derrix060 commented Mar 26, 2026
- Pin all 3rd party action references to commit SHAs (6 unpinned tag alerts)
- Move ${{ inputs.* }} from run: blocks to env: blocks to prevent code injection (10 injection alerts)
- Add persist-credentials: false to untrusted PR checkouts (2 alerts)
- Add accepted-risk comments on pre_build_script (intentionally executed)
Pull request overview
This PR aims to resolve GitHub code scanning alerts in reusable workflows by hardening GitHub Actions usage (pinning action refs, reducing injection risk, and tightening checkout credentials handling).
Changes:
- Pin third-party GitHub Actions `uses:` references to full commit SHAs (with version annotations).
- Reduce script-injection risk by routing `inputs.*` through `env:` in several `run:` steps.
- Add `persist-credentials: false` to selected `actions/checkout` steps and add accepted-risk notes for intentionally executed scripts.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| .github/workflows/release-please.yaml | Pin release-please action to a commit SHA. |
| .github/workflows/pre-commit.yaml | Pin checkout/setup actions and pre-commit action to SHAs. |
| .github/workflows/pre-commit-auth.yaml | Pin checkout/setup actions and pre-commit action to SHAs (auth variant). |
| .github/workflows/helm-chart-package.yaml | Pin checkout/setup-helm/sticky-comment actions; Trivy already pinned. |
| .github/workflows/docker-promote-jfrog.yaml | Move workflow inputs into env: for shell steps; pin JFrog CLI action to SHA. |
| .github/workflows/docker-promote-dockerhub.yaml | Move inputs.tags/source_tag into env: for promotion step. |
| .github/workflows/docker-build-push-jfrog.yaml | Add persist-credentials: false, route some inputs via env:, pin JFrog CLI action, add accepted-risk note. |
| .github/workflows/docker-build-push-dockerhub.yaml | Add persist-credentials: false, add accepted-risk note, annotate pinned internal build action. |
| .github/workflows/commitizen.yaml | Pin checkout and commitizen action to SHAs. |
- Fix typo "Validade" -> "Validate" in docker-promote-jfrog
- Fix invalid "if: if ..." condition in helm-chart-package
- Add whitespace trimming for comma-separated tags in promote workflows
- Update SHA pin comments to exact versions (v4 -> v4.10.0)
- Remove misleading branch comments (# main, # master) from SHA pins
- Add trusted-source comment for chart env var extraction
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.
- Move pre_build_script from inline run: to temp script execution via env var (both dockerhub and jfrog build workflows)
- Fix path concatenation bug in helm-chart diff.txt path
- Fix nested double-quote issues in PREVIOUS_VERSION/CHART_NAME/CHART_VERSION assignments in helm-chart-package
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Security fixes across 11 workflow files:
- Pin all 3rd party action references to commit SHAs with version comments
- Move all ${{ inputs.* }}, ${{ env.* }}, ${{ steps.*.outputs.* }}, and
${{ job.status }} expressions from run: blocks to step env: blocks to
prevent code injection
- Use heredoc format for all $GITHUB_ENV writes to prevent env var
injection via newline characters
- Add persist-credentials: false to untrusted PR checkouts
- Execute pre_build_script via temp file instead of inline interpolation
with EXIT trap for guaranteed cleanup
- Use openssl rand -hex 8 for heredoc delimiters consistently
- Fix helm-chart-package: invalid if: condition, scan-ref path separator,
PR notification condition for reusable workflows, PREVIOUS_VERSION
same-step usage
- Fix docker-promote-jfrog: typo, target_env validation alignment,
whitespace trimming for comma-separated tags
- Fix docker-promote-dockerhub: whitespace trimming for tags
- Validate secret key names in get_infisical_secrets action
- Add dependency checks, path traversal validation, domain normalization,
and workflow command escaping in get_infisical_secrets action
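The heredoc `$GITHUB_ENV` write with a random delimiter and the temp-file execution with an EXIT trap described in the commit message above, as an added example that is not part of this PR or the repository's workflows. It assumes GITHUB_ENV is set as on a GitHub Actions runner; `read_github_env_names` is a simplified model of how the runner parses that file, included only to show the difference between the two write forms.

```shell
# Added example, not the PR's own code: the step-level defences the PR applies,
# written as shell helpers. Assumes GITHUB_ENV points at the runner's env file.
set -eu

# Unsafe form: a value containing a newline followed by "NAME=..." is read by
# the runner as a second variable definition.
write_github_env_naive() {
  printf '%s=%s\n' "$1" "$2" >> "${GITHUB_ENV:?GITHUB_ENV is not set}"
}

# Hardened form: multi-line "NAME<<DELIM ... DELIM" syntax with a random
# delimiter (openssl rand -hex 8 as in the PR, /dev/urandom as fallback), so
# untrusted input cannot close the heredoc early or define extra variables.
write_github_env() {
  local delim
  delim="ghadelim_$(openssl rand -hex 8 2>/dev/null \
    || head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$1" "$delim"
    printf '%s\n' "$2"
    printf '%s\n' "$delim"
  } >> "${GITHUB_ENV:?GITHUB_ENV is not set}"
}

# Simplified model (assumed here) of how the runner parses GITHUB_ENV: prints
# the variable names it would define, one per line.
read_github_env_names() {
  local delim="" line
  while IFS= read -r line; do
    if [ -n "$delim" ]; then
      [ "$line" = "$delim" ] && delim=""
      continue
    fi
    case "$line" in
      *'<<'*) delim="${line#*<<}"; printf '%s\n' "${line%%<<*}" ;;
      *=*)    printf '%s\n' "${line%%=*}" ;;
    esac
  done < "$1"
}

# pre_build_script handling: write the body to a temp file and execute it; the
# EXIT trap removes the file even when the script fails under set -e.
run_script_from_tempfile() {
  local tmp
  tmp="$(mktemp)"
  trap "rm -f '$tmp'" EXIT
  printf '%s\n' "$1" > "$tmp"
  sh "$tmp"
}
```

With a constructed input of `v1.0` followed by a newline and `EVIL=1`, the naive write defines both TAGS and EVIL while the heredoc write defines only TAGS.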
55f51ac to cae60bd