CI: Pin GitHub Actions and fix zizmor high-severity findings (#667)

## Description

This PR fixes zizmor --min-severity high findings in our GitHub Actions
workflows by:
- Pinning all uses: references to immutable commit SHAs (replaces
floating tags like @v6 / @main).
- Pinning internal Terraform setup action usage
(coder/coder/.github/actions/setup-tf@main) to a fixed ref/commit.
- Pinning crate-ci/typos to a commit SHA.
- Removing GitHub expression template expansion inside a run: block in
version-bump.yaml (prevents template injection flagged by zizmor).


## Type of Change

- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [x] Other

## Module Information

N/A

## Template Information

N/A

## Testing & Validation

- [ ] Tests pass (`bun test`)
- [ ] Code formatted (`bun fmt`)
- [x] Changes tested locally - zizmor .github/workflows/* --min-severity
high

## Related Issues

- coder/registry#642
- https://github.com/coder/registry/pull/662
This commit is contained in:
Lukasz 2026-01-21 11:42:10 +01:00 committed by GitHub
parent d21f55a322
commit ec57cb5c0f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 26 additions and 24 deletions


@ -11,7 +11,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v6 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- name: Run check.sh - name: Run check.sh
run: | run: |


@ -12,9 +12,9 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v6 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- name: Detect changed files - name: Detect changed files
uses: dorny/paths-filter@v3 uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
id: filter id: filter
with: with:
list-files: shell list-files: shell
@ -37,9 +37,9 @@ jobs:
all: all:
- '**' - '**'
- name: Set up Terraform - name: Set up Terraform
uses: coder/coder/.github/actions/setup-tf@main uses: coder/coder/.github/actions/setup-tf@59cdd7e21f4d7da12567c0c29964d298fbf38f27 # v2.29.1
- name: Set up Bun - name: Set up Bun
uses: oven-sh/setup-bun@v2 uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2
with: with:
# We're using the latest version of Bun for now, but it might be worth # We're using the latest version of Bun for now, but it might be worth
# reconsidering. They've pushed breaking changes in patch releases # reconsidering. They've pushed breaking changes in patch releases
@ -80,20 +80,20 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v6 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- name: Install Bun - name: Install Bun
uses: oven-sh/setup-bun@v2 uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2
with: with:
bun-version: latest bun-version: latest
# Need Terraform for its formatter # Need Terraform for its formatter
- name: Install Terraform - name: Install Terraform
uses: coder/coder/.github/actions/setup-tf@main uses: coder/coder/.github/actions/setup-tf@59cdd7e21f4d7da12567c0c29964d298fbf38f27 # v2.29.1
- name: Install dependencies - name: Install dependencies
run: bun install run: bun install
- name: Validate formatting - name: Validate formatting
run: bun fmt:ci run: bun fmt:ci
- name: Check for typos - name: Check for typos
uses: crate-ci/typos@v1.42.0 uses: crate-ci/typos@bb4666ad77b539a6b4ce4eda7ebb6de553704021 # v1.42.0
with: with:
config: .github/typos.toml config: .github/typos.toml
validate-readme-files: validate-readme-files:
@ -104,9 +104,9 @@ jobs:
needs: validate-style needs: validate-style
steps: steps:
- name: Check out code - name: Check out code
uses: actions/checkout@v6 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v6 uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
with: with:
go-version: "1.24.0" go-version: "1.24.0"
- name: Validate contributors - name: Validate contributors
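Review bot: The version comments on the new pins in this file — `dorny/paths-filter@… # v3`, `oven-sh/setup-bun@… # v2`, `actions/setup-go@… # v6` — name only a major tag, so a reader cannot confirm that the SHA corresponds to a published release without resolving it by hand; the same applies to `golangci-lint-action@… # v9` in the lint workflow. Annotating each pin with the exact release tag the SHA resolves to (for example `# v3.<exact-patch-version>` with the real version filled in), as is already done for `actions/checkout` and `setup-tf`, makes the pin reviewable and keeps the comment in step with tooling that refreshes SHA-pinned actions. Separately, `bun-version: latest` on the setup-bun steps still floats the toolchain even though the action itself is now pinned; the comment above it already notes breaking changes in patch releases, so pinning it (or stating why it is intentionally left floating) would be consistent with the intent of this change.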


@ -28,7 +28,7 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v6 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- name: Authenticate with Google Cloud - name: Authenticate with Google Cloud
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093
with: with:


@ -14,11 +14,11 @@ jobs:
name: lint name: lint
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
- uses: actions/setup-go@v6 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
with: with:
go-version: stable go-version: stable
- name: golangci-lint - name: golangci-lint
uses: golangci/golangci-lint-action@v9 uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9
with: with:
version: v2.1 version: v2.1


@ -14,7 +14,7 @@ jobs:
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v6 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false persist-credentials: false


@ -20,26 +20,28 @@ jobs:
issues: write issues: write
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v6 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Bun - name: Set up Bun
uses: oven-sh/setup-bun@v2 uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2
with: with:
bun-version: latest bun-version: latest
- name: Set up Terraform - name: Set up Terraform
uses: coder/coder/.github/actions/setup-tf@main uses: coder/coder/.github/actions/setup-tf@59cdd7e21f4d7da12567c0c29964d298fbf38f27 # v2.29.1
- name: Install dependencies - name: Install dependencies
run: bun install run: bun install
- name: Extract bump type from label - name: Extract bump type from label
env:
LABEL_NAME: ${{ github.event.label.name }}
id: bump-type id: bump-type
run: | run: |
case "${{ github.event.label.name }}" in case "$LABEL_NAME" in in
"version:patch") "version:patch")
echo "type=patch" >> $GITHUB_OUTPUT echo "type=patch" >> $GITHUB_OUTPUT
;; ;;
@ -50,7 +52,7 @@ jobs:
echo "type=major" >> $GITHUB_OUTPUT echo "type=major" >> $GITHUB_OUTPUT
;; ;;
*) *)
echo "Invalid version label: ${{ github.event.label.name }}" echo "Invalid version label: ${LABEL_NAME}"
exit 1 exit 1
;; ;;
esac esac
@ -60,7 +62,7 @@ jobs:
- name: Comment on PR - Version bump required - name: Comment on PR - Version bump required
if: failure() if: failure()
uses: actions/github-script@v8 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with: with:
github-token: ${{ secrets.GITHUB_TOKEN }} github-token: ${{ secrets.GITHUB_TOKEN }}
script: | script: |