github/sonar: Update to use sonar hash ref #162

Merged
andrewwormald merged 2 commits into main from andreww-update-sonar-to-hash-ref
Dec 11, 2025

Conversation

@andrewwormald (Collaborator)

Update to deal with sonar security complaint


coderabbitai bot commented Dec 11, 2025

Walkthrough

This pull request updates the Sonar GitHub Actions workflow (.github/workflows/sonar.yaml) to replace semantic version tags with pinned commit SHAs for action references: actions/checkout@v4 → specific commit (v4.1.7), actions/setup-go@v5 → specific commit (v5.0.2), and SonarSource/sonarqube-scan-action@v5.1.0 → its commit SHA. Functionality is unchanged; only exact commit references are used.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Single workflow file modified with three homogeneous replacements.
  • No logic, conditional, or behavioural changes.
  • Attention points: verify the pinned SHAs correspond to intended released versions and that workflows still run in CI.

Possibly related PRs

  • sonar: Update deprecated action #127 — Modifies the same .github/workflows/sonar.yaml and updates the SonarQube action reference; closely related to these workflow pinning changes.

Suggested reviewers

  • adamhicks
  • NeilLuno

Poem

🐇 I pinned each hash, one by one,

No drifting tags beneath the sun,
Builds will run the same and neat,
Reproducible steps — a steady beat,
Hoppity hops for CI complete.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

  • Title check: Passed. The title accurately describes the main change: updating the GitHub Actions workflow to use commit hash references instead of version tags for the Sonar action and other dependencies.
  • Description check: Passed. The description is related to the changeset, referencing a security concern that prompted the update to use hash references instead of semantic version tags.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between adfe8e8 and 11a366f.

📒 Files selected for processing (1)
  • .github/workflows/sonar.yaml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/sonar.yaml


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ad7a9c0 and adfe8e8.

📒 Files selected for processing (1)
  • .github/workflows/sonar.yaml (2 hunks)
🔇 Additional comments (3)
.github/workflows/sonar.yaml (3)

17-31: Commend the shift to commit SHA pinning for improved security.

Replacing semantic version tags (@v4, @v5, etc.) with immutable commit SHAs is an effective security hardening measure. This mitigates risks from tag reassignment or tampering whilst the inline version comments preserve maintainability. The changes appear consistent across all three action references in the workflow.


17-17: Commit SHAs are properly pinned for security hardening.

The pinned commit SHAs for all three actions have been verified as valid and existing in their respective repositories:

  • actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 (v4.1.7)
  • actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 (v5.0.2)
  • SonarSource/sonarqube-scan-action@884b79409bbd464b2a59edc326a4b77dc56b2195 (v5.1.0)

This approach follows GitHub Actions security best practice by using immutable commit SHAs instead of mutable version tags, preventing potential tampering or accidental tag rewrites.


20-20: The commit SHA 0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 correctly corresponds to the version tag v5.0.2 in the actions/setup-go repository. The pin is accurate.
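
The review above says what to verify (each pinned SHA should be the commit behind the tag named in its inline comment) but not how. The following is an added example, not code from this repository or from CodeRabbit: a small checker that parses `uses:` lines out of a workflow, flags references that are still mutable tags or branches, flags SHA pins that lack a `# vX.Y.Z` comment, and emits the `git ls-remote` command a reviewer runs to confirm the SHA really is that tag (the lookup needs network, so it is printed rather than executed). The two workflow fragments are constructed to mirror the before/after shape of this PR using the three SHAs quoted in the review; they are not the repository's actual `.github/workflows/sonar.yaml`.

```python
import re

# Constructed "before" fragment: every action is referenced by a mutable tag.
WORKFLOW_BEFORE = """\
name: Sonar
on: [push]
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - uses: SonarSource/sonarqube-scan-action@v5.1.0
"""

# Constructed "after" fragment: full commit SHAs with the release kept as a comment
# (SHAs are the ones quoted in the review; the file layout is illustrative).
WORKFLOW_AFTER = """\
name: Sonar
on: [push]
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
      - uses: SonarSource/sonarqube-scan-action@884b79409bbd464b2a59edc326a4b77dc56b2195 # v5.1.0
"""

# `uses: <target>` optionally followed by a same-line `# <version>` comment.
# Only horizontal whitespace is allowed before the comment so a comment on the
# next line is never attributed to this step.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)(?:[ \t]*#[ \t]*(\S+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow: str):
    """Return (action, ref, comment) for every remote action reference."""
    found = []
    for m in USES_RE.finditer(workflow):
        target, comment = m.group(1), m.group(2)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local path or container actions have no tag/SHA ref
        action, _, ref = target.partition("@")
        found.append((action, ref, comment))
    return found


def check_pins(workflow: str):
    """Return findings; an empty list means every action is SHA-pinned and
    carries a human-readable version comment."""
    findings = []
    for action, ref, comment in parse_uses(workflow):
        if not SHA_RE.match(ref):
            findings.append(f"{action}@{ref}: mutable ref (tag or branch), pin to a full commit SHA")
        elif comment is None:
            findings.append(f"{action}@{ref[:7]}: SHA pin lacks a version comment ('# vX.Y.Z'), intended release is unreviewable")
    return findings


def verify_commands(workflow: str):
    """For each SHA pin with a version comment, build the command that lists the
    tag's object on the remote. For an annotated tag the commit to compare is on
    the line ending in '^{}'; for a lightweight tag it is the tag line itself."""
    cmds = []
    for action, ref, comment in parse_uses(workflow):
        if SHA_RE.match(ref) and comment:
            cmds.append(f"git ls-remote --tags https://github.com/{action} {comment}   # expect {ref}")
    return cmds


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"== {label} ==")
        for f in check_pins(wf) or ["no findings"]:
            print("  " + f)
    print("== verify ==")
    for c in verify_commands(WORKFLOW_AFTER):
        print("  " + c)
```

Run against the "before" fragment it reports all three actions as mutable; against the "after" fragment it reports nothing and prints one `git ls-remote` line per action, which is the manual step the review's "verify the pinned SHAs correspond to intended released versions" attention point asks for.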

@sonarqubecloud

andrewwormald merged commit 6c7d930 into main Dec 11, 2025
8 checks passed