Merged
8 changes: 1 addition & 7 deletions .audit-ci.json
Expand Up @@ -4,13 +4,7 @@
"high": true,
"critical": true,
"report-type": "summary",
"allowlist": [
"GHSA-7r86-cg39-jmmj",
"GHSA-23c5-xmqv-rm74",
"GHSA-qffp-2rhf-9h96",
"GHSA-9ppj-qmqm-q256",
"GHSA-qpx9-hpmf-5gmw"
],
"allowlist": [],
"skip-dev": true,
"output-format": "text"
}
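Review bot: the five GHSA identifiers dropped from `allowlist` will be enforced by audit-ci again as soon as this merges, but nothing in the visible diff shows the dependency upgrades that would clear them. Please state in the commit message which upgrade resolves each advisory (or that the advisory no longer applies to the pinned versions) so the empty `"allowlist": []` is a deliberate decision and not something the next CI run discovers; if any advisory is still unresolved it has to return to the list, since `"high": true` and `"critical": true` will otherwise fail the job.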
6 changes: 3 additions & 3 deletions .github/workflows/codeql-analysis.yml
Expand Up @@ -54,7 +54,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: 🔧 Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
# Use comprehensive security queries
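Review bot: the change from `github/codeql-action/init@v3` to `@v4` is not explained anywhere in the PR, and a major-version bump of the init step is the point where query-suite or runner requirements can change. Please reference the v4 release notes in the commit message and confirm that the `languages: ${{ matrix.language }}` input and the query configuration that follows the `# Use comprehensive security queries` comment need no adjustment; the floating `@v4` tag also still resolves to whatever the latest v4 release is, so the commit-SHA pin suggested in the comment below this hunk is the safer long-term form.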
Comment on lines +57 to 60
🚨 suggestion (security): Consider pinning GitHub Actions to a specific commit SHA instead of a major tag for better supply-chain security.

Since you’re already updating CodeQL, it’s a good time to pin these to immutable SHAs (e.g. github/codeql-action/* here and upload-sarif in main-ci.yml). This improves build reproducibility and reduces the impact of any compromised or breaking upstream release; you can add a comment with the corresponding release tag for traceability.

Suggested implementation:

      # Initializes the CodeQL tools for scanning.
      - name: 🔧 Initialize CodeQL
        # Pinned to a specific CodeQL Action commit for supply-chain security.
        # Replace <CODEQL_ACTION_COMMIT_SHA> with the immutable SHA corresponding to the desired v4 release
        # (e.g. from https://github.com/github/codeql-action/releases).
        # Example comment once pinned: github/codeql-action/init@v4.0.0
        uses: github/codeql-action/init@<CODEQL_ACTION_COMMIT_SHA>
        with:
          languages: ${{ matrix.language }}
          # Use comprehensive security queries

      # Autobuild attempts to build any compiled languages
      - name: 🤖 Autobuild
        # Pinned to the same CodeQL Action commit SHA as init/analyze for reproducibility.
        # Example comment once pinned: github/codeql-action/autobuild@v4.0.0
        uses: github/codeql-action/autobuild@<CODEQL_ACTION_COMMIT_SHA>

      - name: 🔍 Perform CodeQL Analysis
        # Pinned to the same CodeQL Action commit SHA as init/autobuild for reproducibility.
        # Example comment once pinned: github/codeql-action/analyze@v4.0.0
        uses: github/codeql-action/analyze@<CODEQL_ACTION_COMMIT_SHA>

  1. Look up the exact commit SHA for the desired github/codeql-action v4 release (e.g. v4.0.0) and replace <CODEQL_ACTION_COMMIT_SHA> with that immutable SHA in all three steps to keep them in sync.
  2. In .github/workflows/main-ci.yml, locate any upload-sarif usage (e.g. github/codeql-action/upload-sarif@v4 or similar) and:
    • Pin it to a specific commit SHA in the same way.
    • Add a comment indicating the corresponding release tag (e.g. github/codeql-action/upload-sarif@v4.0.0) for traceability.

Expand All @@ -79,10 +79,10 @@ jobs:

# Autobuild attempts to build any compiled languages
- name: 🤖 Autobuild
uses: github/codeql-action/autobuild@v3
uses: github/codeql-action/autobuild@v4

- name: 🔍 Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
# Upload results to GitHub Security tab
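Review bot: with `init`, `autobuild` and `analyze` now all on `@v4`, the remaining risk is a stray `github/codeql-action/*@v3` reference in the collapsed part of this workflow below the hunk, since the init and analyze steps of one CodeQL job should come from the same release. A quick grep of the whole file for `codeql-action/` before merging would confirm nothing was missed; the `category: "/language:${{matrix.language}}"` input on `analyze` is unchanged and fine as is.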
2 changes: 1 addition & 1 deletion .github/workflows/docker-modern.yml
Expand Up @@ -134,7 +134,7 @@ jobs:

- name: 🔐 Log in to Docker Hub
if: github.event_name == 'release' || inputs.push
uses: docker/login-action@v3
uses: docker/login-action@v4
🚨 suggestion (security): Apply the same version-pinning strategy to docker/login-action to avoid unexpected behavior changes.

As with the CodeQL steps, docker/login-action@v4 will follow the latest v4 release. Please pin this to a specific commit SHA for the chosen v4 release so the workflow behavior remains deterministic and less exposed to supply‑chain or unexpected runtime changes over time.

Suggested implementation:

      - name: 🔐 Log in to Docker Hub
        if: github.event_name == 'release' || inputs.push
        # Pinned to a specific v4 commit to keep workflow behavior deterministic
        uses: docker/login-action@<PINNED_V4_COMMIT_SHA>
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USERNAME }}

  1. Replace <PINNED_V4_COMMIT_SHA> with the actual commit SHA for the desired v4 release of docker/login-action (e.g., from the release/tag you are standardizing on).
  2. Optionally, extend the comment to include the corresponding tag (e.g., # v4.0.0) once you have chosen the exact release, to make future maintenance easier.

with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
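Review bot: this login step reads `registry: ${{ env.REGISTRY }}` while the equivalent step in release.yml, touched in the same PR, hardcodes `registry: docker.io`. Since both steps are being moved to `docker/login-action@v4` at once, consider aligning them on one source for the registry name so a later change to `env.REGISTRY` here is not silently missed there. The `if: github.event_name == 'release' || inputs.push` gate correctly keeps `secrets.DOCKER_USERNAME` out of ordinary builds and should stay.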
2 changes: 1 addition & 1 deletion .github/workflows/main-ci.yml
Expand Up @@ -127,7 +127,7 @@ jobs:
output: "trivy-results.sarif"

- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: "trivy-results.sarif"
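Review bot: separate from the bump to `github/codeql-action/upload-sarif@v4`, the `if: always()` on this upload step also runs when the job is cancelled, at which point `trivy-results.sarif` may not have been written and the upload fails for an unrelated reason. `if: ${{ !cancelled() }}` keeps the intended upload-even-when-the-scan-fails behaviour without that edge case. The move to v4 here does keep upload-sarif on the same major version as the CodeQL job in codeql-analysis.yml, which is the right thing to do.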
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -105,7 +105,7 @@ jobs:
uses: docker/setup-buildx-action@v4

- name: 🔐 Log in to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@v4
with:
registry: docker.io
username: ${{ secrets.DOCKER_USERNAME }}
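Review bot: the commit-SHA pin suggested for `docker/login-action@v4` in docker-modern.yml applies equally to this step, and the two should be pinned to the same SHA so both Docker Hub logins resolve to one known release; the neighbouring `docker/setup-buildx-action@v4` is on the same floating-major-tag pattern and would benefit from the same treatment. The hardcoded `registry: docker.io` here versus `${{ env.REGISTRY }}` in docker-modern.yml is worth reconciling while both files are open.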