fix(security): pin GitHub Actions to SHA digests #1911
Summary of Changes (Gemini Code Assist)

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the repository's supply chain security by pinning GitHub Actions to immutable SHA digests, thereby protecting against potential compromises of mutable tags. It also improves automation by configuring Renovate to manage updates for GitHub Actions workflows, ensuring continuous security and maintenance without manual intervention.
Code Review
This pull request aims to improve security by pinning GitHub Actions to SHA digests and enabling Renovate to manage their versions. The change in renovate.json correctly adds the .github/** path to includePaths, allowing Renovate to scan and update workflow files. This change is a good practice for maintaining CI/CD dependencies and enhances the security posture of the repository. The implementation is correct, and I have no further feedback.
Pin trivy-action to v0.35.0 SHA (CVE-2026-26189), and pin docker/setup-qemu-action and docker/setup-buildx-action to SHA digests (previously referenced mutable `master` branch).

Also add .github/** to renovate includePaths so the shared community-tooling config (which includes helpers:pinGitHubActionDigests) can manage workflow action updates going forward.

Signed-off-by: Todd Baert <todd.baert@dynatrace.com>
Force-pushed f62a296 to ede0469.
Pin release-please-action, setup-qemu-action, and setup-buildx-action to commit SHA digests. These were missed in #1911.

Signed-off-by: Todd Baert <todd.baert@dynatrace.com>
…1912)

## Summary

Follow-up to #1911. Pins the remaining unpinned actions in `release-please.yaml` to commit SHA digests.

## Changes

| Action | Before | After |
|---|---|---|
| `google-github-actions/release-please-action` | `@v3` | `@db8f2c6...` (v3) |
| `docker/setup-qemu-action` | `@master` | `@c7c5346...` (v3) |
| `docker/setup-buildx-action` | `@master` | `@8d2750c...` (v3) |

These were the last unpinned actions in the repo. With the `renovate.json` change from #1911 (adding `.github/**` to `includePaths`), Renovate will now keep all workflow action SHAs up to date automatically.

Signed-off-by: Todd Baert <todd.baert@dynatrace.com>
## Summary

- `aquasecurity/trivy-action` from mutable tag `@0.28.0` to SHA-pinned `v0.35.0` (`57a97c7`), in response to CVE-2026-26189 / the Trivy supply chain incident on March 19, 2026
- `docker/setup-qemu-action` and `docker/setup-buildx-action` from `@master` (!) to SHA-pinned `v3` tags in both `build.yaml` and `release-please.yaml`
- `google-github-actions/release-please-action` from `@v3` to SHA-pinned `v3`
- `.github/**` to renovate `includePaths` so the shared `open-feature/community-tooling` config (which already includes `helpers:pinGitHubActionDigests`) can manage workflow action updates going forward

## Context

On March 19, 2026 an attacker force-pushed 75 existing tags in `aquasecurity/trivy-action` to malicious commits that exfiltrated CI/CD secrets. Any workflow referencing trivy-action by a mutable tag (rather than a commit SHA) was potentially vulnerable. See Upwind's incident breakdown for details.

## Impact assessment

This repo was not impacted. We verified via the GitHub Actions API that no runs of the `build` workflow occurred during the attack window (March 19, 17:00-23:13 UTC). The last origin run completed at 08:35 UTC, well before the compromise began.

Additionally, sensitive secrets (signing keys, publishing tokens, etc.) are only available in protected environments scoped to specific branches (e.g., `main`), so even if a PR branch run had been compromised, those secrets would not have been exposed.

However, the use of mutable tags left the repo vulnerable to this class of attack, and `docker/setup-qemu-action@master` and `docker/setup-buildx-action@master` were pinned to the `master` branch, which carries the same risk.

## Changes

- `.github/workflows/build.yaml`: `trivy-action` to `v0.35.0` SHA; pin `setup-qemu-action` and `setup-buildx-action` to `v3` SHAs
- `.github/workflows/release-please.yaml`: `release-please-action` to `v3` SHA; pin `setup-qemu-action` and `setup-buildx-action` to `v3` SHAs
- `renovate.json`: add `.github/**` to `includePaths` so Renovate manages action version updates
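The property this PR establishes, that every `uses:` reference in a workflow resolves to an immutable commit SHA rather than a tag or branch, is easy to regress the next time someone pastes a `@v4` from an action's README. The script below is an added example, not part of this PR or of the project's code: it scans workflow text for `uses:` values and reports any that are still mutable (a tag such as `@0.28.0`, a branch such as `@master`, or an abbreviated SHA), while accepting full 40-hex commit SHAs, `docker://` images pinned by `sha256:` digest, and local `./` actions. The sample workflows and the 40-hex SHAs in them are constructed placeholders modelled on the before/after states described above, not the real commits of those actions.

```python
"""Audit GitHub Actions workflow text for `uses:` references that are not
pinned to an immutable commit SHA (e.g. tags such as `@0.28.0` or branches
such as `@master`, the two cases the PR replaces)."""
import re

# One `uses:` value per step. Tolerates optional quoting and a trailing
# `# vX.Y.Z` comment, which is the form Renovate's pinGitHubActionDigests
# preset writes next to a pinned digest.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify_ref(uses: str) -> str:
    """Classify a single `uses:` value.

    'local'   -> ./path inside the repository, nothing to pin
    'sha'     -> owner/repo[/path]@<full 40-hex commit SHA>
    'digest'  -> docker://image@sha256:<64-hex digest>
    'mutable' -> anything else: a tag, a branch, an abbreviated SHA, or a
                 bare reference; all of these can be moved after the fact.
    """
    if uses.startswith("./"):
        return "local"
    if "@" not in uses:
        return "mutable"
    target, ref = uses.rsplit("@", 1)
    if target.startswith("docker://"):
        return "digest" if IMAGE_DIGEST_RE.fullmatch(ref) else "mutable"
    return "sha" if FULL_SHA_RE.fullmatch(ref) else "mutable"


def find_unpinned(workflow_yaml: str) -> list[str]:
    """Return every `uses:` value in the workflow that is still mutable."""
    return [u for u in USES_RE.findall(workflow_yaml) if classify_ref(u) == "mutable"]


# Constructed sample workflows modelled on the before/after states the PR
# describes. The 40-hex SHAs are placeholders, not the real commits of those
# actions; a real pin is copied from the commit the release tag points at.
BEFORE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: docker/setup-qemu-action@master
      - uses: ./.github/actions/local-helper
"""

AFTER = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: aquasecurity/trivy-action@89abcdef0123456789abcdef0123456789abcdef # v0.35.0
      - uses: docker/setup-qemu-action@fedcba9876543210fedcba9876543210fedcba98 # v3
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        unpinned = find_unpinned(text)
        print(f"{label}: {len(unpinned)} mutable reference(s)")
        for ref in unpinned:
            print(f"  {ref}")
```

Run over `.github/workflows/*.yaml` as a CI step or pre-commit hook, a non-empty result is a failure. The trailing `# vX.Y.Z` comment is kept readable on purpose: it is what `helpers:pinGitHubActionDigests` uses to know which tag a digest corresponds to when proposing an update. Two caveats a reviewer should keep in mind: a SHA pin only protects against the tag or branch being retargeted, as happened to trivy-action; it does not vet the pinned commit itself, and it does not reach actions that a pinned composite action pulls in by mutable reference internally.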