fix(ci): refresh stale GitHub Action SHA pins after upstream force-pushes#61
Open
sebastienrousseau wants to merge 2 commits into
Conversation
…shes

The OpenSSF Scorecard pass in 834bfe6 pinned several actions to SHAs that turned out to be stale once upstream maintainers force-pushed their `v2` / `v3` tags. Dependabot's first run flagged the breakage:

```
Error processing EmbarkStudios/cargo-deny-action
error: no such commit 82eb9f621fbc699dd0918f3ea06864c14cc84246
```

Seven pins refreshed against the current tag → commit mapping (resolved via `gh api /repos/X/tags?per_page=100`):

```
actions/attest-build-provenance     96b4a1ef… → e8998f94…  # v2
sigstore/cosign-installer           f713795c… → d58896d6…  # v3
EmbarkStudios/cargo-deny-action     82eb9f62… → d8395c1c…  # v2
github/codeql-action/init           ce28f5bb… → 03e4368a…  # v3
github/codeql-action/analyze        ce28f5bb… → 03e4368a…  # v3
github/codeql-action/upload-sarif   4e828ff8… → 03e4368a…  # v3
sebastienrousseau/pipelines/...     13013621… → 47ed7767…  # v0.0.2
```

Root cause of the earlier mistake: `gh api /repos/X/git/ref/tags/v2` returns the tag-object SHA for **annotated** tags (not the underlying commit). Used the `tags?per_page=100` endpoint this time which always returns `commit.sha` regardless of tag style.

Each new SHA verified by an explicit `gh api /repos/X/commits/<sha>` round-trip before commit. Dependabot can now resolve them on its next weekly run.

---
THE ARCHITECT ᛫ Sebastien Rousseau ᛫ https://sebastienrousseau.com
THE ENGINE ᛞ EUXIS ᛫ Enterprise Unified Execution Intelligence System ᛫ https://euxis.co
Assisted-by: Claude:claude-opus-4-7
The cargo-deny pin bumped to `d8395c1c…` (v0.20+) in the sibling stale-pin commit. That release removed the top-level `unmaintained = "workspace"` key (EmbarkStudios/cargo-deny#611) — the unmaintained-crate signal now comes through standard RustSec advisory entries (`unmaintained: main` / `unsound`), not a dedicated config knob. Without the migration the CI step fails with:

```
error[deprecated]: this key has been removed
  ┌─ ./deny.toml:5:1
  │
5 │ unmaintained = "workspace"
  │ ━━━━━━━━━━━━
```

Fix: delete the line. The severity flow stays the same — any advisory below `severity-threshold` (default `low`) fails the build unless listed in `ignore`. Inline comment captures the why so the next maintainer doesn't re-add it.

---
THE ARCHITECT ᛫ Sebastien Rousseau ᛫ https://sebastienrousseau.com
THE ENGINE ᛞ EUXIS ᛫ Enterprise Unified Execution Intelligence System ᛫ https://euxis.co
Assisted-by: Claude:claude-opus-4-7
Summary

Dependabot's first run on main (post-v0.0.6) failed because the OpenSSF Scorecard pass in commit 834bfe6 pinned 7 GitHub Actions to SHAs that the upstream maintainers later force-pushed away from. The pins now point at git objects that no longer exist:

Fix

- Re-resolved each tag via `gh api /repos/X/tags?per_page=100 | .commit.sha` (which always returns the underlying commit SHA, regardless of whether the tag is lightweight or annotated).
- Round-trip-verified each new SHA via `gh api /repos/X/commits/<sha>`.

| Action | Old SHA | New SHA |
|---|---|---|
| actions/attest-build-provenance | 96b4a1ef… | e8998f94… |
| sigstore/cosign-installer | f713795c… | d58896d6… |
| EmbarkStudios/cargo-deny-action | 82eb9f62… | d8395c1c… |
| github/codeql-action/init | ce28f5bb… | 03e4368a… |
| github/codeql-action/analyze | ce28f5bb… | 03e4368a… |
| github/codeql-action/upload-sarif | 4e828ff8… | 03e4368a… |
| sebastienrousseau/pipelines/...rust-ci.yml | 13013621… | 47ed7767… (v0.0.2) |

Root-cause prevention: the earlier mistake came from resolving via `/git/ref/tags/v2`, which returns the tag-object SHA for annotated tags (not the underlying commit). The new resolver uses `/tags?per_page=100`, which always dereferences.

Dependabot can now resolve the pins on its next weekly run and will keep them current going forward.

Test plan

- `gh api /commits/<sha>`.
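The two resolution routes the PR contrasts, plus the round-trip check and the pin rewrite, as an added example that is not part of the PR or the repository's own tooling. It assumes a `fetch(path)` callable that returns the parsed JSON of a GitHub REST path (a thin wrapper around `gh api <path>` in practice); the in-memory API, repository name and SHAs below are constructed so the block runs offline. It shows why `/git/ref/tags/<tag>` needs a second hop for annotated tags, why `/tags` does not, and how a pin is only rewritten after the new commit has been confirmed to exist.

```python
"""Resolve a GitHub Action tag to its commit SHA and refresh stale pins.

Added example; not the project's tooling. `fetch(path)` is assumed to
behave like `gh api <path>` (parsed JSON back, LookupError on 404).
"""
import re
from typing import Any, Callable

Fetch = Callable[[str], Any]

# --- constructed sample data: not real repositories or SHAs ---------------
STALE_SHA = "0123456789abcdef0123456789abcdef01234567"   # force-pushed away
TAG_OBJ_SHA = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # annotated tag object
COMMIT_SHA = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"   # commit v2 points at

FAKE_API = {
    # /git/ref/tags/v2 for an ANNOTATED tag: object.sha is the tag object
    "/repos/example/action/git/ref/tags/v2": {
        "ref": "refs/tags/v2", "object": {"type": "tag", "sha": TAG_OBJ_SHA}},
    "/repos/example/action/git/tags/" + TAG_OBJ_SHA: {
        "tag": "v2", "object": {"type": "commit", "sha": COMMIT_SHA}},
    # /tags listing: commit.sha is already the dereferenced commit
    "/repos/example/action/tags?per_page=100": [
        {"name": "v2", "commit": {"sha": COMMIT_SHA}},
        {"name": "v1", "commit": {"sha": "c" * 40}},
    ],
    "/repos/example/action/commits/" + COMMIT_SHA: {"sha": COMMIT_SHA},
    # STALE_SHA is deliberately absent: the API would answer "no such commit"
}


def fake_fetch(path: str) -> Any:
    """Stand-in for `gh api`; raises like a 404 for unknown paths."""
    try:
        return FAKE_API[path]
    except KeyError:
        raise LookupError(f"no such object: {path}") from None


# --- resolution ------------------------------------------------------------
def resolve_via_ref(fetch: Fetch, repo: str, tag: str) -> str:
    """The route the PR calls a mistake: /git/ref/tags/<tag> yields the tag
    OBJECT sha for annotated tags, so it must be dereferenced once more."""
    obj = fetch(f"/repos/{repo}/git/ref/tags/{tag}")["object"]
    if obj["type"] == "tag":                      # annotated: one more hop
        obj = fetch(f"/repos/{repo}/git/tags/{obj['sha']}")["object"]
    if obj["type"] != "commit":
        raise ValueError(f"{repo}@{tag} does not resolve to a commit")
    return obj["sha"]


def resolve_via_tags(fetch: Fetch, repo: str, tag: str) -> str:
    """The route the PR switched to: /tags always carries commit.sha."""
    for entry in fetch(f"/repos/{repo}/tags?per_page=100"):
        if entry["name"] == tag:
            return entry["commit"]["sha"]
    raise KeyError(f"tag {tag} not among the first 100 tags of {repo}")


def commit_exists(fetch: Fetch, repo: str, sha: str) -> bool:
    """Round-trip check: `gh api /repos/X/commits/<sha>` must succeed."""
    try:
        fetch(f"/repos/{repo}/commits/{sha}")
    except LookupError:
        return False
    return True


# --- workflow pin refresh --------------------------------------------------
# Matches `uses: owner/name[/sub]@<40-hex sha> # <tag>` lines.
PIN_RE = re.compile(
    r"(?P<pre>uses:\s*)(?P<owner>[\w.-]+)/(?P<name>[\w.-]+)(?P<sub>/[^@\s]*)?"
    r"@(?P<sha>[0-9a-f]{40})(?P<post>\s*#\s*(?P<tag>v[\w.-]+))")


def refresh_pins(text: str, fetch: Fetch) -> tuple[str, list[tuple[str, str, str]]]:
    """Rewrite every pinned `uses:` line whose sha no longer exists to the
    commit its tag comment currently points at. Returns the new text and a
    list of (action, old_sha, new_sha) for the lines that changed."""
    changes: list[tuple[str, str, str]] = []

    def fix(m: re.Match) -> str:
        repo = f"{m['owner']}/{m['name']}"
        old = m["sha"]
        if commit_exists(fetch, repo, old):
            return m.group(0)                       # pin still valid, keep it
        new = resolve_via_tags(fetch, repo, m["tag"])
        if not commit_exists(fetch, repo, new):     # verify before writing
            raise RuntimeError(f"resolved {repo}@{m['tag']} to missing {new}")
        changes.append((repo + (m["sub"] or ""), old, new))
        return f"{m['pre']}{repo}{m['sub'] or ''}@{new}{m['post']}"

    return PIN_RE.sub(fix, text), changes


# Constructed workflow fragment: first pin is stale, second is fine.
WORKFLOW = f"""steps:
  - uses: example/action@{STALE_SHA} # v2
  - uses: example/action/init@{COMMIT_SHA} # v2
"""

if __name__ == "__main__":
    updated, changed = refresh_pins(WORKFLOW, fake_fetch)
    for action, old, new in changed:
        print(f"{action}: {old[:8]}… → {new[:8]}…")
    print(updated)
```

The pin is rewritten only when the old commit is gone and the new one has been confirmed, so a resolver bug cannot quietly swap a valid pin for a nonexistent one; with a real `fetch` wrapped around `gh api`, the same functions run against live repositories.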