
Conversation

@lsulak
Collaborator

@lsulak lsulak commented Dec 22, 2025

Closes: #151

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflows to pin third-party actions to specific commits for more reproducible runs.
    • Standardized checkout behavior by adjusting credential handling and fetch depth.
    • Added explicit runtime settings (e.g., Java version) where required to ensure consistent build and release steps.


@lsulak lsulak self-assigned this Dec 22, 2025
@lsulak lsulak added the no RN No release notes required label Dec 22, 2025
@coderabbitai

coderabbitai bot commented Dec 22, 2025

Walkthrough

Pinned GitHub Actions used in multiple workflows to specific commit SHAs; added explicit persist-credentials: false for checkout in some workflows and a java-version entry in release.yml. Workflow steps and control flow remain unchanged.

Changes

Cohort / File(s) Change Summary
GitHub Actions workflow pinning
​.github/workflows/build.yml, ​.github/workflows/dependent_items.yml, ​.github/workflows/jacoco_report.yml, ​.github/workflows/license_check.yml, ​.github/workflows/release.yml, ​.github/workflows/test_filenames_check.yml
Replaced action version tags (e.g., v2, v10, v13, v14, v0.1.0, v1.5.2) with specific commit SHAs for actions such as actions/checkout, olafurpg/setup-scala, AbsaOSS/filename-inspector, dependent-issues, jacoco-report, and github-script. Added with: persist-credentials: false for checkout in several workflows and added java-version in release.yml. No other control-flow or behavior changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Repetitive, uniform edits (version tag → commit SHA) across workflow files.
  • Verify commit SHAs correspond to intended action revisions and that persist-credentials: false and the added java-version are acceptable for CI steps.
  • Check release workflow fetch-depth: 0 and java-version: "adopt@1.8" additions for release environment expectations.

Poem

🐰 I hopped through YAML, tidy and spry,
Pinning SHAs beneath the CI sky.
No drifting tags to scare the night,
Just steady commits — secure and right.
Hop, code, hop! 🎩🔐

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change—pinning GitHub Actions to commit SHAs to address Aquasec security findings, which directly matches the objective in issue #151.
Linked Issues check ✅ Passed The PR successfully implements the core requirement from issue #151 by replacing GitHub Actions version tags with immutable SHA references across all workflow files for improved supply-chain security.
Out of Scope Changes check ✅ Passed All changes are in-scope: workflow updates consistently pin actions to SHA references as required, with minimal additional changes (persist-credentials flags and step renames) that directly support the security objective.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions

github-actions bot commented Dec 22, 2025

JaCoCo core module code coverage report - scala 2.13.11

Overall Project 59.84% 🍏

There is no coverage information present for the Files changed

@github-actions

github-actions bot commented Dec 22, 2025

JaCoCo doobie module code coverage report - scala 2.13.11

Overall Project 70.17% 🍏

There is no coverage information present for the Files changed

@github-actions

github-actions bot commented Dec 22, 2025

JaCoCo slick module code coverage report - scala 2.13.11

Overall Project 91.42% 🍏

There is no coverage information present for the Files changed


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 93d1619 and 19dc598.

📒 Files selected for processing (6)
  • .github/workflows/build.yml
  • .github/workflows/dependent_items.yml
  • .github/workflows/jacoco_report.yml
  • .github/workflows/license_check.yml
  • .github/workflows/release.yml
  • .github/workflows/test_filenames_check.yml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-09T11:30:33.202Z
Learnt from: benedeki
Repo: AbsaOSS/fa-db PR: 140
File: project/plugins.sbt:18-18
Timestamp: 2025-09-09T11:30:33.202Z
Learning: The fa-db repository at AbsaOSS/fa-db has an existing GitHub Actions workflow (.github/workflows/release.yml) that uses sbt ci-release with all required secrets (PGP_PASSPHRASE, PGP_SECRET, SONATYPE_PASSWORD, SONATYPE_USERNAME) properly configured for Maven Central publishing.

Applied to files:

  • .github/workflows/license_check.yml
  • .github/workflows/release.yml
  • .github/workflows/build.yml
  • .github/workflows/jacoco_report.yml
  • .github/workflows/test_filenames_check.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: Build, Test and Doc (2.12.17)
  • GitHub Check: Build, Test and Doc (2.13.12)
  • GitHub Check: Build, Test and Doc (2.13.12)
  • GitHub Check: Build, Test and Doc (2.12.17)
  • GitHub Check: Build, Test and Measure
  • GitHub Check: Build, Test and Doc (2.12.17)
  • GitHub Check: Build, Test and Doc (2.13.12)
🔇 Additional comments (6)
.github/workflows/license_check.yml (1)

32-34: LGTM! Consistent SHA pinning across workflows.

The commit SHAs match those used in build.yml, ensuring consistent action versions across the CI/CD pipeline.

.github/workflows/release.yml (1)

25-33: Security pinning applied with beneficial standardization.

Actions are pinned to commit SHAs, and the addition of java-version: "adopt@1.8" standardizes the Java version across workflows (already present in build.yml and jacoco_report.yml). This ensures consistent build environments.

.github/workflows/jacoco_report.yml (2)

52-55: Consistent security pinning applied.

Actions pinned to the same commit SHAs used across other workflows, ensuring version consistency.


115-115: GitHub Script action pinned consistently to v8.0.0.

All three github-script steps use the same commit SHA (ed597411d8f924073f98dfc5c65a23a2325f34cd), which corresponds to v8.0.0, the latest stable release.

.github/workflows/test_filenames_check.yml (1)

30-34: Verify AbsaOSS/filename-inspector SHA mapping to v0.1.0 release.

The action is pinned to commit SHA 355108975e656fac9faaa04209b6df3f9997c8fa. Confirm this commit corresponds to the v0.1.0 release tag.

.github/workflows/build.yml (1)

48-50: Excellent security improvement: Actions pinned to immutable commit SHAs.

This change aligns with supply-chain security best practices by replacing mutable version tags with immutable commit references.

Note: The olafurpg/setup-scala commit SHA correctly corresponds to v14, but the actions/checkout commit SHA (8e8c483db84b4bee98b60c0593521ed34d9990e8) corresponds to version 6.0.1, not v2.

Likely an incorrect or invalid review comment.

runs-on: ubuntu-latest
steps:
- uses: z0al/dependent-issues@v1.5.2
- uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43
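Review bot: the new `uses: z0al/dependent-issues@950226e7ca8fc43dc209a7febf67c655af3bdb43` line drops the human-readable version that the replaced `@v1.5.2` carried, so nothing on the line records which release the SHA is meant to be; append `# v1.5.2` after the SHA so reviewers and update tooling can map the pin back to a tag without checking out the action repository.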

⚠️ Potential issue | 🔴 Critical

⚠️ Using deprecated action from archived repository.

The z0al/dependent-issues action is from a repository archived by the owner on Sep 26, 2023. While pinning to a commit SHA is a security best practice, using an action from an archived repository introduces maintenance and security risks since it is now read-only. Consider migrating to an actively maintained alternative for issue dependency management.

🤖 Prompt for AI Agents
.github/workflows/dependent_items.yml around lines 31-31: the workflow uses the
archived z0al/dependent-issues action; replace it with an actively maintained
alternative (either a maintained fork of dependent-issues or a different
marketplace action that provides the same issue-dependency functionality), pin
that replacement to a release tag or commit SHA, update any inputs/outputs in
the workflow to match the new action's interface, remove the archived action
reference, and run the workflow locally or in a test branch to verify behavior.

if: steps.jacocorun.outcome == 'success'
id: jacoco-core
uses: madrapps/jacoco-report@v1.6.1
uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
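Review bot: the replaced line pinned `madrapps/jacoco-report@v1.6.1`, while the review text for this hunk suggests annotating the new SHA as `# v1.7.2`, so this hunk is a version bump as well as a tag-to-SHA swap rather than the pure pinning the PR summary describes; confirm the bump is intended and that the report output is unchanged, then add the trailing `# v1.7.2` (or whichever tag the SHA actually resolves to) so the line documents it.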

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cd .github/workflows && cat jacoco_report.yml | head -100

Repository: AbsaOSS/fa-db

Length of output: 3585


🏁 Script executed:

sed -n '60,105p' .github/workflows/jacoco_report.yml

Repository: AbsaOSS/fa-db

Length of output: 2157


JaCoCo report action pinned to commit SHA.

All three jacoco-report steps consistently use the same commit SHA (50d3aff4548aa991e6753342d9ba291084e63848). Pinning to a specific commit SHA ensures the exact, immutable version of the action's code is used, with a commit SHA uniquely identifying a specific state of the repository. Add a comment indicating which version the SHA corresponds to (e.g., # v1.7.2) for improved clarity and maintainability.

🤖 Prompt for AI Agents
.github/workflows/jacoco_report.yml around line 70: the jacoco-report action is
pinned to a commit SHA (50d3aff4548aa991e6753342d9ba291084e63848) but lacks a
comment indicating the corresponding action version; add a brief inline comment
on the same line (or immediately above) specifying which released tag/version
that SHA maps to (for example “# v1.7.2”), and do the same for the other two
jacoco-report steps so each pinned SHA is annotated with its human-readable
version.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/license_check.yml (1)

32-34: SHA is verified; security improvements are correct.

The pinning of actions/checkout to SHA 8e8c483db84b4bee98b60c0593521ed34d9990e8 (v6.0.1) and the addition of persist-credentials: false are both proper security practices. SHA pinning prevents tag-moving attacks, and disabling credential persistence prevents accidental credential leakage in subsequent workflow steps.

Consider adding a version comment above line 32 for maintainability:

# actions/checkout@v6.0.1
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 19dc598 and c868101.

📒 Files selected for processing (5)
  • .github/workflows/build.yml
  • .github/workflows/jacoco_report.yml
  • .github/workflows/license_check.yml
  • .github/workflows/release.yml
  • .github/workflows/test_filenames_check.yml
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/workflows/jacoco_report.yml
  • .github/workflows/test_filenames_check.yml
  • .github/workflows/release.yml
  • .github/workflows/build.yml
🧰 Additional context used
🧠 Learnings (2)
📚 Learning: 2025-09-09T11:30:33.202Z
Learnt from: benedeki
Repo: AbsaOSS/fa-db PR: 140
File: project/plugins.sbt:18-18
Timestamp: 2025-09-09T11:30:33.202Z
Learning: The fa-db repository at AbsaOSS/fa-db has an existing GitHub Actions workflow (.github/workflows/release.yml) that uses sbt ci-release with all required secrets (PGP_PASSPHRASE, PGP_SECRET, SONATYPE_PASSWORD, SONATYPE_USERNAME) properly configured for Maven Central publishing.

Applied to files:

  • .github/workflows/license_check.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build, Test and Doc (2.12.17)
  • GitHub Check: Build, Test and Measure
  • GitHub Check: Build, Test and Doc (2.13.12)
🔇 Additional comments (1)
.github/workflows/license_check.yml (1)

37-37: Use caution with unmaintained action; SHA pinning is correct but consider alternatives.

Pinning olafurpg/setup-scala to a commit SHA is a sound security practice. However, this project is no longer maintained, which means the pinned version will not receive future security updates. Consider evaluating maintained alternatives such as japgolly/setup-everything-scala, coursier/setup-action, or the official actions/setup-java which supports sbt projects.
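The three points raised across both reviews (pin to a 40-hex commit SHA, keep a version comment next to the SHA, set persist-credentials: false on actions/checkout) and the walkthrough's "verify commit SHAs correspond to intended action revisions" can all be checked mechanically. The script below is an added example for this review; it is not code from the fa-db repository or from this PR. It scans workflow text line by line instead of parsing YAML (an assumption, adequate for the step layouts GitHub Actions uses), and it resolves a tag to its commit from `git ls-remote --tags` output, taking care of the annotated-tag case where the listing shows both a tag object and the peeled `^{}` commit: pinning the tag-object SHA would not work in a `uses:` line. The sample workflow and the sample ls-remote output are constructed; the SHAs in the workflow sample are the ones from this PR, the tag-to-SHA mapping in the ls-remote sample is invented.

```python
# Added example, not fa-db or PR code. Assumptions: workflows are scanned line by
# line (no YAML parser); SAMPLE_WORKFLOW and SAMPLE_LS_REMOTE are constructed, and
# the tag-to-SHA mapping in SAMPLE_LS_REMOTE is invented.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# `uses: owner/repo@ref  # optional version comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\b")

MUTABLE_REF = "mutable tag or branch ref"
NO_REF = "no ref (floats to the default branch)"
NO_VERSION_COMMENT = "SHA pin without version comment"
CREDS_PERSISTED = "actions/checkout without persist-credentials: false"


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def _step_body(lines: list[str], idx: int) -> list[str]:
    """Lines that belong to the step whose `uses:` key is at lines[idx]."""
    uses_line = lines[idx]
    base = len(uses_line) - len(uses_line.lstrip(" "))
    if uses_line.lstrip(" ").startswith("- "):
        base += 2  # sibling keys such as `with:` align with `uses`, not with `-`
    body = []
    for line in lines[idx + 1:]:
        if not line.strip():
            continue
        if len(line) - len(line.lstrip(" ")) < base:
            break  # next step, next job, or end of the steps list
        body.append(line)
    return body


def lint_workflow(text: str) -> list[Finding]:
    """Flag unpinned actions, unannotated SHA pins and credential-persisting checkouts."""
    lines = text.splitlines()
    findings: list[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith(("./", "docker://")):
            continue  # local composite actions and images: different controls apply
        action, _, ref = target.partition("@")
        n = idx + 1
        if not ref:
            findings.append(Finding(n, action, ref, NO_REF))
        elif not SHA_RE.match(ref):
            findings.append(Finding(n, action, ref, MUTABLE_REF))
        elif comment is None:
            findings.append(Finding(n, action, ref, NO_VERSION_COMMENT))
        if action == "actions/checkout" and not any(
            PERSIST_OFF_RE.match(row) for row in _step_body(lines, idx)
        ):
            findings.append(Finding(n, action, ref, CREDS_PERSISTED))
    return findings


def peeled_sha_for_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Commit SHA for `tag` from `git ls-remote --tags <repo>` output.

    An annotated tag is listed twice: `refs/tags/<tag>` is the tag object and
    `refs/tags/<tag>^{}` is the commit it points at; a `uses:` pin must be the
    commit. A lightweight tag has only the plain entry, which is the commit.
    """
    plain = peeled = None
    for row in ls_remote_output.splitlines():
        parts = row.split()
        if len(parts) != 2:
            continue
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain


def pin_matches_tag(ls_remote_output: str, tag: str, pinned_sha: str) -> bool:
    """True when the pinned SHA is the commit the tag resolves to."""
    return peeled_sha_for_tag(ls_remote_output, tag) == pinned_sha


# Constructed sample workflow; the SHAs are the ones from this PR, the layout is made up.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Checkout, pinned and credential-free
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
      - uses: ./.github/actions/local
"""

# Constructed `git ls-remote --tags` output; these SHAs are invented.
SAMPLE_LS_REMOTE = f"""\
{'1' * 40}\trefs/tags/v1.5.2
{'2' * 40}\trefs/tags/v1.5.2^{{}}
{'3' * 40}\trefs/tags/v1.5.1
"""
```

Run on the sample, the lint reports line 5 twice (mutable `@v2` and a checkout that leaves the token in `.git/config`) and line 10 once (SHA pinned but unannotated), while the pinned checkout on line 7 passes. For the resolver, `peeled_sha_for_tag(SAMPLE_LS_REMOTE, "v1.5.2")` returns the `^{}` commit rather than the tag object, which is the value that belongs on the `uses:` line.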

@lsulak lsulak requested a review from tmikula-dev December 22, 2025 16:42

Development

Successfully merging this pull request may close these issues.

Aquasec Security Fixes: Replace Tags with SHA for CICD Actions

2 participants