Skip to content

security: pin GitHub Actions to commit hashes and fix deprecated actions #73

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alikahwaji merged 1 commit into from
Sep 1, 2025
Merged

security: pin GitHub Actions to commit hashes and fix deprecated actions #73

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 16 additions & 9 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,22 +39,27 @@ jobs:
with:
egress-policy: audit

- name: ⬇️ Checkout code
uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
with:
persist-credentials: false
fetch-depth: 1

- name: 🟢 Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
registry-url: https://registry.npmjs.org/
cache-dependency-path: package-lock.json

- name: 📦 Install dependencies
run: npm ci
- name: Clear npm cache
run: npm cache clean --force
shell: bash

- name: Install dependencies
run: |
npm ci --no-optional --no-audit --prefer-offline
shell: bash

- name: 🧹 Lint
Expand All @@ -68,14 +73,14 @@ jobs:

- name: Upload JUnit
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: junit
path: junit.xml

- name: Upload coverage
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: coverage
path: coverage
Expand All @@ -85,21 +90,23 @@ jobs:
if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
timeout-minutes: 5
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit

- name: Download coverage
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: coverage
path: coverage
continue-on-error: true

- name: Upload to Codecov
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
with:
token: ${{ secrets.CODECOV_TOKEN }}
fail_ci_if_error: false
54 changes: 27 additions & 27 deletions .github/workflows/comprehensive-testing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,9 +52,9 @@
cache-key: ${{ steps.cache-key.outputs.key }}
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
Expand All @@ -67,7 +67,7 @@
echo "key=node-modules-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}" >> "$GITHUB_OUTPUT"
shell: bash
- name: Cache dependencies
uses: actions/cache@v4
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/.npm
key: ${{ steps.cache-key.outputs.key }}
Expand Down Expand Up @@ -114,9 +114,9 @@
- 22
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ matrix.node-version }}
cache: npm
Expand All @@ -133,15 +133,15 @@
npm run test:unit:coverage
shell: bash
- name: Upload coverage reports
uses: codecov/codecov-action@v4
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
if: matrix.node-version == 20
with:
file: ./coverage/lcov.info
flags: unit-tests
name: unit-tests-coverage
- name: Upload failure logs
if: failure()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: unit-test-failure-logs-${{ matrix.node-version }}-${{ github.run_number }}
path: |
Expand Down Expand Up @@ -173,9 +173,9 @@
- "6379:6379"
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
Expand All @@ -201,7 +201,7 @@
npm run test:integration:coverage
shell: bash
- name: Upload integration test results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: integration-test-results
Expand All @@ -221,9 +221,9 @@
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
Expand All @@ -240,7 +240,7 @@
npm run benchmark:cpu
shell: bash
- name: Upload performance results
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: performance-results
Expand All @@ -255,9 +255,9 @@
if: contains(fromJson(needs.setup.outputs.test-matrix), 'security')
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
Expand All @@ -281,7 +281,7 @@
npm audit --audit-level=moderate --json > audit-results.json || true
shell: bash
- name: Upload security results
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: security-test-results
Expand All @@ -297,9 +297,9 @@
if: contains(fromJson(needs.setup.outputs.test-matrix), 'property-based')
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
Expand All @@ -317,7 +317,7 @@
PROPERTY_TESTING: true
shell: bash
- name: Upload property test results
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: property-test-results
Expand All @@ -341,9 +341,9 @@
- 22
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ matrix.node-version }}
cache: npm
Expand All @@ -352,7 +352,7 @@
run: npm ci
shell: bash
- name: Run compatibility tests
run: |

Check failure on line 355 in .github/workflows/comprehensive-testing.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2140:warning:3:117: Word is of the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"? [shellcheck]

Raw Output:
.github/workflows/comprehensive-testing.yml:355:9: shellcheck reported issue in this script: SC2140:warning:3:117: Word is of the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"? [shellcheck]
set -e
set -o pipefail
npm test -- --testPathPattern="__tests__/compatibility" --json --outputFile=compatibility-results-"${{ matrix.os }}"-"${{ matrix.node-version }}".json
Expand All @@ -360,7 +360,7 @@
NODE_ENV: test
shell: bash
- name: Upload compatibility results
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
if: always()
with:
name: compatibility-test-results-${{ matrix.os }}-${{ matrix.node-version }}
Expand All @@ -378,12 +378,12 @@
- security-tests
- property-based-tests
- compatibility-tests
if: always() && (github.event.inputs.generate_reports == 'true' || github.event.inputs.generate_reports == '')

Check failure on line 381 in .github/workflows/comprehensive-testing.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
property "generate_reports" is not defined in object type {test_suite: string} [expression]

Raw Output:
.github/workflows/comprehensive-testing.yml:381:72: property "generate_reports" is not defined in object type {test_suite: string} [expression]

Check failure on line 381 in .github/workflows/comprehensive-testing.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
property "generate_reports" is not defined in object type {test_suite: string} [expression]

Raw Output:
.github/workflows/comprehensive-testing.yml:381:22: property "generate_reports" is not defined in object type {test_suite: string} [expression]
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
Expand All @@ -392,7 +392,7 @@
run: npm ci
shell: bash
- name: Download all test artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
path: test-artifacts
- name: Generate comprehensive test report
Expand All @@ -408,7 +408,7 @@
GITHUB_REF: "\"${{ github.ref }}\""
shell: bash
- name: Upload HTML reports
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: test-reports-html
path: test-reports/
Expand Down Expand Up @@ -491,7 +491,7 @@
});
- name: Slack notification
if: failure() && github.ref == 'refs/heads/main'
uses: 8398a7/action-slack@28ba43ae48961b90ced0e7aac97fc847a4ab1666
uses: 8398a7/action-slack@v3
with:
status: failure
channel: "#dev-alerts"
Expand Down
35 changes: 20 additions & 15 deletions .github/workflows/contract-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,9 @@
- src/contracts/**
- src/plugins/**
- package.json
paths-ignore:
- docs/**
- "*.md"
- .github/ISSUE_TEMPLATE/**
- "!docs/**"
- "!*.md"
- "!.github/ISSUE_TEMPLATE/**"
pull_request:
branches:
- main
Expand All @@ -20,10 +19,9 @@
- src/contracts/**
- src/plugins/**
- package.json
paths-ignore:
- docs/**
- "*.md"
- .github/ISSUE_TEMPLATE/**
- "!docs/**"
- "!*.md"
- "!.github/ISSUE_TEMPLATE/**"
workflow_dispatch:
inputs:
validation_type:
Expand Down Expand Up @@ -55,17 +53,21 @@
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v4
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: ${{ env.NODE_VERSION }}
cache: npm
cache-dependency-path: package-lock.json
- name: Clear npm cache
run: npm cache clean --force
shell: bash
- name: Install dependencies
run: npm ci
run: |
npm ci --no-optional --no-audit --prefer-offline
shell: bash
- name: Run contract schema validation tests
run: |
Expand All @@ -74,7 +76,7 @@
npm test -- __tests__/ci/contract-schema-validation.test.js --verbose
shell: bash
- name: Generate contract validation report
run: |

Check failure on line 79 in .github/workflows/contract-validation.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2046:warning:38:37: Quote this to prevent word splitting [shellcheck]

Raw Output:
.github/workflows/contract-validation.yml:79:9: shellcheck reported issue in this script: SC2046:warning:38:37: Quote this to prevent word splitting [shellcheck]

Check failure on line 79 in .github/workflows/contract-validation.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2027:warning:38:37: The surrounding quotes actually unquote this. Remove or escape them [shellcheck]

Raw Output:
.github/workflows/contract-validation.yml:79:9: shellcheck reported issue in this script: SC2027:warning:38:37: The surrounding quotes actually unquote this. Remove or escape them [shellcheck]

Check failure on line 79 in .github/workflows/contract-validation.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2129:style:4:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]

Raw Output:
.github/workflows/contract-validation.yml:79:9: shellcheck reported issue in this script: SC2129:style:4:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
set -e
set -o pipefail
echo "# Contract Validation Report" > contract-validation-report.md
Expand Down Expand Up @@ -124,7 +126,7 @@
fi
shell: bash
- name: Upload validation report
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: contract-validation-report
path: contract-validation-report.md
Expand All @@ -139,14 +141,17 @@
with:
path: current
- name: Checkout base branch
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ github.base_ref || 'main' }}
path: base
- name: Setup Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: "20"
- name: Clear npm cache
run: npm cache clean --force
shell: bash
- name: Install dependencies
run: |
set -e
Expand All @@ -155,7 +160,7 @@
cd ../base && npm ci
shell: bash
- name: Compare contract versions
run: |

Check failure on line 163 in .github/workflows/contract-validation.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2034:warning:24:7: version_comparison appears unused. Verify use (or export if used externally) [shellcheck]

Raw Output:
.github/workflows/contract-validation.yml:163:9: shellcheck reported issue in this script: SC2034:warning:24:7: version_comparison appears unused. Verify use (or export if used externally) [shellcheck]
set -e
set -o pipefail
echo "🔍 Checking for breaking changes in plugin contracts..."
Expand Down Expand Up @@ -240,7 +245,7 @@
shell: bash
- name: Comment on PR with breaking change analysis
if: github.event_name == 'pull_request' && failure()
uses: actions/github-script@35b1cdd1b2c1fc704b1cd442536d6e4b28b2ba4e
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const comment = `## 🚨 Breaking Changes Detected
Expand Down Expand Up @@ -286,7 +291,7 @@
run: npm ci
shell: bash
- name: Generate contract documentation
run: |

Check failure on line 294 in .github/workflows/contract-validation.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2046:warning:26:16: Quote this to prevent word splitting [shellcheck]

Raw Output:
.github/workflows/contract-validation.yml:294:9: shellcheck reported issue in this script: SC2046:warning:26:16: Quote this to prevent word splitting [shellcheck]

Check failure on line 294 in .github/workflows/contract-validation.yml

View workflow job for this annotation

GitHub Actions / lint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2285:error:26:7: Remove spaces around += to assign (or quote '+=' if literal) [shellcheck]

Raw Output:
.github/workflows/contract-validation.yml:294:9: shellcheck reported issue in this script: SC2285:error:26:7: Remove spaces around += to assign (or quote '+=' if literal) [shellcheck]
set -e
set -o pipefail
mkdir -p docs/contracts
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/deploy-production.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -350,7 +350,7 @@ jobs:
done
- name: Send deployment notification
if: always()
uses: 8398a7/action-slack@28ba43ae48961b90ced0e3a2b7f9a3b3fb92dd30
uses: 8398a7/action-slack@v3
with:
status: ${{ job.status }}
channel: "#deployments"
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/docs-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@ jobs:
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: 20
cache: npm
Expand All @@ -40,7 +40,7 @@ jobs:
npm ci
npm run build
- name: Upload artifact
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
path: docs-site/build

Expand Down
Loading
Loading