QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-06-01 16:59:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(ci): pin GitHub Actions to commit SHAs (#1811) (#1870)

Browse Source 
* chore(ci): pin GitHub Actions to commit SHAs (#1811)

Follow-up to #1810. The Node-24 upgrade left every workflow on mutable
tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.)
which superagent-security[bot] flagged on the ci.yml + publish.yml
reviews.

Pin all 18 external actions to the commit SHA they currently resolve to
and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see
the version. Local reusable-workflow refs (`uses: ./.github/...`) are
left alone — pinning those would defeat the point.

Closes #1811

* chore(ci): address review — persist-credentials + setup-node consistency (#1811)

Two pieces of follow-up feedback on the SHA-pinning PR:

- @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials:
  false' to checkout steps in jobs that don't perform authenticated git
  operations. Adds the line to 17 read-only checkouts across 9
  workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight,
  llm-evals, preview-cleanup, preview-deploy, publish:build).
  Checkouts inside jobs that 'git push' (chart-release, mobile-build,
  mobile-release, helm-publish:second-checkout, publish:bump-pre_release)
  are intentionally left alone so they keep their token.

- @jjmata: preview-deploy.yml was the only workflow on
  actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise
  on v5.0.0 to match.

Dependabot config already has a github-actions ecosystem entry with a
weekly schedule, so no addition needed for that point.

* chore(ci): document intentional setup-node v6→5 normalization (#1811)

@superagent-security flagged the v6.4.0 -> v5.0.0 change in
preview-deploy.yml as a possible unintended downgrade. The downgrade
was deliberate, per @jjmata's review request to normalize setup-node
across all workflows. Add an inline YAML comment next to the line so
future scans don't re-flag it.

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
This commit is contained in:
Jeff
2026-05-30 14:35:19 -07:00
committed by GitHub
parent f7df709e6d
commit 956c27df6b
14 changed files with 104 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
.github/workflows/publish.yml vendored
View File

@@ -73,15 +73,16 @@ jobs:
steps:
- name: Check out the repo
uses: actions/checkout@v5
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
persist-credentials: false
ref: ${{ github.event.inputs.ref || github.ref }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Log in to the container registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
@@ -118,7 +119,7 @@ jobs:
- name: Extract metadata for Docker
id: meta
uses: docker/metadata-action@v6
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
flavor: latest=false
@@ -132,7 +133,7 @@ jobs:
org.opencontainers.image.description=A multi-arch Docker image for the Sure Rails app
- name: Publish 'linux/${{ matrix.platform }}' image by digest
uses: docker/build-push-action@v7
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
id: build
with:
context: .
@@ -158,7 +159,7 @@ jobs:
- name: Upload the Docker image digest
if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') || github.event_name == 'schedule' || github.event.inputs.push }}
uses: actions/upload-artifact@v6
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: digest-${{ matrix.platform }}
path: ${{ runner.temp }}/digests/*
@@ -178,17 +179,17 @@ jobs:
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
- name: Download Docker image digests
uses: actions/download-artifact@v7
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
path: ${{ runner.temp }}/digests
pattern: digest-*
merge-multiple: true
- name: Log in to the container registry
uses: docker/login-action@v4
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
@@ -275,19 +276,19 @@ jobs:
steps:
- name: Download Android APK artifact
uses: actions/download-artifact@v7
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: app-release-apk
path: ${{ runner.temp }}/mobile-artifacts
- name: Download iOS build artifact
uses: actions/download-artifact@v7
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: ios-build-unsigned
path: ${{ runner.temp }}/ios-build
- name: Download Helm chart artifact
uses: actions/download-artifact@v7
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
name: helm-chart-package
path: ${{ runner.temp }}/helm-artifacts
@@ -338,7 +339,7 @@ jobs:
ls -la "${{ runner.temp }}/release-assets/"
- name: Create GitHub Release
uses: softprops/action-gh-release@v3
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
with:
tag_name: ${{ github.ref_name }}
name: ${{ github.ref_name }}
@@ -425,7 +426,7 @@ jobs:
echo "branch=$SOURCE_BRANCH" >> $GITHUB_OUTPUT
- name: Check out source branch
uses: actions/checkout@v5
uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
ref: ${{ steps.source_branch.outputs.branch }}
token: ${{ github.token }}