ci(security): SHA-pin reusable security-scan workflow #30
Conversation
The `security` workflow called resq-software/.github's reusable security-scan.yml via the mutable `@main` ref. This:

- tripped the open zizmor `unpinned-uses` code-scanning alert (security.yml:24, severity error), and
- is the most likely cause of the scheduled-run startup_failures observed weekly since 2026-04-27 (org policy requires actions pinned to a full-length commit SHA; the runs reported startup_failure with zero jobs executed).

Pin to ee2001974be1e5610cff3a2c669cfab95c7415e7 (current .github main HEAD; last commit to security-scan.yml, 2026-05-04, #20), matching the SHA-pin convention already used by ci.yml. Trailing `# main (...)` comment keeps Dependabot able to propose updates.

`secrets: inherit` is retained and documented inline: the reusable workflow reads org-level secrets (SEMGREP_APP_TOKEN) not declared in its workflow_call.secrets block, so they cannot be forwarded explicitly. Clearing the zizmor `secrets-inherit` warning requires an org-side change in security-scan.yml first.
Root cause of the security-workflow startup_failure (every run since 2026-05-04, 0 jobs executed): the reusable security-scan.yml's CodeQL and zizmor jobs request `actions: read` (added in resq-software/.github#20, 2026-05-04 — exactly when the failures began). A reusable workflow's jobs cannot request a permission the caller did not grant; GitHub rejects the entire run at startup. The prior #30 SHA-pin and the secrets-inherit removal did not fix it because neither granted actions:read. Add it to the scan job's permissions.
Summary

The `security` workflow invoked resq-software/.github's reusable `security-scan.yml` through the mutable `@main` ref. Pinning it to a full-length commit SHA:

- `unpinned-uses` code-scanning alert (security.yml:24, severity error — alert #10).
- `startup_failure` seen weekly since 2026-04-27 (the org enforces "actions must be pinned to a SHA"). Those scheduled runs reported `startup_failure` with 0 jobs executed, consistent with workflow-resolution/policy rejection at startup.

Pinned to `ee2001974be1e5610cff3a2c669cfab95c7415e7` — current `.github` main HEAD and the last commit to touch `security-scan.yml` (2026-05-04, resq-software/.github#20). Matches the SHA-pin convention already used by `ci.yml`. Trailing `# main (...)` comment keeps Dependabot able to propose updates.

On `secrets: inherit`

Retained and documented inline. The reusable workflow reads org-level secrets (`SEMGREP_APP_TOKEN`) that are not declared in its `workflow_call.secrets:` block, so they cannot be forwarded explicitly. Fully clearing the zizmor `secrets-inherit` warning (alert #11, warning) requires an org-side `secrets:` declaration in `security-scan.yml` first — out of scope here.

Test plan

- `security` via workflow_dispatch on `main`; confirm no `startup_failure`.
- (`unpinned-uses`) auto-resolves.
- (`17 6 * * 1`) completes.

Out of scope

- `scan / osv-scanner` failures on stale branches (they're behind `main`, which already carries the per-lockfile osv-scanner config).
- `secrets-inherit` warning (needs the org-side change above).
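The caller-side configuration that the description and the root-cause comment together describe, as an added example rather than the repository's actual security.yml: the mutable `@main` reference beside the SHA-pinned form, the documented `secrets: inherit`, and the `actions: read` grant the called workflow's jobs now need. The workflow path inside resq-software/.github, the job id `scan` and the `security-events: write` line are assumptions; the SHA, the cron schedule and the `actions: read` requirement come from the discussion above.

```yaml
# Added example, not the repository's security.yml. The workflow path, the
# job id and the security-events permission are assumptions; the SHA, cron
# and the actions: read requirement come from the PR discussion.
name: security

on:
  schedule:
    - cron: "17 6 * * 1"
  workflow_dispatch:

jobs:
  scan:
    # A reusable workflow's jobs can only downgrade the token permissions
    # the caller grants, never request more. Since resq-software/.github#20
    # the CodeQL and zizmor jobs request actions: read, so the caller must
    # grant it here; otherwise GitHub rejects the entire run at startup
    # (startup_failure, 0 jobs executed).
    permissions:
      contents: read
      actions: read
      security-events: write   # assumed: needed to upload code-scanning results

    # Before (flagged by zizmor unpinned-uses and rejected by the org's
    # "actions must be pinned to a SHA" policy):
    # uses: resq-software/.github/.github/workflows/security-scan.yml@main
    #
    # After: full-length commit SHA; the trailing comment names the tracked
    # ref so Dependabot can keep proposing updates to the pin.
    uses: resq-software/.github/.github/workflows/security-scan.yml@ee2001974be1e5610cff3a2c669cfab95c7415e7 # main

    # The reusable workflow reads org-level secrets (SEMGREP_APP_TOKEN) that
    # its workflow_call.secrets block does not declare, so they cannot be
    # forwarded one by one under `secrets:`. inherit is the only option until
    # the org-side workflow declares them (zizmor secrets-inherit, alert #11).
    secrets: inherit
```

The pin is checked by comparing the `uses:` suffix against `git rev-parse` of the intended ref in the .github repository, and the permission grant by confirming a workflow_dispatch run reaches its jobs instead of ending in startup_failure.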