
security: pin dependencies and restrict token permissions#90

Open

djach7 wants to merge 1 commit into containers:main from djach7:openssf-evaluation

Conversation


@djach7 djach7 commented May 1, 2026

Pin all GitHub Actions to commit SHAs and container images to digests
to prevent supply chain attacks. Add explicit permissions blocks to
workflows following principle of least privilege.

Changes:

  • Pin actions/checkout, actions/setup-go, codecov/codecov-action, actions/create-github-app-token, cycjimmy/semantic-release-action, goreleaser/goreleaser-action, and github/codeql-action to commit SHAs
  • Pin quay.io/fedora/fedora container image to sha256 digest
  • Add workflow-level "contents: read" permission to ci.yml and security.yml
  • Add job-level "contents: write" permission to version-release job

These changes address OpenSSF Scorecard findings:

  • Pinned-Dependencies: 0/10 -> 10/10
  • Token-Permissions: 0/10 -> 10/10
  • Expected overall score improvement: 6.8/10 -> ~8.0/10

Related: THEEDGE-4717

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
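As an added example (not part of this PR or the project's code), a small Python audit that mirrors the two Scorecard checks the description targets: it flags `uses:` references not pinned to a 40-hex commit SHA, `image:` references without a sha256 digest, and the absence of a workflow-level `permissions:` block. The two workflow fragments are constructed; only the codeql-action SHA and the fedora digest come from this PR, and the actions/checkout SHA is a placeholder.

```python
import re

# Constructed workflow fragments (not the project's own files): one job before
# and after pinning refs and adding a workflow-level permissions block.
WEAK_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: quay.io/fedora/fedora:latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v4
"""
PINNED_WORKFLOW = """\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: quay.io/fedora/fedora@sha256:3de521d4e5fdfd9a368063f0d628dff2a0162f5d1cede0ceeefcd4465dd43a40 # latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)")
SHA_REF = re.compile(r"@[0-9a-f]{40}$")            # full commit SHA, immutable
DIGEST_REF = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI content digest, immutable

def audit_workflow(text):
    """Return (line_no, kind, ref) tuples for each mutable reference and for a
    missing workflow-level permissions block (simplified Scorecard checks)."""
    findings = []
    workflow_permissions = False
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("permissions:"):  # column 0 means workflow scope
            workflow_permissions = True
        m = USES_RE.match(line)
        if m and not m.group(1).startswith("./") and not SHA_REF.search(m.group(1)):
            findings.append((n, "unpinned-action", m.group(1)))  # tag or branch can move
        m = IMAGE_RE.match(line)
        if m and not DIGEST_REF.search(m.group(1)):
            findings.append((n, "unpinned-image", m.group(1)))  # tag can be re-pushed
    if not workflow_permissions:
        findings.append((0, "missing-permissions", "GITHUB_TOKEN defaults apply"))
    return findings
```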

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.


codecov Bot commented May 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.19%. Comparing base (3777999) to head (5b970dd).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #90   +/-   ##
=======================================
  Coverage   79.19%   79.19%           
=======================================
  Files          10       10           
  Lines        1115     1115           
=======================================
  Hits          883      883           
  Misses        134      134           
  Partials       98       98           



miabbott commented May 1, 2026

I don't disagree with the pinning of the actions, but I just want to understand how we would handle updating them in the future.

Dependabot has made this easier in the past with their auto-generated PRs; can the behavior of dependabot be changed to use digests instead of tags?


djach7 commented May 5, 2026

Sorry @miabbott, I missed this comment. From my understanding (and what I've learned grilling Claude about this), Dependabot should maintain whatever format is in the file. So after this PR is merged, all future Dependabot PRs should switch to using digests as well.

Comment thread .github/workflows/security.yml Outdated

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
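Review bot: the trailing `# v4` comment on the pinned line is informational only; GitHub resolves the 40-character SHA, and nothing enforces that `95e58e9a...` still matches what the `v4` tag points to. Since the thread notes this SHA corresponds to v4.35.2 while v4.35.3 is current, verify the SHA against the upstream tag before merging and make sure the update tooling rewrites the SHA and the comment together, otherwise the annotation will drift from the commit it describes.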
Collaborator

The pinned SHA 95e58e9a... corresponds to v4.35.2, but the latest v4 patch is v4.35.3 (e46ed2cb...). Was v4.35.2 pinned intentionally, or would it make sense to update to v4.35.3, please?

Collaborator

I would replace v4.35.3 with v4 so that comments regarding versions are consistent.

@djach7 djach7 force-pushed the openssf-evaluation branch from de67fa1 to 52f1e85 Compare May 5, 2026 15:17
Comment thread .github/workflows/ci.yml Outdated
os: [ ubuntu-latest, ubuntu-24.04-arm]
container:
image: quay.io/fedora/fedora:latest
image: quay.io/fedora/fedora@sha256:3de521d4e5fdfd9a368063f0d628dff2a0162f5d1cede0ceeefcd4465dd43a40 # latest
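Review bot: the digest freezes one snapshot of `fedora:latest`, so the `# latest` comment becomes misleading as soon as the tag moves, and the thread notes Dependabot will not refresh container digests in workflow files. Either pair the digest with tooling that updates it (Renovate was suggested) or, as discussed, use a versioned tag such as `:44` so the base image release is explicit; in both cases the `image:` line should state what it actually pins.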

@knecasov knecasov May 5, 2026


I just want to point out that the pinned SHA will probably not stay up-to-date for long. From what I have been able to find, Dependabot does not currently support updating container image digests in GitHub Actions workflow files (see issue 5819). It has been recommended to use Renovate to keep this digest current. What do you think about it, please?

Collaborator Author

You're right. Do you think it makes sense to sacrifice however much OpenSSF score it is and go back to latest? The other option is to use Renovate and set that up, though I don't know much about it.


Renovate is starting to see wider adoption within Red Hat, so it may be worth a spike to see if we could use it as a replacement for dependabot.

For the current container image setting, it may be more obvious to use a versioned tag (i.e. :43 or :44) rather than :latest. It won't appease OpenSSF, but would be more descriptive about what version is being used to build the software.

Collaborator Author

I think the version tag is a good compromise; I think we'll still get some credit from OpenSSF for that too. I'll push an update with that change.

Collaborator

@djach7, do you plan to create a spike to find out more information about Renovate or do you want me to create it, please?

Comment thread .github/workflows/release.yml Outdated
Collaborator

@knecasov knecasov left a comment


I added a few comments.

@djach7 djach7 force-pushed the openssf-evaluation branch from 52f1e85 to 20ddf6d Compare May 5, 2026 17:52

djach7 commented May 5, 2026

@knecasov thanks for reviewing! I just pushed an update addressing your comments and I resolved the ones that were comment or hash updates. I left the digest one open in case we want to have more discussion there.

Signed-off-by: djach7 <djachimo@redhat.com>
@djach7 djach7 force-pushed the openssf-evaluation branch from 20ddf6d to 5b970dd Compare May 5, 2026 19:28

knecasov commented May 6, 2026

> @knecasov thanks for reviewing! I just pushed an update addressing your comments and I resolved the ones that were comment or hash updates. I left the digest one open in case we want to have more discussion there.

Thank you very much, @djach7! I added some comments.
