
fix: pin GitHub Actions to commit SHAs (INT-326)#97

Closed
Xeboc wants to merge 4 commits into main from chore/INT-326/pin-github-actions

Conversation


@Xeboc Xeboc commented Apr 2, 2026

Info

  • Pins all uses: references in GitHub Actions workflows to full commit SHAs.

References

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configurations to enhance CI/CD infrastructure stability and pipeline consistency across build, test, and maintenance processes.

@Xeboc Xeboc enabled auto-merge (squash) April 2, 2026 22:41
@Xeboc Xeboc requested a review from a team as a code owner April 2, 2026 22:41
@Xeboc Xeboc requested a review from glaracuente April 2, 2026 22:41

coderabbitai Bot commented Apr 2, 2026

📝 Walkthrough

This pull request updates multiple GitHub Actions workflow files across the repository. The changes include pinning newer versions of external action dependencies (actions/checkout, trunk-io/trunk-action, and amannn/action-semantic-pull-request), replacing a Terraform/Tofu test step with an Aqua package manager installer in the test workflow, and introducing a new workflow file (tester.yaml) that configures Aqua. Overall, these are infrastructure configuration updates to CI/CD pipelines affecting workflow orchestration and dependency management without changes to application code.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

The majority of changes involve straightforward version pinning updates across multiple files (repetitive pattern), but the removal of the masterpointio/github-action-tf-test action and its replacement with Aqua, along with the introduction of a new workflow file, introduce sufficient heterogeneity and functional change to warrant closer inspection of the testing strategy shift.

Pre-merge checks: 3 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: pinning GitHub Actions to commit SHAs across multiple workflow files for security purposes, as documented in the PR objectives.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test.yaml:
- Around line 24-28: The workflow currently installs Aqua but never checks out
code, doesn't run tests, and pins the installer by tag; add an actions/checkout
step (use actions/checkout) immediately before the Aqua installer step so
aqua.yaml is available, replace the aqua-installer tag
(aquaproj/aqua-installer@v4.0.4) with a specific commit SHA to pin the action,
and add a run step that uses the matrix variable (use matrix.tf) to execute the
test command (e.g., run: ${{ matrix.tf }} test) so the defined matrix actually
runs tests.

In @.github/workflows/tester.yaml:
- Around line 1-19: The workflow is incomplete: the job named "deploy" only
installs the Aqua action (aquaproj/aqua-installer@v4.0.4) and lacks a checkout
step, any test steps, and uses a tag instead of a commit SHA; fix by adding a
workspace checkout (actions/checkout) before the "Install Aqua" step, rename the
job from "deploy" to something like "test" to match intent, add concrete test
steps that consume aqua.yaml (lint/build/test commands) after installing Aqua,
or remove the file entirely if it's redundant with test.yaml, and pin the
aquaproj/aqua-installer action to a specific commit SHA rather than the tag to
improve security and reproducibility.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 95f2b356-22f8-4fde-ac93-ef34a27e712e

📥 Commits

Reviewing files that changed from the base of the PR and between c84ae5e and 5bcdd98.

📒 Files selected for processing (4)
  • .github/workflows/lint.yaml
  • .github/workflows/test.yaml
  • .github/workflows/tester.yaml
  • .github/workflows/trunk-upgrade.yaml

Comment on lines +24 to +28

- name: Install Aqua
uses: aquaproj/aqua-installer@v4.0.4
with:
tf_type: ${{ matrix.tf }}
aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
aqua_version: v2.48.1
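Review bot: the `with:` block on this step no longer matches the action it drives. `tf_type`, `aws_role_arn` and `github_token` are inputs of the removed masterpointio/github-action-tf-test step (the walkthrough above records that replacement), not of aquaproj/aqua-installer, whose only input kept here is `aqua_version`; GitHub ignores inputs an action does not declare and only logs an "Unexpected input(s)" warning, so the job silently stops assuming `vars.TF_TEST_AWS_ROLE_ARN` and passing `secrets.GITHUB_TOKEN`, while `matrix.tf` is consumed by nothing. Drop the three stale inputs (or restore the tf-test step if the role assumption is still needed), and, since the PR title is about pinning to SHAs, replace `uses: aquaproj/aqua-installer@v4.0.4` with `uses: aquaproj/aqua-installer@<40-hex commit sha> # v4.0.4`, resolving the tag to the commit it points at rather than to an annotated tag object.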

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the commit SHA for aquaproj/aqua-installer v4.0.4
gh api repos/aquaproj/aqua-installer/git/refs/tags/v4.0.4 --jq '.object.sha'

Repository: masterpointio/terraform-aws-tailscale

Length of output: 241


🏁 Script executed:

cat -n .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 724


🏁 Script executed:

wc -l .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 111


Workflow is incomplete and non-functional.

The workflow installs Aqua but lacks two critical steps:

  1. No actions/checkout – Without checking out the repository, Aqua cannot access aqua.yaml to install tools
  2. No test execution – The matrix tf: [tofu, terraform] is defined but never used; there's no step to run terraform test or tofu test

Additionally, aquaproj/aqua-installer@v4.0.4 uses a version tag rather than a commit SHA.

Add an actions/checkout step before Aqua, pin the action to its commit SHA, and add a step to execute the test command using the matrix variable (e.g., run: ${{ matrix.tf }} test).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yaml around lines 24 - 28, The workflow currently
installs Aqua but never checks out code, doesn't run tests, and pins the
installer by tag; add an actions/checkout step (use actions/checkout)
immediately before the Aqua installer step so aqua.yaml is available, replace
the aqua-installer tag (aquaproj/aqua-installer@v4.0.4) with a specific commit
SHA to pin the action, and add a run step that uses the matrix variable (use
matrix.tf) to execute the test command (e.g., run: ${{ matrix.tf }} test) so the
defined matrix actually runs tests.
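
The pinning step that the PR title promises and the comment above asks for, as an added example that is not code from this PR, from CodeRabbit or from the masterpointio project: a small Python tool that rewrites every mutable `uses:` reference in a workflow to its full commit SHA, keeps the tag as a trailing comment, and reports what is still unpinned. It also handles the case the `gh api .../git/refs/tags/v4.0.4 --jq '.object.sha'` one-liner above misses: for an annotated tag that endpoint returns the SHA of the tag object (`object.type == "tag"`), not of a commit, so the ref has to be dereferenced through `git/tags/<sha>`. The API responses and SHAs below are constructed fixtures shaped like GitHub's real JSON, and the `gh` resolvers are only shown, not exercised.

```python
import json
import re
import subprocess
from typing import Callable, List, Tuple

# One `uses:` step line: indentation (with optional "- "), the action path, "@ref",
# then anything after the ref (usually a trailing "# vX.Y.Z" comment).
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Lookups return decoded GitHub REST JSON: (owner/repo, tag) -> git/ref/tags/{tag},
# (owner/repo, tag_sha) -> git/tags/{tag_sha}. Live versions via the gh CLI (not run here):
Lookup = Callable[[str, str], dict]

def gh_get_ref(repo: str, tag: str) -> dict:
    return json.loads(subprocess.check_output(["gh", "api", f"repos/{repo}/git/ref/tags/{tag}"]))

def gh_get_tag(repo: str, tag_sha: str) -> dict:
    return json.loads(subprocess.check_output(["gh", "api", f"repos/{repo}/git/tags/{tag_sha}"]))

def resolve_commit(action: str, ref: str, get_ref: Lookup, get_tag: Lookup) -> str:
    """Commit SHA behind a tag. For an annotated tag, git/ref/tags/<tag> returns
    object.type == "tag" and object.sha is the *tag object*, not a commit; pinning
    to that SHA breaks the workflow, so dereference until a commit is reached."""
    repo = "/".join(action.split("/")[:2])  # "owner/repo/sub/path" -> "owner/repo"
    obj = get_ref(repo, ref)["object"]
    hops = 0
    while obj["type"] == "tag":  # a tag may point at another tag
        hops += 1
        if hops > 5:
            raise ValueError(f"{action}@{ref}: tag chain too deep")
        obj = get_tag(repo, obj["sha"])["object"]
    if obj["type"] != "commit" or not SHA_RE.match(obj["sha"]):
        raise ValueError(f"{action}@{ref}: did not resolve to a commit")
    return obj["sha"]

def find_unpinned(text: str) -> List[Tuple[str, str]]:
    """(action, ref) pairs still on a mutable ref (tag or branch) rather than a 40-hex SHA."""
    found = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            found.append((m.group("action"), m.group("ref")))
    return found

def pin_workflow(text: str, get_ref: Lookup, get_tag: Lookup) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Rewrite each mutable `uses:` ref to its commit SHA, keeping the tag as a comment.
    Local actions ("./path", no "@") and "docker://" images (":" in the name) never match
    USES_RE and pass through untouched, as do lines already on a SHA."""
    out, report = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or SHA_RE.match(m.group("ref")):
            out.append(line)
            continue
        action, ref = m.group("action"), m.group("ref")
        sha = resolve_commit(action, ref, get_ref, get_tag)
        # The trailing "# vX.Y.Z" is what Dependabot/Renovate read when bumping a pinned SHA.
        out.append(f"{m.group('indent')}{action}@{sha} # {ref}")
        report.append((action, ref, sha))
    return "\n".join(out) + "\n", report

# Constructed offline fixtures: made-up SHAs, shaped like the real API responses.
REFS = {
    ("actions/checkout", "v4.2.2"): {"object": {"type": "commit", "sha": "a" * 40}},
    ("aquaproj/aqua-installer", "v4.0.4"): {"object": {"type": "tag", "sha": "b" * 40}},
}
TAG_OBJECTS = {"b" * 40: {"object": {"type": "commit", "sha": "c" * 40}}}

def fake_get_ref(repo: str, tag: str) -> dict:
    return REFS[(repo, tag)]

def fake_get_tag(repo: str, tag_sha: str) -> dict:
    return TAG_OBJECTS[tag_sha]

# Constructed workflow fragment covering a lightweight tag, an annotated tag,
# a local action, a Docker image and a step that is already pinned.
WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4.2.2
      - name: Install Aqua
        uses: aquaproj/aqua-installer@v4.0.4
        with:
          aqua_version: v2.48.1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: owner/already-pinned@0123456789abcdef0123456789abcdef01234567 # v1
"""

if __name__ == "__main__":
    pinned, changed = pin_workflow(WORKFLOW, fake_get_ref, fake_get_tag)
    print(pinned)
    for action, ref, sha in changed:
        print(f"pinned {action}@{ref} -> {sha}")
    print("still unpinned:", find_unpinned(pinned))
```

Run against the real repository by passing `gh_get_ref` and `gh_get_tag` instead of the fakes; `find_unpinned` doubles as the CI gate that fails a PR which reintroduces a tag or branch reference. Note that the fixture for aquaproj/aqua-installer deliberately models an annotated tag, so the pinned line ends up on the commit SHA (`c…`) and never on the tag-object SHA (`b…`) that the plain `--jq '.object.sha'` would have returned.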

Comment on lines +1 to +19
name: Test CI/CD

on:
pull_request:

permissions:
id-token: write
contents: read

jobs:
deploy:
runs-on: ubuntu-latest

steps:

- name: Install Aqua
uses: aquaproj/aqua-installer@v4.0.4
with:
aqua_version: v2.48.1
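Review bot: `permissions: id-token: write` is granted to a job whose only step installs Aqua; nothing here requests an OIDC token (no cloud-credential step follows the installer), so under least privilege the job should run with `contents: read` alone and gain `id-token: write` only when a step that actually exchanges the token is added. The job is also named `deploy` in a workflow titled "Test CI/CD" that runs on every pull_request, which is exactly the combination a reviewer flags on sight; rename it `test`, or remove the file if test.yaml supersedes it. As in test.yaml, `uses: aquaproj/aqua-installer@v4.0.4` is a mutable tag and does not meet the PR's stated goal; pin it to a 40-hex commit SHA with the tag kept as a trailing comment.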

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if there are other test workflows that might make this redundant
fd -e yaml -e yml . .github/workflows --exec basename {} | sort

Repository: masterpointio/terraform-aws-tailscale

Length of output: 151


🏁 Script executed:

cat -n .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 724


🏁 Script executed:

cat -n .github/workflows/tester.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 475


🏁 Script executed:

wc -l .github/workflows/tester.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 113


🏁 Script executed:

wc -l .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 111


This workflow is incomplete and should not be merged as-is.

The tester.yaml file appears to be unfinished test scaffolding. It's missing several critical elements:

  • No checkout step – The workflow can't access aqua.yaml or any repository files
  • No test implementation – Only installs Aqua with no actual tests following
  • Misleading job name – Job is named deploy but the workflow is "Test CI/CD"

Before merging, either complete this workflow with the necessary checkout step and test logic, or remove it if it's meant to be replaced by test.yaml.

Additionally, consider pinning the Aqua installer action to a commit SHA rather than a tag for better security and reproducibility.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tester.yaml around lines 1 - 19, The workflow is
incomplete: the job named "deploy" only installs the Aqua action
(aquaproj/aqua-installer@v4.0.4) and lacks a checkout step, any test steps, and
uses a tag instead of a commit SHA; fix by adding a workspace checkout
(actions/checkout) before the "Install Aqua" step, rename the job from "deploy"
to something like "test" to match intent, add concrete test steps that consume
aqua.yaml (lint/build/test commands) after installing Aqua, or remove the file
entirely if it's redundant with test.yaml, and pin the aquaproj/aqua-installer
action to a specific commit SHA rather than the tag to improve security and
reproducibility.

@Xeboc Xeboc closed this Apr 2, 2026
auto-merge was automatically disabled April 2, 2026 22:47

Pull request was closed

@Xeboc Xeboc deleted the chore/INT-326/pin-github-actions branch April 2, 2026 22:47