ci security#1612
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis PR adds lint tooling and configuration, rewires lint execution through ChangesTooling and workflow updates
Related Issues: None mentioned. Related PRs: None mentioned. Suggested labels: ci, tooling, github-actions Suggested reviewers: None specified. 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR strengthens CI supply-chain and permissions posture by pinning GitHub Actions to commit SHAs, introducing automated enforcement (pinact) and workflow security linting (zizmor), and tightening workflow permissions/concurrency settings.
Changes:
- Pin all
uses:GitHub Actions/reusable workflow references to commit SHAs (with version comments) and add alint-pinactworkflow to enforce this. - Add
zizmor(and alint-zizmorworkflow) plus newjustrecipes to run CI security tooling locally/consistently. - Reduce default workflow permissions and add targeted permissions/comments where elevated access is required.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| justfile | Adds opengrep, pinact, zizmor, and updates lint aggregation. |
| default.nix | Adds pinact and zizmor to the dev shell toolset. |
| Cargo.lock | Updates a few Rust dependencies (lockfile churn from upgrades). |
| .pinact.yaml | Configures pinact rules (currently with an ignore exception). |
| .github/zizmor.yml | Introduces zizmor configuration file placeholder. |
| .github/workflows/version-bump.yml | Pins actions + scopes permissions via GitHub App token. |
| .github/workflows/README.md | Updates documented lint command to just clippy. |
| .github/workflows/mergeability.yml | Adds concurrency settings for merge queue behavior. |
| .github/workflows/lint-zizmor.yml | New workflow to run zizmor in CI. |
| .github/workflows/lint-validate-dependabot.yml | Pins actions + adds concurrency and job naming. |
| .github/workflows/lint-pinact.yml | New workflow to enforce pinned action refs/version comments. |
| .github/workflows/lint-opengrep.yml | Pins checkout action and delegates to just opengrep. |
| .github/workflows/lint-license-headers.yml | Pins checkout action. |
| .github/workflows/lint-commitlint.yml | Pins checkout + commitlint action and improves naming. |
| .github/workflows/lint-cargo-fmt.yml | Pins checkout action. |
| .github/workflows/lint-actionlint.yml | Pins checkout action. |
| .github/workflows/fossa.yml | Pins checkout + fossa action and adjusts checkout creds. |
| .github/workflows/dev.yml | Pins actions, tightens permissions, and adjusts lint step naming/recipe. |
| .github/workflows/bump.yml | Pins actions + scopes permissions via GitHub App token (but currently incomplete). |
| .github/actions/nix-shell/action.yml | Pins composite action dependencies (nix/cachix/use-nix-shell). |
| .github/actions/nix-setup/action.yml | Pins docker/login-action used by the composite action. |
202433a to
9775945
Compare
| if: >- | ||
| ${{ | ||
| needs.check_changes.outputs.devfiles == 'true' | ||
| || startsWith(github.event.ref, 'refs/tags/v') | ||
| || github.event_name == 'workflow_dispatch' | ||
| }} |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/lint-validate-dependabot.yml (1)
9-12: 🩺 Stability & Availability | 🔵 Trivial | 💤 Low valueVerify concurrency group is well-formed for all trigger types.
The group key
${{ github.workflow }}:${{ github.event.pull_request.number }}relies onpull_request.number, which is only populated forpull_request-triggered events. If this workflow also runs on other event types (e.g.,push,merge_group), the group key would contain a literal empty/null segment, which is harmless but slightly imprecise (multiple non-PR runs could collide into the same group and cancel each other).Fallback suggestion
concurrency: - group: "${{ github.workflow }}:${{ github.event.pull_request.number }}" + group: "${{ github.workflow }}:${{ github.event.pull_request.number || github.ref }}" cancel-in-progress: true🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/lint-validate-dependabot.yml around lines 9 - 12, The concurrency group in the workflow is too specific to pull_request events because it uses github.event.pull_request.number, which may be empty for other triggers. Update the concurrency.group expression to use a fallback that is always populated for all event types, and keep the identifier stable per run source by referencing github.workflow together with a safe event-based key in the lint-validate-dependabot workflow. This will prevent unrelated push or merge_group runs from collapsing into the same concurrency bucket.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.commitlintrc.yaml:
- Around line 24-29: The commitlint-rs config is using unsupported rule keys in
the message description section, so these checks will not run. Update the rule
names in .commitlintrc.yaml from description-format and description-max-length
to the commitlint-rs-supported subject-related keys, keeping the same format and
length constraints. Use the existing rule block in the config as the place to
swap the names while preserving their level and validation values.
In @.github/workflows/dev.yml:
- Line 69: The workflow pin for dorny/paths-filter is inconsistent with its
version comment, so update the uses reference to the correct release SHA or
adjust the comment to match the pinned version. Locate the existing pinned
action entry in dev.yml alongside the other workflow steps and make the
version/tag and commit hash agree.
---
Nitpick comments:
In @.github/workflows/lint-validate-dependabot.yml:
- Around line 9-12: The concurrency group in the workflow is too specific to
pull_request events because it uses github.event.pull_request.number, which may
be empty for other triggers. Update the concurrency.group expression to use a
fallback that is always populated for all event types, and keep the identifier
stable per run source by referencing github.workflow together with a safe
event-based key in the lint-validate-dependabot workflow. This will prevent
unrelated push or merge_group runs from collapsing into the same concurrency
bucket.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 87ab51c6-e041-429b-94f6-133e45830a3e
⛔ Files ignored due to path filters (1)
Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (19)
.commitlintrc.yaml.github/actions/nix-setup/action.yml.github/actions/nix-shell/action.yml.github/workflows/README.md.github/workflows/bump.yml.github/workflows/dev.yml.github/workflows/fossa.yml.github/workflows/lint-actionlint.yml.github/workflows/lint-cargo-fmt.yml.github/workflows/lint-commitlint.yml.github/workflows/lint-license-headers.yml.github/workflows/lint-opengrep.yml.github/workflows/lint-validate-dependabot.yml.github/workflows/mergeability.yml.github/workflows/version-bump.yml.github/zizmor.yml.pinact.yamldefault.nixjustfile
💤 Files with no reviewable changes (4)
- .github/workflows/lint-actionlint.yml
- .github/workflows/lint-cargo-fmt.yml
- .github/workflows/lint-opengrep.yml
- .github/workflows/lint-license-headers.yml
| description-format: | ||
| level: error | ||
| format: "^.*[^.]$" | ||
| description-max-length: | ||
| level: error | ||
| length: 72 |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
What rules does commitlint-rs (KeisukeYamashita/commitlint-rs) support, specifically description-format and description-max-length?
💡 Result:
The commitlint-rs project (KeisukeYamashita/commitlint-rs) does not natively support rules named description-format or description-max-length [1][2][3]. In the context of commitlint-rs, the commit message header is typically referred to as the subject [1][4]. While the tool supports various configuration rules for subject and body validation, these specific identifiers (description-format and description-max-length) are not part of its standard rule set [1][3][4]. Users commonly confuse commitlint-rs with other tools like cargo-commitlint (which is a separate project) or the Node-based commitlint [4][5]. For example, cargo-commitlint provides rules such as header-max-length and subject-case, but does not use the specific names you queried [4][5]. If you are looking to enforce length or format constraints on the commit subject in commitlint-rs, you should consult the project's official rule documentation [3], which details the rules currently implemented in the library. As of the latest available information, there is no evidence of "description" being used as a rule prefix in this tool [1][3].
Citations:
- 1: https://keisukeyamashita.github.io/commitlint-rs/rules/body-empty/
- 2: https://github.com/KeisukeYamashita/commitlint-rs
- 3: https://keisukeyamashita.github.io/commitlint-rs
- 4: https://docs.rs/crate/cargo-commitlint/1.0.0
- 5: https://docs.rs/crate/cargo-commitlint/2.0.0
Use commitlint-rs rule names here
description-format and description-max-length are not recognized by commitlint-rs, so these checks won’t run. Rename them to the supported rule keys for the message part you want to validate.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.commitlintrc.yaml around lines 24 - 29, The commitlint-rs config is using
unsupported rule keys in the message description section, so these checks will
not run. Update the rule names in .commitlintrc.yaml from description-format and
description-max-length to the commitlint-rs-supported subject-related keys,
keeping the same format and length constraints. Use the existing rule block in
the config as the place to swap the names while preserving their level and
validation values.
qmonnet
left a comment
There was a problem hiding this comment.
Looks good overall (with minor comments inline below).
My main concern is the pinning of the GitHub Actions versions. I understand why it makes it better reproducible to pin the Actions, although I don't think we've been bitten by sliding tags so far, so is this something you want to do to harden the posture, or is it to make opengrep happy?
The thing that worries me is that, unless I'm mistaken, Dependabot will start opening PRs to update Actions hashes for every single patch release, and it's going to be rather noisy (and annoying). Do we have a way to limit that? If we could have all Dependabot non-urgent updates in a single, weekly PR, for example, it would be nice, but I don't know if it supports this.
| packages: "read" | ||
| id-token: "write" | ||
| pull-requests: "write" | ||
| contents: "read" # actions/checkout on this private repo; git push + PR go through the scoped app token below |
There was a problem hiding this comment.
Not sure I understand the comment, what “private” repo are we talking about? (Same question in dev.yml)
|
|
||
| jobs: | ||
| format-check: | ||
| name: "Check formatting for Rust code" |
There was a problem hiding this comment.
This one seems to be removed rather than moved, this is because we already run it in the check job for dev.yml, right?
| with: | ||
| recipe: "check-dependencies" | ||
|
|
||
| - name: "commitlint" |
There was a problem hiding this comment.
I don't understand the motivation for this new lint. But from the commit description, I understand you plan to discuss it.
There was a problem hiding this comment.
Discussed during the meeting - this is to make it easier to run the linter locally from the nix-shell, without pulling the Node.js ecosystem.
Should ideally be mentioned in the commit log.
b71cd37 to
2dcd76b
Compare
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/bump-actions.yml:
- Around line 47-69: Run the pin update step before the Create Pull Request step
in the workflow so scheduled runs actually generate action pin changes; add the
missing bump step using the existing nix-shell setup path and make sure it
produces the changes that `create-pull-request` will commit. Also fix the PR
body reference by replacing the nonexistent `steps.upgrade.outputs.upgrade` with
the output from the newly added bump step, keeping the workflow aligned with the
`nix-shell` and `Create Pull Request` steps.
In @.github/workflows/bump.yml:
- Around line 79-82: The workflow step renamed to `cargo update` no longer
provides the `upgrade` step output, but later references still read
`steps.upgrade.outputs.upgrade`. Update the workflow so the `just`-driven step
(`bump-cargo-deps`) either exposes a matching output via an explicit `id:
upgrade`/composite-action output contract, or change the downstream PR body
generation to use static text instead of `steps.upgrade.outputs.upgrade`.
In `@justfile`:
- Around line 526-545: The PR summary/output is currently only written when
`nb_upgrades` is at least 1, so lockfile-only changes leave `upgrade_log` empty;
update the summary generation logic around the `nb_upgrades` check to include a
fallback message for lockfile-only updates. Keep the existing
`upgrade_log`/`GITHUB_STEP_SUMMARY`/`GITHUB_OUTPUT` flow in `justfile`, but add
a branch that writes a short summary when `cargo update` changed files without
any package upgrades, so the generated PR always has content.
- Around line 510-511: The staging step in the justfile is too narrow because it
only adds Cargo.lock, Cargo.toml, and cli/Cargo.toml, which can miss other
modified workspace manifests. Update the commit staging command to include all
relevant Cargo manifest files in the workspace, using the existing justfile
commit flow around the git add and git commit steps so upgrades in any workspace
member are captured.
- Around line 495-512: The upgrade loop is consuming non-package lines from the
`cargo upgrade --dry-run` output, which can cause invalid values to be passed
into `cargo upgrade --package`. Update the filtering step in the `justfile`
workflow so only actual table rows/package names are written to `list_packages`,
using the upgrade script’s existing output-processing block around `cargo
upgrade --dry-run`, `sed`, and the `while read -r package` loop.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 67766e3a-771e-429d-9014-685e963257c8
📒 Files selected for processing (7)
.github/dependabot.yml.github/workflows/bump-actions.yml.github/workflows/bump.yml.github/workflows/dev.yml.github/zizmor.yml.pinact.yamljustfile
✅ Files skipped from review due to trivial changes (2)
- .github/zizmor.yml
- .pinact.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/dev.yml
| - name: "cargo update" | ||
| uses: *just | ||
| with: | ||
| recipe: "bump-cargo-deps" |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Preserve or remove the stale upgrade output contract.
The new cargo update step no longer defines id: upgrade, but the PR body still reads steps.upgrade.outputs.upgrade later in the workflow. Either expose a real output from the recipe/composite action or replace the body with static text.
Minimal fallback fix
sign-commits: "true"
body: |
- ${{ steps.upgrade.outputs.upgrade }}
+ Automated dependency update generated by `just bump-cargo-deps`.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/bump.yml around lines 79 - 82, The workflow step renamed
to `cargo update` no longer provides the `upgrade` step output, but later
references still read `steps.upgrade.outputs.upgrade`. Update the workflow so
the `just`-driven step (`bump-cargo-deps`) either exposes a matching output via
an explicit `id: upgrade`/composite-action output contract, or change the
downstream PR body generation to use static text instead of
`steps.upgrade.outputs.upgrade`.
| git add Cargo.lock Cargo.toml cli/Cargo.toml | ||
| git commit -sF "${commit_msg}" |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Stage all modified Cargo manifests.
Hard-coding cli/Cargo.toml drops upgrades made in any other workspace manifest.
Proposed staging fix
- git add Cargo.lock Cargo.toml cli/Cargo.toml
+ git ls-files -z -- Cargo.lock ':(glob)**/Cargo.toml' | xargs -0 git add --
git commit -sF "${commit_msg}"📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| git add Cargo.lock Cargo.toml cli/Cargo.toml | |
| git commit -sF "${commit_msg}" | |
| git ls-files -z -- Cargo.lock ':(glob)**/Cargo.toml' | xargs -0 git add -- | |
| git commit -sF "${commit_msg}" |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@justfile` around lines 510 - 511, The staging step in the justfile is too
narrow because it only adds Cargo.lock, Cargo.toml, and cli/Cargo.toml, which
can miss other modified workspace manifests. Update the commit staging command
to include all relevant Cargo manifest files in the workspace, using the
existing justfile commit flow around the git add and git commit steps so
upgrades in any workspace member are captured.
| if [[ "${nb_upgrades}" -ge 1 ]]; then | ||
| { | ||
| echo "### :rocket: Upgrades available"; | ||
| echo "" | ||
| echo "| name | old | req | compatible | latest |"; | ||
| echo "|------|-----|-----|------------|--------|"; | ||
| awk '{print "| " $1 " | " $2 " | " $3 " | " $4 " | " $5 " |"}' < <(sed 1,2d < "${upgrade_output}"); | ||
| echo "" | ||
| echo ":warning: This Pull Request was automatically generated and should be carefully reviewed before acceptance. It may introduce **breaking changes**." | ||
| echo "" | ||
| } > "${upgrade_log}" | ||
| fi | ||
|
|
||
| if [ -n "${GITHUB_STEP_SUMMARY:-}" ] && [ -n "${GITHUB_OUTPUT:-}" ] && [ -w "${GITHUB_STEP_SUMMARY}" ] && [ -w "${GITHUB_OUTPUT}" ]; then | ||
| cat "${upgrade_log}" > "${GITHUB_STEP_SUMMARY}" | ||
| { | ||
| echo "upgrade<<EOF"; | ||
| cat "${upgrade_log}"; | ||
| echo "EOF"; | ||
| } >> "${GITHUB_OUTPUT}" |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Add a summary for lockfile-only updates.
If only cargo update commits changes, nb_upgrades is 0, so the generated PR summary/output is empty.
Proposed fallback
if [[ "${nb_upgrades}" -ge 1 ]]; then
{
echo "### :rocket: Upgrades available";
@@
echo ""
} > "${upgrade_log}"
+ else
+ {
+ echo "### :package: Lockfile update";
+ echo "";
+ echo "This Pull Request contains dependency resolution updates from \`cargo update\`.";
+ echo "";
+ } > "${upgrade_log}"
fi📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| if [[ "${nb_upgrades}" -ge 1 ]]; then | |
| { | |
| echo "### :rocket: Upgrades available"; | |
| echo "" | |
| echo "| name | old | req | compatible | latest |"; | |
| echo "|------|-----|-----|------------|--------|"; | |
| awk '{print "| " $1 " | " $2 " | " $3 " | " $4 " | " $5 " |"}' < <(sed 1,2d < "${upgrade_output}"); | |
| echo "" | |
| echo ":warning: This Pull Request was automatically generated and should be carefully reviewed before acceptance. It may introduce **breaking changes**." | |
| echo "" | |
| } > "${upgrade_log}" | |
| fi | |
| if [ -n "${GITHUB_STEP_SUMMARY:-}" ] && [ -n "${GITHUB_OUTPUT:-}" ] && [ -w "${GITHUB_STEP_SUMMARY}" ] && [ -w "${GITHUB_OUTPUT}" ]; then | |
| cat "${upgrade_log}" > "${GITHUB_STEP_SUMMARY}" | |
| { | |
| echo "upgrade<<EOF"; | |
| cat "${upgrade_log}"; | |
| echo "EOF"; | |
| } >> "${GITHUB_OUTPUT}" | |
| if [[ "${nb_upgrades}" -ge 1 ]]; then | |
| { | |
| echo "### :rocket: Upgrades available"; | |
| echo "" | |
| echo "| name | old | req | compatible | latest |"; | |
| echo "|------|-----|-----|------------|--------|"; | |
| awk '{print "| " $1 " | " $2 " | " $3 " | " $4 " | " $5 " |"}' < <(sed 1,2d < "${upgrade_output}"); | |
| echo "" | |
| echo ":warning: This Pull Request was automatically generated and should be carefully reviewed before acceptance. It may introduce **breaking changes**." | |
| echo "" | |
| } > "${upgrade_log}" | |
| else | |
| { | |
| echo "### :package: Lockfile update"; | |
| echo ""; | |
| echo "This Pull Request contains dependency resolution updates from \`cargo update\`."; | |
| echo ""; | |
| } > "${upgrade_log}" | |
| fi | |
| if [ -n "${GITHUB_STEP_SUMMARY:-}" ] && [ -n "${GITHUB_OUTPUT:-}" ] && [ -w "${GITHUB_STEP_SUMMARY}" ] && [ -w "${GITHUB_OUTPUT}" ]; then | |
| cat "${upgrade_log}" > "${GITHUB_STEP_SUMMARY}" | |
| { | |
| echo "upgrade<<EOF"; | |
| cat "${upgrade_log}"; | |
| echo "EOF"; | |
| } >> "${GITHUB_OUTPUT}" |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@justfile` around lines 526 - 545, The PR summary/output is currently only
written when `nb_upgrades` is at least 1, so lockfile-only changes leave
`upgrade_log` empty; update the summary generation logic around the
`nb_upgrades` check to include a fallback message for lockfile-only updates.
Keep the existing `upgrade_log`/`GITHUB_STEP_SUMMARY`/`GITHUB_OUTPUT` flow in
`justfile`, but add a branch that writes a short summary when `cargo update`
changed files without any package upgrades, so the generated PR always has
content.
22c1a70 to
f94f266
Compare
I updated Cargo.lock to keep the other diffs as clean as possible. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
Pin every third-party `uses:` reference (marketplace actions and composite actions) to a specific commit SHA, with the resolved tag kept as a trailing comment for readability. Managed going forward via `pinact run` (config in .pinact.yaml). The one exception is the cross-repo reusable workflow `githedgehog/fabricator/.github/workflows/run-vlab.yaml`: we control that workflow and pinning it is not desired. It floats intentionally and should pose no meaningful security issue. .pinact.yaml also sets a 10-day `min_age` so `pinact run` never adopts an action release less than 10 days old. Also adds `pinact` to the nix devshell so it can be run locally. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
Trim GITHUB_TOKEN permissions to what each job actually consumes, traced through the composite actions and justfile recipes: - bump.yml / version-bump.yml: the blanket contents/id-token/ pull-requests grants had no consumer -- the actual git push and PR creation go through a separately-minted, already-scoped GitHub App token, not GITHUB_TOKEN. Reduced to `contents: read` (needed for checkout on this private repo). - dev.yml: same story for the shared `check-perms` block (check, sanitize, test_each, concurrency, miri, wasm, cross) -- none of those jobs build or push containers, so checks/pull-requests/ packages/id-token were dead weight. `build` and `publish` keep `packages: write` since they push images via `just push-container`. `check_changes` keeps `pull-requests: read` for dorny/paths-filter's API-based file-list lookup on PR events. Also scope the three `create-github-app-token` steps (bump.yml, dev.yml, version-bump.yml) to `permission-contents`/ `permission-pull-requests` instead of inheriting the full GitHub App installation's permissions, and set `persist-credentials: false` on checkout steps that never push with the default token (bump.yml, dev.yml, fossa.yml, lint-validate-dependabot.yml), plus add zizmor to the nix devshell used to audit this. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
- Name the previously-anonymous cargo-upgrades, version, publish, commitlint, and validate jobs (zizmor anonymous-definition). - Add a concurrency group to mergeability.yml and lint-validate-dependabot.yml (zizmor concurrency-limits); the former falls back to github.run_id for merge_group events so an in-progress merge-queue check is never cancelled. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
Give each linter its own just recipe (clippy, opengrep, pinact, zizmor) instead of burying cargo clippy alone in `lint`, then compose them in the justfile. This gives local parity with the individual CI lint jobs and a single place to tune each tool's flags. dev.yml's `check` job now calls the `clippy` recipe directly (it already ran individual recipes like fmt/test/doctest rather than the aggregate `lint`; this keeps that step's naming honest). lint-opengrep.yml now delegates to `just opengrep` instead of duplicating the scan invocation inline. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
Fold actionlint, cargo-fmt's sibling checks, license-headers, opengrep, pinact, and zizmor into one non-matrixed `lint` job in dev.yml instead of six independent lint-*.yml workflows, each of which paid for its own nix-shell/cachix pull. One job now means one pull per PR instead of six. check-dependencies moves here too, off of the check job's debug/release matrix and out of build's inline step list. `build` (and therefore `publish`, which pushes to our container registry) now depends on the whole `lint` job via `needs:`, so a check-dependencies failure still blocks a container push. Adds .github/zizmor.yml carrying an unpinned-uses `ref-pin` policy for the fabricator run-vlab reusable workflow, so zizmor accepts its `@master` ref pin (which pinact can't SHA-pin; see the pinning commit). Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
Add a commitlint check to the same job, gated by a config (.commitlintrc.yaml) that mirrors the type list and header-length intent of the existing lint-commitlint.yml action, no trailing period, roughly 72-char headers. commitlint-rs has no single "whole header length" rule, only a per-field description-max-length. That bound is looser than the old check in principle. commitlint-rs's `--from`/`--to` flags are unusable in any non-interactive shell, CI included: its arg-handling checks stdin before checking --from/--to, and stdin is never a TTY there, so it silently lints empty/stray stdin content instead of the requested commit range. Worked around by feeding each commit's message to commitlint individually over stdin instead, which is the one invocation mode that actually works. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
Steps in a job run sequentially and stop at the first failure, so as written, a fmt failure would hide whatever clippy/opengrep/zizmor/ pinact/actionlint/license-headers would have said -- a step backwards from the six independent jobs this replaced, which all ran in parallel and reported together. Mark each check `continue-on-error` and add a final step that checks every step's outcome and fails the job if any of them didn't succeed. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
Extract the dependency-bump logic that lived inline in bump.yml into just recipes so it can be run and tested locally: - `bump-cargo-deps` runs `cargo update` plus per-package `cargo upgrade`, committing each bump separately, and (in CI) emits the PR-body summary via GITHUB_OUTPUT. It uses mktemp scratch files and guards the GITHUB_* writes so it is safe to run outside Actions. - `bump-actions` runs `pinact run --update` to refresh pinned action SHAs; available for manual/local use. bump.yml now calls `just bump-cargo-deps` and drives check-dependencies through the shared `just` composite action instead of duplicating the recipe bodies inline. It also switches the app-token input from the deprecated `app-id` to `client-id` and adds the `ci:+vlab` label to generated PRs. Also bumps the dependabot cooldown from 7 to 10 days to match the pinact `min_age`, so automated dependency PRs wait the same window before adopting a fresh release. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
The cross compile job isn't run that frequently, but when failures happen it is very annoying to debug because the max-parallel setting of 1 makes failures take a long time. Increasing to 2 is very helpful here and doesn't tax CI too much. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Daniel Noland <[email protected]>
f94f266 to
9fd2c20
Compare
qmonnet
left a comment
There was a problem hiding this comment.
Looks good, thank you.
My two main questions:
-
Can you double-check (and ideally comment on) the change from
app-idtoclient-idin bump.yml? I note this makes it inconsistent with dev.yml and version-bump.yml, by the way. -
It seems to me that we want to call
just bump-actionsas part of bump.yml to avoid Dependabot opening too many PRs for GitHub Actions updates?
| declare -r BASE | ||
|
|
||
| # Run "cargo update" | ||
| echo "::notice::Running cargo update" |
There was a problem hiding this comment.
Note: we could use a print_notice() wrapper to print ::notice:: in GitHub Actions and format differently outside of it, but it's absolutely fine to keep that for a follow-up or even to keep it like this, I don't expect us to run this locally very often anyway.
| echo "| name | old | req | compatible | latest |"; | ||
| echo "|------|-----|-----|------------|--------|"; |
There was a problem hiding this comment.
Nit: The columns size won't be automatically adjusted, so I'd pick a larger width for the "name" column; then I think with awk you have printf available and that you can pad the fields to keep something nicely aligned.
Doesn't matter much, though.
There was a problem hiding this comment.
In fact, why not reuse the same logic as we had previously?
# Create Pull Request description
echo "### :rocket: Upgrades available";
if [[ "${nb_upgrades}" -ge 1 ]]; then
{
echo ""
echo "\`\`\`"
cat "${upgrade_output}"
echo "\`\`\`"
} > "${upgrade_log}"
fi| app-id: "${{ secrets.DP_APP_ID }}" | ||
| client-id: "${{ secrets.DP_APP_ID }}" |
There was a problem hiding this comment.
Just double-checking, is this intentional?
There was a problem hiding this comment.
yup. app-id is deprecated
There was a problem hiding this comment.
OK thanks, would you mind fixing the other workflows in this case, please?
| [script] | ||
| bump-actions: | ||
| {{ _just_debuggable_ }} | ||
| pinact run --update |
There was a problem hiding this comment.
Looks good, but shouldn't we call this from the bump.yml workflow to update GitHub Actions on a periodical basis, before the cooldown for Dependabot ends and it starts opening its own PRs? I don't see bump-actions called in CI at the moment.
Spruce up CI security in response to more opengrep findings.
Specifically, opengrep now wants pinned github actions.
I added pinact to manage the pinning and zizmor to address other security issues in the CI while we are at it.