openssf: Move openssf-scorecard.yml into .github/workflows #54
Summary of Changes
Hello @henrywang, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request resolves an issue where the OpenSSF Scorecard analysis workflow was not executing due to an incorrect file path. By relocating the
Code Review
This pull request removes the openssf-scorecard.yml workflow from the common directory. Based on the PR description and the linked failed action, the intent appears to be to stop centrally syncing this workflow, likely to resolve an issue where it was being incorrectly used as a reusable workflow. If this understanding is correct, the change is appropriate, but I suggest updating the PR title and description for clarity (e.g., "chore: Remove openssf-scorecard.yml from common sync").
My review of the deleted file's content found a critical error and a high-severity security issue that should be addressed if this workflow's logic is reused:
- A critical issue with an invalid action version (github/codeql-action/upload-sarif@v4) that would cause the workflow to fail.
- A high-severity security risk, as actions are not pinned to specific commit SHAs, which is a best practice to prevent supply chain attacks.
I am having trouble creating individual review comments.
common/.github/workflows/openssf-scorecard.yml (47)
This step uses github/codeql-action/upload-sarif@v4, which is an invalid action reference. The latest major version for this action is v3. This will cause the workflow to fail.
Please use a valid version, for example v3. For improved security, it's also recommended to pin to a specific commit SHA.
uses: github/codeql-action/upload-sarif@v3
common/.github/workflows/openssf-scorecard.yml (22-28)
As a security best practice, all GitHub Actions should be pinned to their full-length commit SHA. Using floating tags like @v4 or version tags like @v2.4.3 exposes the CI/CD pipeline to supply chain attacks if a tag is compromised. The OpenSSF Scorecard tool itself flags this under the Pinned-Dependencies check.
While the file is being deleted, if this content is reused, I strongly recommend updating all uses clauses to pin to a commit SHA.
For example:
actions/checkout@v4 could become uses: actions/checkout@b4ffde65f46336ab11d5ea332401c1091c9f41d3 # v4.1.7
ossf/scorecard-action@v2.4.3 could become uses: ossf/scorecard-action@f505504259693f404d3589a6944ace132344c93c # v2.4.3
Workflow link does not work, use file instead
See: https://github.com/bootc-dev/infra/actions/runs/19864862091
Signed-off-by: Xiaofeng Wang <[email protected]>
/gemini review
Code Review
This pull request removes the openssf-scorecard.yml workflow from the common/ directory. Based on the description, this is intended to fix a failing workflow. The change is straightforward, but the PR title 'Move openssf-scorecard.yml into .github/workflows' is a bit misleading since the file is being deleted, not moved. A title like 'Remove openssf-scorecard.yml from common files' might be clearer. I have added one comment on the deleted file regarding a security best practice for GitHub Actions which may be useful if you reuse this workflow's logic elsewhere.
| @@ -1,50 +0,0 @@ | |||
| # Upstream https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml | |||
| # Tweaked to not pin actions by SHA digest as I think that's overkill noisy security theater. | |||
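Review bot: the second header line records a deliberate decision not to pin actions by SHA digest, and if this file is recreated under .github/workflows as the PR title says, that choice moves with it; the Scorecard run the workflow performs will then report the workflow's own `uses:` lines under the Pinned-Dependencies check mentioned in this thread. Suggest pinning each action to a full commit SHA with a trailing `# vX.Y.Z` comment (Dependabot can keep those pins current, as noted above) or, at minimum, rewording the comment to state the accepted risk rather than dismissing it.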
While this file is being removed, it's worth discussing the comment about not pinning actions by SHA digest. Pinning to a full-length commit SHA is a security best practice strongly recommended by the OpenSSF to prevent supply chain attacks. A git tag like v4 can be moved to point to a malicious commit, which would compromise your build. The OpenSSF Scorecard tool itself has a Pinned-Dependencies check that fails if dependencies are not pinned by hash. While managing SHAs can add some overhead, it significantly improves security and can be automated with tools like Dependabot.
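The pinning rule discussed in this comment and in the earlier review, as an added example that is not part of the PR or the project's code: a small Python audit that classifies every `uses:` reference in a workflow file the way the reviews describe (a full 40-hex commit SHA counts as pinned; tags, branches or a missing ref do not) and also reports pinned SHAs that lack the trailing version comment that keeps a pin readable. The sample workflow is constructed from the `uses:` lines quoted in the review; the placeholder SHA and the local action path are assumptions.

```python
from __future__ import annotations

import re

# One `uses:` step line: optional list dash and quotes, then an optional trailing `# ...` comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<target>[^\s"\']+)["\']?\s*(?P<comment>#.*)?$')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(target: str, comment: str | None) -> str:
    """Status of one `uses:` target: pinned, pinned-no-version-comment, unpinned or local."""
    if target.startswith("./"):
        return "local"  # action from the same repository: nothing external to pin
    if target.startswith("docker://"):
        # Container actions are pinned by image digest, not by git SHA.
        return "pinned" if "@sha256:" in target else "unpinned"
    ref = target.rpartition("@")[2] if "@" in target else ""  # no ref -> default branch
    if FULL_SHA_RE.match(ref):
        # Immutable commit; the trailing `# vX.Y.Z` comment keeps the pin readable.
        return "pinned" if comment else "pinned-no-version-comment"
    return "unpinned"  # tag or branch: mutable, can be re-pointed to another commit


def audit_uses(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, target, status) for every `uses:` step in a workflow file."""
    findings = []
    for n, raw in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if m:
            findings.append((n, m.group("target"), classify(m.group("target"), m.group("comment"))))
    return findings


# Constructed sample built from the `uses:` lines quoted in the review, not the deleted file itself;
# the 0123... SHA is an obvious placeholder, the b4ffde... SHA is the one the review suggests.
SAMPLE_WORKFLOW = """\
jobs:
  analysis:
    steps:
      - uses: actions/checkout@v4
      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.3
      - uses: github/codeql-action/upload-sarif@v3
      - uses: actions/checkout@b4ffde65f46336ab11d5ea332401c1091c9f41d3 # v4.1.7
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for line, target, status in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line:2d}  {status:26s} {target}")
```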
The goal of having this in common/ is to actually sync it across repos though. But yes, GH apparently not following symlinks for actions means it doesn't work here unless we: