
fix(go-security): pin external actions and add github-actions label#287

Merged
bedatty merged 4 commits into develop from fix/go-security-pin-actions
Apr 27, 2026

Conversation


@bedatty bedatty commented Apr 27, 2026

Lerian

GitHub Actions Shared Workflows


Description

Resolves the Pinned Actions lint failures reported on PR #284 by replacing version-tag and floating refs with full commit SHAs (with # vX.Y.Z comments) in .github/workflows/go-security.yml. Also adds the missing github-actions label to .github/labels.yml so Dependabot can apply it as configured in dependabot.yml (label sync runs via .github/workflows/labels-sync.yml).

Affected files:

  • .github/workflows/go-security.yml — pinned 10 external action references flagged by the lint check (actions/checkout, actions/setup-go, actions/dependency-review-action, github/codeql-action/upload-sarif, securego/gosec).
  • .github/labels.yml — declared the github-actions label (color #2088FF).

Type of Change

  • fix: Bug fix in a workflow (incorrect behavior, broken step, wrong condition)
  • feat: New workflow or new input/output/step in an existing workflow
  • perf: Performance improvement (e.g. caching, parallelism, reduced steps)
  • refactor: Internal restructuring with no behavior change
  • docs: Documentation only (README, docs/, inline comments)
  • ci: Changes to self-CI (workflows under .github/workflows/ that run on this repo)
  • chore: Dependency bumps, config updates, maintenance
  • test: Adding or updating tests
  • BREAKING CHANGE: Callers must update their configuration after this PR

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Triggered a real workflow run on a caller repository using @develop or the beta tag
  • Verified all existing inputs still work with default values
  • Confirmed no secrets or tokens are printed in logs
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: will be validated by the self-PR validation run on this PR

Related Issues

Refs #284

Summary by CodeRabbit

  • Chores
    • Added a repository label to track GitHub Actions dependency updates, enabling clearer change categorization in the project.
    • Pinned multiple GitHub Actions and security scanning tools to fixed revisions to improve build determinism and ensure consistent security scanning behavior across environments.

bedatty added 2 commits April 27, 2026 11:43
Resolves Pinned Actions lint failures by replacing version-tag and
floating refs with full commit SHAs (with version comments) for:
actions/checkout, actions/setup-go, actions/dependency-review-action,
github/codeql-action/upload-sarif, securego/gosec.
Dependabot fails to apply the github-actions label referenced in
.github/dependabot.yml because it does not exist in the repo. Defining
it here lets labels-sync.yml create it on next run.
@bedatty bedatty requested a review from a team as a code owner April 27, 2026 14:44
coderabbitai Bot commented Apr 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 50fcffd2-4ed5-43db-9e5d-aedeebde70d1

📥 Commits

Reviewing files that changed from the base of the PR and between ab77f9d and 8c4ccf9.

📒 Files selected for processing (1)
  • .github/workflows/go-security.yml

Walkthrough

Adds a new github-actions repository label and pins multiple GitHub Actions/security scanner steps in the Go security workflow to fixed commit SHAs to ensure deterministic action versions.

Changes

Cohort / File(s) | Summary
Repository labels (.github/labels.yml) | Added github-actions label with color: 2088FF and description "Updates to GitHub Actions dependencies (Dependabot ecosystem)".
Go security workflow (.github/workflows/go-security.yml) | Replaced floating action tags/branches with pinned commit SHAs/fixed versions for multiple steps (e.g., actions/checkout, actions/setup-go, actions/dependency-review-action, securego/gosec, github/codeql-action/upload-sarif, sonatype-nexus-community/nancy-github-action, aquasecurity/trivy-action, trufflesecurity/trufflehog, actions/upload-artifact, anchore/sbom-action). Only the uses: refs changed; step inputs/config unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | Title accurately summarizes the main changes: pinning external actions in go-security workflow and adding the github-actions label.
Description check | ✅ Passed | Description covers all required template sections with specific details about the changes, rationale, affected files, type of change, testing performed, and issue references.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


lerian-studio added the labels size/XS (PR changes < 50 lines), workflow (Changes to one or more reusable workflow files), security (Changes to security workflows or vulnerability reporting policy) and golang (Changes to Go-related workflows) on Apr 27, 2026

lerian-studio commented Apr 27, 2026

🛡️ CodeQL Analysis Results

Languages analyzed: actions

✅ No security issues found.




lerian-studio commented Apr 27, 2026

🔍 Lint Analysis

Check               | Files Scanned | Status
YAML Lint           | 2 file(s)     | ✅ success
Action Lint         | 1 file(s)     | ✅ success
Pinned Actions      | 1 file(s)     | ✅ success
Markdown Link Check | no changes    | ⏭️ skipped
Spelling Check      | 2 file(s)     | ✅ success
Shell Check         | 1 file(s)     | ✅ success
README Check        | 1 file(s)     | ✅ success
Composite Schema    | no changes    | ⏭️ skipped
Deployment Matrix   | no changes    | ⏭️ skipped


Pins the remaining external actions flagged by the Pinned Actions lint
check: actions/upload-artifact, anchore/sbom-action, trufflesecurity/trufflehog,
aquasecurity/trivy-action, and sonatype-nexus-community/nancy-github-action.
Also moves trivy-action off the floating 0.35.0 tag to v0.36.0.

@coderabbitai coderabbitai Bot left a comment


Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
.github/workflows/go-security.yml (3)

153-153: ⚠️ Potential issue | 🟠 Major

Pin nancy-github-action to commit SHA with version tag.

Line 153: sonatype-nexus-community/nancy-github-action@main must use a pinned commit SHA instead of the floating @main ref to satisfy the documented "Pinned Actions" requirement. Update to:

uses: sonatype-nexus-community/nancy-github-action@395e2fb168f674f96502e5652103d112899ea369 # v1.0.2
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/go-security.yml at line 153, Replace the floating GH
Action ref used in the workflow step that currently reads "uses:
sonatype-nexus-community/nancy-github-action@main" with the pinned commit SHA to
satisfy the pinned-actions requirement; update that "uses" entry to
"sonatype-nexus-community/nancy-github-action@395e2fb168f674f96502e5652103d112899ea369"
(optionally annotating the comment "# v1.0.2") so the action is no longer on the
floating main ref.

195-195: ⚠️ Potential issue | 🟠 Major

Pin trufflesecurity/trufflehog to commit SHA.

Line 195 uses trufflesecurity/trufflehog@main with a floating branch reference. This must be pinned to a commit SHA with a version comment to match the pattern established by other actions in the workflow (e.g., actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6).

Use: trufflesecurity/trufflehog@3fc0c2aa6648d54242e4af6fbfde0701796e4fb0 # main

Note: This workflow also contains other unpinned actions (actions/upload-artifact@v7, anchore/sbom-action@v0, aquasecurity/trivy-action@0.35.0, sonatype-nexus-community/nancy-github-action@main) that require the same treatment for consistency with the pinning requirements.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/go-security.yml at line 195, Replace the floating
reference trufflesecurity/trufflehog@main with the specific commit SHA provided
(trufflesecurity/trufflehog@3fc0c2aa6648d54242e4af6fbfde0701796e4fb0) and add a
trailing comment indicating the original branch/tag (e.g., "# main"); update the
workflow line that currently contains uses: trufflesecurity/trufflehog@main
accordingly. Also audit other action usages named actions/upload-artifact@v7,
anchore/sbom-action@v0, aquasecurity/trivy-action@0.35.0, and
sonatype-nexus-community/nancy-github-action@main and pin each to a fixed commit
SHA with a matching version comment to match the repository's pinning pattern.

230-230: ⚠️ Potential issue | 🟠 Major

Pin all external actions to commit SHAs to satisfy pinning requirements.

Six action references still use version tags instead of commit SHAs:

  • actions/upload-artifact@v7 (lines 230, 258) → pin to 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
  • anchore/sbom-action@v0 (line 252) → pin to e22c389904149dbc22b58101806040fa8d37a610 # v0
  • sonatype-nexus-community/nancy-github-action@main (line 153) → pin to 395e2fb168f674f96502e5652103d112899ea369 # main
  • trufflesecurity/trufflehog@main (line 195) → pin to 3fc0c2aa6648d54242e4af6fbfde0701796e4fb0 # main
  • aquasecurity/trivy-action@0.35.0 (line 168) → obtain SHA and pin (GitHub API access restricted; retrieve manually)

Per coding guidelines: "This reusable workflow pins every external action used by the job steps to a full commit SHA (with a matching # vX.Y.Z comment) instead of floating tags/branches."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/go-security.yml at line 230, Replace floating action refs
with pinned commit SHAs: change actions/upload-artifact@v7 to
actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0 (add comment "#
v7") in both occurrences, change anchore/sbom-action@v0 to
anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 ("# v0"), change
sonatype-nexus-community/nancy-github-action@main to
sonatype-nexus-community/nancy-github-action@395e2fb168f674f96502e5652103d112899ea369
("# main"), change trufflesecurity/trufflehog@main to
trufflesecurity/trufflehog@3fc0c2aa6648d54242e4af6fbfde0701796e4fb0 ("# main"),
and for aquasecurity/trivy-action@0.35.0 look up the corresponding commit SHA
from the repository (or GitHub API) and replace the tag with that full SHA and a
matching "# 0.35.0" comment; ensure every changed step uses the full commit SHA
instead of a tag/branch.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/go-security.yml:
- Line 168: Replace the floating action reference "uses:
aquasecurity/trivy-action@0.35.0" with a pinned commit SHA for that release and
add the version comment; specifically, look for the line containing
aquasecurity/trivy-action@0.35.0 and update it to use the full commit SHA for
v0.35.0 (e.g., aquasecurity/trivy-action@<commit-sha> # v0.35.0) so the workflow
is pinned like the other actions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 2ab25e35-2154-4313-8686-49b83ed96c31

📥 Commits

Reviewing files that changed from the base of the PR and between 3b0e643 and 2ef99c2.

📒 Files selected for processing (2)
  • .github/labels.yml
  • .github/workflows/go-security.yml

lerian-studio added the label size/S (PR changes 50–199 lines) and removed size/XS (PR changes < 50 lines) on Apr 27, 2026

@coderabbitai coderabbitai Bot left a comment


Warning

CodeRabbit couldn't request changes on this pull request because it doesn't have sufficient GitHub permissions.

Please grant CodeRabbit Pull requests: Read and write permission and re-run the review.


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/go-security.yml:
- Around line 79-82: The pinned SHA for actions/upload-artifact (commented as
v7) is incorrect — replace the current SHA
(bbbca2ddaa5d8feaa63e36b76fdaad77386f024f) with the commit matching v7
(043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) or change the version comment to
match the pinned SHA; locate the reference to actions/upload-artifact in the
workflow and update the SHA/comment accordingly. For aquasecurity/trivy-action
(pinned as ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0), note that
automated verification failed due to IP restrictions and perform a manual
verification of that pin (or update to a verified SHA/tag) in the workflow.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: ad3c314e-2546-4872-ae1c-7995917021d4

📥 Commits

Reviewing files that changed from the base of the PR and between 2ef99c2 and ab77f9d.

📒 Files selected for processing (1)
  • .github/workflows/go-security.yml

The SHA bbbca2dd... did not correspond to the v7 tag; replaces with
043fb46d... which matches v7.0.1 (verified via the actions/upload-artifact
git ref API).
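The pinning policy described in the PR description (every external uses: ref is a full 40-hex commit SHA with a "# vX.Y.Z" comment) and the pin/comment mismatch corrected in the commit above come down to two checks a reviewer wants to run locally: does each uses: line actually carry a commit SHA plus a version comment, and does the SHA you chose correspond to the tag's commit rather than to the annotated tag object. Annotated tags are the usual source of that mismatch: git ls-remote lists refs/tags/vN (the tag object) and refs/tags/vN^{} (the peeled commit), and pinning the first one yields a SHA that no release maps to. The script below is an added example, not code from the lerian-studio repository or this PR; the example/* action names, the ls-remote rows and every SHA other than the actions/checkout pin quoted on this page are constructed for illustration.

```python
"""Audit GitHub Actions `uses:` refs for full-SHA pinning and resolve tags to commits.

Added example (not code from the repository under review). All example/* actions,
the ls-remote rows and their SHAs are constructed; only the actions/checkout pin
is copied from the PR above.
"""
import re
from typing import List, NamedTuple, Optional

# "uses: owner/repo[/path]@ref" with an optional trailing "# comment".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    reason: str


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that violates full-SHA pinning."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # local actions (./path) carry no "@ref" and are not external
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("docker://"):
            continue  # container images are a digest-pinning question, out of scope here
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(line_no, action, ref,
                                    "floating ref (tag or branch), not a 40-hex commit SHA"))
        elif not comment:
            findings.append(Finding(line_no, action, ref,
                                    "SHA pin has no '# vX.Y.Z' comment naming the release"))
    return findings


def resolve_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Pick the *commit* SHA for `tag` from `git ls-remote --tags <url>` rows.

    An annotated tag is listed twice: refs/tags/<tag> is the tag object and
    refs/tags/<tag>^{} is the commit it points at. Pinning the tag-object SHA
    produces a pin whose "# vX" comment matches no commit, so the peeled row
    wins; a lightweight tag has only the plain row, which already is a commit.
    """
    plain = peeled = None
    for row in ls_remote_output.splitlines():
        sha, _, ref = row.strip().partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain


def pin_line(line: str, sha: str, version: str) -> str:
    """Rewrite a `uses:` line to `action@<sha> # <version>`, keeping its indentation."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.fullmatch(sha):
        raise ValueError("expected a 'uses:' line and a 40-hex commit SHA")
    return f"{line[:m.start('action')]}{m.group('action')}@{sha} # {version}"


# Constructed workflow fragment: one correct pin, two floating refs, one SHA
# without a version comment, one local action and one container image.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  - uses: example/scanner-action@main
  - uses: example/other-action@v2
  - uses: example/third-action@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local-step
  - uses: docker://ghcr.io/example/tool@sha256:deadbeef
"""

# Constructed `git ls-remote --tags` rows: v2 is annotated (tag object plus
# peeled commit), v2.0.1 is a lightweight tag.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v2\n"
    "2222222222222222222222222222222222222222\trefs/tags/v2^{}\n"
    "3333333333333333333333333333333333333333\trefs/tags/v2.0.1\n"
)

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
    commit = resolve_tag(SAMPLE_LS_REMOTE, "v2")
    print(pin_line("  - uses: example/other-action@v2", commit, "v2"))
```

For a real repository the rows come from git ls-remote --tags https://github.com/OWNER/REPO; feed that output to resolve_tag with the tag you intend to pin and the function returns the peeled commit, which is the value the "# vX.Y.Z" comment should describe. Two caveats a reviewer should keep in mind: a SHA pin removes the risk of a retagged release, but it does not pin whatever a composite action pulls in transitively, and the version comment is documentation only, so the lint check here (and the one the repository runs) has to verify the SHA, not the comment.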
@bedatty bedatty merged commit f0b3d5d into develop Apr 27, 2026
18 checks passed
@github-actions github-actions Bot deleted the fix/go-security-pin-actions branch April 27, 2026 15:05