ci: pin actions to SHA in 8 broken workflows#2009

Open

giattijunior wants to merge 5 commits into garrytan:main from giattijunior:ci/sha-pin-checkout-all-workflows

Conversation

@giattijunior

@giattijunior giattijunior commented Jun 14, 2026


Summary

Fix the 8 pre-existing workflows in giattijunior/gstack that have been silently failing with startup_failure due to a policy conflict between sha_pinning_required: true and allowed_actions: selected (custom allowlist with empty patterns).

The skillspector.yml was previously untracked in the repo; this PR adds it with the same SHA-pinning treatment.

Background

Discovered while debugging the dupehound workflow in #1: every workflow in this repo that used actions/checkout@v4 (tag-based) failed at parse time with startup_failure — no jobs ever ran, no logs produced, 0-second runs. The 7 pre-existing workflows broken by this were:

  • actionlint.yml (Workflow Lint)
  • ci-image.yml (Build CI Image)
  • cve-lite.yml
  • evals-periodic.yml (Periodic Evals)
  • evals.yml (E2E Evals)
  • renovate.yml
  • skill-docs.yml (Skill Docs Freshness)
  • skillspector.yml (SkillSpector)

Fix

Pin every tag-based uses: reference to its current commit SHA in all 8 affected files. Actions pinned in this PR:

  • actions/checkout@v4 → 34e114876b0b11c390a56381ad16ebd13914f8d5
  • actions/setup-node@v4 → 49933ea5288caeca8642d1e84afbd3f7d6820020
  • actions/setup-python@v4 → 7f4fc3e22c37d6ff65e88745f38bd3157c663f7c
  • actions/setup-python@v5 → a26af69be951a213d495a4c3e4e4022e16d87065
  • actions/upload-artifact@v4 → ea165f8d65b6e75b540449e92b4886f43607fa02
  • actions/download-artifact@v4 → d3f86a106a0bac45b974a628896c90dbdf5c8093
  • docker/login-action@v3 → c94ce9fb468520275223c153574b00df6fe4bcc9
  • docker/build-push-action@v3 → 1104d471370f9806843c095c1db02b5a90c5f8b6
  • docker/build-push-action@v6 → 10e90e3645eae34f1e60eeb005ba3a3d33f178e8
  • astral-sh/setup-uv@v6 → d0d8abe699bfb85fec6de9f7adb5ae17292296ff
  • oven-sh/setup-bun@v2 → 0c5077e51419868618aeaa5fe8019c62421857d6
  • rhysd/actionlint@v1.7.11 → 393031adb9afb225ee52ae2ccd7a5af5525e03e8
  • renovatebot/github-action@v41 → 7e1c0fa7cfd2c3e91b27cdd87ae09a6a0fafb5f2 (v41.0.0)
  • github/codeql-action/upload-sarif@v4 → 411bbbe57033eedfc1a82d68c01345aa96c737d7

The repo enforces sha_pinning_required: true against all tag-based uses: references, not just actions/checkout. Fixing only the latter was insufficient; cve-lite workflow (which uses setup-node, codeql-action, upload-artifact) still failed with startup_failure until all of them were pinned.

CI status (this PR)

Workflow             | Before this PR   | After this PR
Workflow Lint        | startup_failure  | success
Skill Docs Freshness | startup_failure  | success
cve-lite             | startup_failure  | failure (see below)
E2E Evals            | startup_failure  | queued (uses ubicloud-standard-2 runner, slower)
Periodic Evals       | startup_failure  | not run (schedule-only)
Build CI Image       | startup_failure  | queued (Docker build, slower)
Renovate             | startup_failure  | not run (schedule-only)
SkillSpector         | (file untracked) | pending first run

The two success results confirm the fix works. The 4 queued workflows are still expected to succeed once they complete — they use heavier runners (Docker, ubicloud) and take longer to spin up.

Out of scope: cve-lite CLI bug discovered

With the workflow now actually running for the first time, it failed with:

Error: cannot combine --sarif and --report
Run `cve-lite --help` to see supported options.

The cve-lite.yml invokes cve-lite . --fail-on high --sarif --no-open --report ./cve-report — the --sarif and --report flags are mutually exclusive. This is a pre-existing bug in the workflow (or the cve-lite CLI) that has been hidden by the startup_failure of the SHA pinning issue. Fixing it requires deciding which output format to use (SARIF for Code Scanning integration or HTML for artifacts) — that's a separate decision and a separate PR.

Caveats

  • Pinned SHAs will need periodic bumps to track upstream releases. Renovate is already configured in this repo but only updates the workflows Renovate itself owns; manual bumps will be needed for the others, or Renovate config can be extended.
  • Node.js 20 deprecation: pinned v4 actions run on Node 20 which GitHub will force to Node 24 starting June 16, 2026. If a future v4 release targets Node 24, bumping the SHA picks up the upgrade.

Related

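As an added illustration (not code from the PR or the gstack repo), a small checker that flags the tag-based `uses:` references a `sha_pinning_required` policy rejects, and rewrites the ones this PR lists to their commit SHA while keeping the tag as a trailing comment. The sample workflow is constructed; the pin table copies four of the SHAs from the list above.

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref, with an optional trailing comment.
# Local actions (./path) and docker:// references contain no "@" and are skipped.
USES_RE = re.compile(
    r'^(\s*-?\s*uses:\s*)([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)(\s*#.*)?$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')  # a full commit SHA, which the policy requires

# Tag -> commit SHA, copied from the PR description above (assumption: these are
# the refs you would look up per action; only four of the PR's list are shown).
PIN_MAP = {
    "actions/checkout@v4": "34e114876b0b11c390a56381ad16ebd13914f8d5",
    "actions/setup-node@v4": "49933ea5288caeca8642d1e84afbd3f7d6820020",
    "actions/upload-artifact@v4": "ea165f8d65b6e75b540449e92b4886f43607fa02",
    "github/codeql-action/upload-sarif@v4": "411bbbe57033eedfc1a82d68c01345aa96c737d7",
}

# Constructed sample resembling the cve-lite workflow before the fix.
SAMPLE = """\
name: cve-lite
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-helper
      - uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7  # v4
"""

def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every uses: whose ref is not a 40-hex SHA."""
    hits = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(3)):
            hits.append((n, m.group(2), m.group(3)))
    return hits

def pin_to_sha(workflow_text, pin_map=PIN_MAP):
    """Rewrite tag refs present in pin_map to their SHA; the tag survives as '# vN'
    so reviewers (and Renovate) can still tell which release the SHA tracks."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and f"{m.group(2)}@{m.group(3)}" in pin_map:
            line = f"{m.group(1)}{m.group(2)}@{pin_map[f'{m.group(2)}@{m.group(3)}']}  # {m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `find_unpinned` over a repo's `.github/workflows/*.yml` before pushing is the local equivalent of the policy check that produced the silent `startup_failure` runs.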
giatti and others added 4 commits May 27, 2026 11:52
- Monthly Renovate run (2nd of month, 02:00 BRT)
- minimumReleaseAge: 14 days (supply-chain protection)
- internalChecksFilter: strict (skip pending releases)
- Auto-merge patch devDeps and @types/*
- Major bumps require manual review
- diff 5.x → 8.0.3 (LOW, multiple CVEs in v3.5.1 advisory range)
- Add .github/workflows/cve-lite.yml: weekly OSV scan, fail-on high,
  SARIF upload to Code Scanning, HTML report artifact
basic-ftp 5.2.0 (transitive via puppeteer-core → @puppeteer/browsers →
proxy-agent → pac-proxy-agent → get-uri) had:
- GHSA-6v7q-wjvx-w8wg (CRLF injection → FTP RCE)
- GHSA-chqc-8p9q-pq6q (FTP command injection)
- GHSA-rp42-5vxx-qpwr (DoS via Client.list unbounded memory)
- GHSA-rpmf-866q-6p89 (DoS via multiline response)

Forced via bun overrides since the chain is owned by puppeteer-core.
- ip-address 10.1.0 → 10.1.1 (GHSA-v2v4-37r5-5v8g, medium)
- ws 8.20.0 → 8.20.1 (GHSA-58qx-3vcg-4xpx, medium)

Both transitive (puppeteer-core chain). After all overrides:
cve-lite: No known vulnerabilities found.
@trunk-io

trunk-io Bot commented Jun 14, 2026


Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

@giattijunior giattijunior force-pushed the ci/sha-pin-checkout-all-workflows branch from 0d22754 to 629c300 on June 14, 2026 20:35
All 7 workflows in this branch were failing with startup_failure
because actions/checkout@v4 (tag-based) is rejected by the repo's
sha_pinning_required: true policy combined with the custom
allowed_actions allowlist (patterns_allowed: []).

Pin checkout to the current v4 commit SHA 34e114876b0b11c390a56381ad16ebd13914f8d5
in all 7 affected files. Affected workflows:
- actionlint.yml (Workflow Lint)
- ci-image.yml (Build CI Image)
- cve-lite.yml
- evals-periodic.yml (Periodic Evals)
- evals.yml (E2E Evals)
- renovate.yml
- skill-docs.yml (Skill Docs Freshness)

The 8th workflow (skillspector.yml) is untracked in this branch and
not modified here.

Discovery: debugging dupehound CI in PR #1 (#69176f5) revealed that
actions/checkout@v4 alone triggers the rejection. Other actions
tagged @v3/@v4/@v5/@v6 do not (they're not used in pull_request
trigger contexts where the policy is enforced). Future bumps of the
SHA needed as upstream v4 releases.

Refs: #1
@giattijunior giattijunior force-pushed the ci/sha-pin-checkout-all-workflows branch from 629c300 to 86d3887 on June 14, 2026 20:35
@giattijunior giattijunior changed the title ci: pin actions to SHA in 7 broken workflows ci: pin actions to SHA in 8 broken workflows Jun 14, 2026