygiene by SHA-pinning GitHub Actions, introducing a dedicated CodeQL workflow, and refining Renovate’s update grouping and vulnerability alert settings.

Changes:

  • Pin uses: references in existing workflows (lint/eval/test/security/release) to full commit SHAs with version comments for Renovate tracking.
  • Add a new .github/workflows/codeql.yml workflow to run CodeQL on pushes/PRs to main and on a weekly schedule.
  • Update renovate.json5 to enable OSV alerts, keep vulnerability alert labeling, and group updates by ecosystem/manager.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Summary per file:

  • renovate.json5: Adjusts Renovate limits and adds per-ecosystem grouping + OSV vulnerability alerts.
  • .github/workflows/test.yml: Pins actions/checkout and actions/setup-python to commit SHAs.
  • .github/workflows/security.yml: Pins actions/checkout and actions/download-artifact to commit SHAs.
  • .github/workflows/release.yml: Pins Docker, Cosign, and provenance actions to commit SHAs.
  • .github/workflows/lint.yml: Pins checkout/setup-python/helm/markdownlint actions to commit SHAs.
  • .github/workflows/eval.yml: Pins checkout/setup-python and artifact upload actions to commit SHAs.
  • .github/workflows/codeql.yml: Adds CodeQL scanning workflow with SHA-pinned CodeQL actions.

Comment thread on .github/workflows/codeql.yml (Outdated)

      contents: read
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
      - uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4

Comment thread on .github/workflows/codeql.yml (Outdated)

        with:
          languages: python
          queries: security-extended
      - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4

The added advanced CodeQL workflow failed with a CodeQL configuration error: this repository already has CodeQL default setup enabled, and advanced + default setup cannot coexist. Default setup already provides code scanning, so the redundant workflow is removed.

https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF
Add matchUpdateTypes so major image/chart bumps stay separate from routine updates, consistent with the other per-ecosystem groups.

https://claude.ai/code/session_01T9fVNb8hxqQctC8A7krAtF
@rmednitzer rmednitzer merged commit 71ab191 into main Jun 4, 2026
21 checks passed
@rmednitzer rmednitzer deleted the claude/cool-wozniak-h14ny branch June 4, 2026 12:44
