From 78faf58cb9d6de298496c62e46e273b34517fd4b Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Sun, 31 May 2026 19:10:21 -0400
Subject: [PATCH] ci(security): SHA-pin reusable security-scan workflow

The `security` workflow called resq-software/.github's reusable
security-scan.yml via the mutable `@main` ref. This:

- tripped the open zizmor `unpinned-uses` code-scanning alert
  (security.yml:24, severity error), and
- is the most likely cause of the scheduled-run startup_failures observed
  weekly since 2026-04-27 (org policy requires actions pinned to a
  full-length commit SHA; the runs reported startup_failure with zero jobs
  executed).

Pin to ee2001974be1e5610cff3a2c669cfab95c7415e7 (current .github main HEAD;
last commit to security-scan.yml, 2026-05-04, #20), matching the SHA-pin
convention already used by ci.yml. Trailing `# main (...)` comment keeps
Dependabot able to propose updates.

`secrets: inherit` is retained and documented inline: the reusable workflow
reads org-level secrets (SEMGREP_APP_TOKEN) not declared in its
workflow_call.secrets block, so they cannot be forwarded explicitly.
Clearing the zizmor `secrets-inherit` warning requires an org-side change
in security-scan.yml first.

---
 .github/workflows/security.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f53c6a0..226e751 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -21,8 +21,18 @@ permissions: jobs: scan: - uses: resq-software/.github/.github/workflows/security-scan.yml@main + # SHA-pinned to satisfy the org "actions must be pinned to a full-length + # commit SHA" policy. The previous mutable `@main` ref tripped the zizmor + # `unpinned-uses` code-scanning alert and is the most likely cause of the + # scheduled-run startup failures. Trailing comment lets Dependabot still + # propose updates. Matches the SHA-pin convention already used in ci.yml. + uses: resq-software/.github/.github/workflows/security-scan.yml@ee2001974be1e5610cff3a2c669cfab95c7415e7 # main (2026-05-04, #20) with: languages: '["actions"]' enable-semgrep: true + # `inherit` is required here: the reusable workflow consumes org-level + # secrets (e.g. SEMGREP_APP_TOKEN) that are NOT declared in its + # `workflow_call.secrets` block, so they cannot be forwarded explicitly. + # Fully clearing the zizmor `secrets-inherit` warning needs an org-side + # `secrets:` declaration in security-scan.yml first (tracked separately). secrets: inherit
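Review bot: with `secrets: inherit` kept, the pinned SHA is now the only thing bounding which code gets to read SEMGREP_APP_TOKEN and every other org/repo secret, so the inline comment above `secrets: inherit` should say so explicitly, e.g. "any bump of the SHA on the `uses:` line above changes what code can read these secrets; review the security-scan.yml diff, not just the version trailer", otherwise the Dependabot PRs this change is designed to enable will get rubber-stamped. Two smaller points on the same hunk: the `# main (2026-05-04, #20)` trailer only lets Dependabot propose updates if this repo's dependabot.yml has a `github-actions` ecosystem entry, which this patch does not show, so please confirm that exists; and since the comment itself only calls `@main` the "most likely cause" of the startup failures, verify after merge that the next scheduled run actually executes jobs rather than treating the cleared zizmor alert as proof the failures are fixed.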