6 changes: 3 additions & 3 deletions .github/workflows/lint.yaml
Expand Up @@ -17,9 +17,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out Git repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Trunk Check
uses: trunk-io/trunk-action@4d5ecc89b2691705fd08c747c78652d2fc806a94 # v1.1.19
uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1.2.4
env:
# NOTE: inject the GITHUB_TOKEN for the trunk managed tflint linter
# https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
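Review bot: This hunk bumps actions/checkout across two major versions (v4.2.2 to v6.0.2) and trunk-action from v1.1.19 to v1.2.4 with no input changes, so the thing to verify before merge is that each new SHA is really the commit the trailing comment names; the `gh api repos/<owner>/<repo>/git/refs/tags/<tag> --jq '.object.sha'` pattern used elsewhere in this review does that, with the caveat that for an annotated tag `.object.type` is `tag` and the commit must be dereferenced rather than read from `.object.sha` directly. Keep the `# v6.0.2` and `# v1.2.4` comments: a pin-update tool trusts them, so a wrong comment beside a correct-looking SHA is worse than no comment.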
Expand All @@ -28,6 +28,6 @@ jobs:
conventional-title:
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
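Review bot: `amannn/action-semantic-pull-request` moves from v5.5.3 to v6.1.1, a major bump, while the `env` block and the `GITHUB_TOKEN` wiring below it are untouched; check the v6 release notes for changed inputs or defaults before merging, because this job gates every PR title and a behavioural change here blocks the whole pipeline rather than a single test.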
8 changes: 4 additions & 4 deletions .github/workflows/test.yaml
Expand Up @@ -21,8 +21,8 @@ jobs:
matrix:
tf: [tofu, terraform]
steps:
- uses: masterpointio/github-action-tf-test@c1e41998f67925ac3f34e0bbcfcaa4a44d1f0cd9 # v1.0.1

- name: Install Aqua
uses: aquaproj/[email protected]
with:
tf_type: ${{ matrix.tf }}
aws_role_arn: ${{ vars.TF_TEST_AWS_ROLE_ARN }}
github_token: ${{ secrets.GITHUB_TOKEN }}
aqua_version: v2.48.1
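Review bot: The replacement step weakens the pinning this PR otherwise tightens: the removed `masterpointio/github-action-tf-test@c1e41998…` line was pinned to a full commit with a `# v1.0.1` comment, while the new `uses: aquaproj/[email protected]` is a mutable tag that the action's owner can move; pin it to the tag's commit SHA with a `# v4.0.4` comment like every other action touched here. Separately, deleting the `tf_type`, `aws_role_arn` and `github_token` inputs leaves nothing that consumes `matrix.tf`, so the `[tofu, terraform]` matrix now runs two identical jobs that install Aqua and exit; either add a step such as `run: ${{ matrix.tf }} test` after a checkout, or drop the matrix until the tests are wired back in.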
Comment on lines +24 to +28
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the commit SHA for aquaproj/aqua-installer v4.0.4
gh api repos/aquaproj/aqua-installer/git/refs/tags/v4.0.4 --jq '.object.sha'

Repository: masterpointio/terraform-aws-tailscale

Length of output: 241

🏁 Script executed:

cat -n .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 724

🏁 Script executed:

wc -l .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 111
Workflow is incomplete and non-functional.

The workflow installs Aqua but lacks two critical steps:

  1. No actions/checkout – Without checking out the repository, Aqua cannot access aqua.yaml to install tools
  2. No test execution – The matrix tf: [tofu, terraform] is defined but never used; there's no step to run terraform test or tofu test

Additionally, aquaproj/[email protected] uses a version tag rather than a commit SHA.

Add an actions/checkout step before Aqua, pin the action to its commit SHA, and add a step to execute the test command using the matrix variable (e.g., run: ${{ matrix.tf }} test).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test.yaml around lines 24 - 28, The workflow currently
installs Aqua but never checks out code, doesn't run tests, and pins the
installer by tag; add an actions/checkout step (use actions/checkout)
immediately before the Aqua installer step so aqua.yaml is available, replace
the aqua-installer tag (aquaproj/[email protected]) with a specific commit
SHA to pin the action, and add a run step that uses the matrix variable (use
matrix.tf) to execute the test command (e.g., run: ${{ matrix.tf }} test) so the
defined matrix actually runs tests.

19 changes: 19 additions & 0 deletions .github/workflows/tester.yaml
@@ -0,0 +1,19 @@
name: Test CI/CD

on:
pull_request:

permissions:
id-token: write
contents: read

jobs:
deploy:
runs-on: ubuntu-latest

steps:

- name: Install Aqua
uses: aquaproj/[email protected]
with:
aqua_version: v2.48.1
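Review bot: `permissions` grants `id-token: write`, yet nothing in these 19 lines requests an OIDC token (the only step is Install Aqua, which takes no cloud credentials); drop it and keep the job at `contents: read` until a step actually assumes a cloud role, since a new workflow is the easiest place for an over-broad grant to survive unnoticed. The job key `deploy` under a workflow named "Test CI/CD" also reads as a copy-paste leftover, and `aquaproj/[email protected]` is a mutable tag where the rest of the repository pins full commit SHAs with a version comment.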
Comment on lines +1 to +19
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if there are other test workflows that might make this redundant
fd -e yaml -e yml . .github/workflows --exec basename {} | sort

Repository: masterpointio/terraform-aws-tailscale

Length of output: 151

🏁 Script executed:

cat -n .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 724

🏁 Script executed:

cat -n .github/workflows/tester.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 475

🏁 Script executed:

wc -l .github/workflows/tester.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 113

🏁 Script executed:

wc -l .github/workflows/test.yaml

Repository: masterpointio/terraform-aws-tailscale

Length of output: 111
This workflow is incomplete and should not be merged as-is.

The tester.yaml file appears to be unfinished test scaffolding. It's missing several critical elements:

  • No checkout step – The workflow can't access aqua.yaml or any repository files
  • No test implementation – Only installs Aqua with no actual tests following
  • Misleading job name – Job is named deploy but the workflow is "Test CI/CD"

Before merging, either complete this workflow with the necessary checkout step and test logic, or remove it if it's meant to be replaced by test.yaml.

Additionally, consider pinning the Aqua installer action to a commit SHA rather than a tag for better security and reproducibility.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tester.yaml around lines 1 - 19, The workflow is
incomplete: the job named "deploy" only installs the Aqua action
(aquaproj/[email protected]) and lacks a checkout step, any test steps, and
uses a tag instead of a commit SHA; fix by adding a workspace checkout
(actions/checkout) before the "Install Aqua" step, rename the job from "deploy"
to something like "test" to match intent, add concrete test steps that consume
aqua.yaml (lint/build/test commands) after installing Aqua, or remove the file
entirely if it's redundant with test.yaml, and pin the aquaproj/aqua-installer
action to a specific commit SHA rather than the tag to improve security and
reproducibility.

4 changes: 2 additions & 2 deletions .github/workflows/trunk-upgrade.yaml
Expand Up @@ -17,10 +17,10 @@ jobs:
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Run Trunk Upgrade
uses: masterpointio/[email protected].1
uses: masterpointio/github-action-trunk-upgrade@a79fd65d524d92031fe167daee411d2f25d4a999 # v0.1.0
with:
app-id: ${{ secrets.MP_BOT_APP_ID }}
app-private-key: ${{ secrets.MP_BOT_APP_PRIVATE_KEY }}
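Review bot: The new pin's comment does not match the version it replaces: the removed line was `masterpointio/[email protected]`, while the added SHA `a79fd65d524d92031fe167daee411d2f25d4a999` is annotated `# v0.1.0`. Either the action is being downgraded (in which case say so in the PR description) or the comment is wrong; confirm which tag that SHA belongs to and fix the comment, since Dependabot and Renovate use it to decide what the pin currently is. The checkout bump to v6.0.2 matches the other workflows in this PR.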