
CI improvements from LXD#1333

Merged
roosterfish merged 11 commits into canonical:main from simondeziel:zizmor
Apr 21, 2026

Conversation

@simondeziel
Member

No description provided.


Copilot AI left a comment


Pull request overview

Updates GitHub Actions CI workflows to improve security posture (credential persistence, action pinning signals) and enhance vulnerability scanning (Trivy SARIF + KEV tagging), based on patterns from LXD.

Changes:

  • Disable persisted git credentials on actions/checkout across multiple workflows/jobs.
  • Rework Trivy security scanning to use aquasecurity/trivy-action, upload SARIF, and tag KEV-listed CVEs.
  • Pin the documentation reusable workflow by commit and add zizmor ignore annotations for specific findings.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Summary per file:

  • .github/workflows/triage.yml: Adds zizmor suppression for pull_request_target trigger warning.
  • .github/workflows/tests.yml: Disables checkout credential persistence in jobs; pins doc workflow by commit; adds zizmor suppression for an unpinned reusable action.
  • .github/workflows/security.yml: Migrates Trivy scanning to aquasecurity/trivy-action, adds KEV tagging logic, and adjusts permissions/conditions.
  • .github/workflows/codeql.yml: Disables checkout credential persistence for CodeQL job.
  • .github/actions/system-test/action.yml: Adds checkout credential hardening and zizmor suppressions; refactors input usage in bash steps.


Review comment threads:

  • .github/actions/check-changes/action.yml
  • .github/workflows/security.yml (two threads)
  • .github/workflows/tests.yml
  • .github/actions/system-test/action.yml
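As an added example (not code from this PR or from the project's security.yml), here is one way to implement the KEV tagging step the review summary describes: walk a Trivy SARIF document, look up each result's CVE in the CISA KEV catalog (the feed's vulnerabilities[].cveID field), and mark matching rules and results so they stand out once the SARIF is uploaded. The SARIF document, the KEV document, the CVE ids and the tag name below are constructed samples.

```python
# Constructed sample: minimal Trivy-style SARIF (placeholder CVE ids, not real).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-00001", "properties": {"tags": ["vulnerability"]}},
            {"id": "CVE-0000-00002", "properties": {"tags": ["vulnerability"]}},
        ]}},
        "results": [
            {"ruleId": "CVE-0000-00001", "level": "warning",
             "message": {"text": "pkg-a 1.0: constructed finding"}},
            {"ruleId": "CVE-0000-00002", "level": "warning",
             "message": {"text": "pkg-b 2.0: constructed finding"}},
        ],
    }],
}

# Constructed sample in the shape of the CISA KEV feed (vulnerabilities[].cveID).
SAMPLE_KEV = {"vulnerabilities": [{"cveID": "CVE-0000-00001"}]}


def kev_ids(kev_catalog: dict) -> set:
    """Return the set of CVE ids listed in a KEV catalog document."""
    return {v["cveID"] for v in kev_catalog.get("vulnerabilities", [])}


def tag_kev(sarif: dict, kev: set, tag: str = "kev") -> int:
    """Mark every result whose ruleId is in `kev`: add `tag` to the rule's tags,
    prefix the message with [KEV] and raise the level to error. Mutates `sarif`
    in place, is idempotent, and returns the number of KEV results seen."""
    seen = 0
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules}
        for result in run.get("results", []):
            rid = result.get("ruleId", "")
            if rid not in kev:
                continue
            seen += 1
            rule = by_id.get(rid)
            if rule is not None:
                tags = rule.setdefault("properties", {}).setdefault("tags", [])
                if tag not in tags:
                    tags.append(tag)
            msg = result.setdefault("message", {})
            if not msg.get("text", "").startswith("[KEV] "):
                msg["text"] = "[KEV] " + msg.get("text", "")
            result["level"] = "error"
    return seen
```

Run this between the Trivy scan and the SARIF upload so the tag lands on the rule as uploaded; rule tags are shown on code scanning alerts, which makes KEV-listed findings filterable.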
@roosterfish
Contributor

The Ceph failures are likely related to MicroCeph latest/edge now serving tentacle. I am addressing the necessary updates in #1338.

I just saw you have also added two commits for the MicroCeph versions checks. I have aligned it with the MicroOVN and LXD check to support the current LTS + the latest/edge version. Also the test suite requires tweaks due to the switch to Microcluster v3 in MicroCeph.

@simondeziel
Member Author

> The Ceph failures are likely related to MicroCeph latest/edge now serving tentacle. I am addressing the necessary updates in #1338.

Ack, will rebase once it lands.

@roosterfish
Contributor

Can be rebased now.

Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
…zizmor)
@roosterfish
Contributor

Thanks!

@roosterfish
Contributor

Happy with the changes @simondeziel ?

@simondeziel simondeziel marked this pull request as ready for review April 21, 2026 15:03
@simondeziel
Member Author

> Happy with the changes @simondeziel ?

Oops, out of draft now ;)

@roosterfish roosterfish merged commit eb2ed72 into canonical:main Apr 21, 2026
29 checks passed