Sync gotests workflow across all needed repos #131
Summary by CodeRabbit
Walkthrough: Added a new "Go tests" GitHub Actions workflow file and registered it in
Changes: Go Tests Workflow Introduction
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@workflows_examples/gotests.yaml`:
- Line 8: Replace the mutable tag reference in the reusable workflow usage by
pinning to the commit SHA: update the uses line that currently points to
"RedHatInsights/processing-tools/.github/workflows/gotests.yaml@v0.4.1" to use
the specific commit SHA for that release, e.g.
"RedHatInsights/processing-tools/.github/workflows/gotests.yaml@<COMMIT_SHA>",
and optionally add the original "@v0.4.1" tag as a trailing comment for
readability.
📒 Files selected for processing (2)
- .github/sync.yml
- workflows_examples/gotests.yaml
workflows_examples/gotests.yaml:

    jobs:
      gotests:
        uses: RedHatInsights/processing-tools/.github/workflows/gotests.yaml@v0.4.1
🧩 Analysis chain
🌐 Web query:
GitHub Actions reusable workflow pinning commit SHA vs tag security best practices 2025 2026
💡 Result:
For GitHub Actions reusable workflows, the security best practice is to pin to a full-length commit SHA rather than a tag. This ensures immutability, preventing supply chain attacks where tags are rewritten or force-pushed to malicious commits, as seen in incidents like tj-actions/changed-files (2025) and aquasecurity/trivy-action (2026) [1][2][3]. Official GitHub documentation explicitly states: "Using the commit SHA is the safest option for stability and security" for referencing reusable workflows with syntax {owner}/{repo}/.github/workflows/(unknown)@{ref} [3]. The secure use reference confirms pinning actions and workflows to full-length commit SHAs mitigates risks of backdoors or tag movement, even from verified creators [1]. Administrators can enforce SHA pinning via organization or repository policies, failing non-compliant workflows [4][1]. SHA pinning provides the highest security because SHAs reference specific, unchangeable Git commits, unlike tags which can be altered by repository owners [5][6]. Add comments like # v4.1.1 for version tracking [7][8][9]. Use tools like Dependabot or Renovate to automate updates while maintaining pins [8]. Avoid latest or unpinned refs entirely [10]. As of 2025-2026 updates, GitHub supports SHA pinning enforcement and blocking policies, with 2026 roadmap adding dependency locking [4][11]. This applies identically to reusable workflows as to actions [1][3].
Citations:
- 1: https://docs.github.com/en/actions/reference/security/secure-use
- 2: https://dev.to/kanywst/hacking-github-from-tag-rewrites-to-dangling-commits-where-the-git-protocol-trusts-you-without-2o4h
- 3: https://docs.github.com/en/actions/how-tos/reuse-automations/reuse-workflows
- 4: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
- 5: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide
- 6: https://cloudnativeengineer.substack.com/p/github-actions-reproducibility-security
- 7: Pin GitHub Actions to commit SHAs in release workflow github/gh-aw#10021
- 8: How to pin GitHub Actions to SHA instead of tag using Renovate? renovatebot/renovate#42031
- 9: Pin all GitHub Actions to immutable SHA commits for supply chain security github/gh-aw#5691
- 10: https://dev.to/ciberconscientes/github-actions-why-you-should-pin-your-actions-to-a-specific-version-1513
- 11: https://github.blog/news-insights/product-news/whats-coming-to-our-github-actions-2026-security-roadmap/
🏁 Script executed:

    # Check if we can find any references to this workflow in the repository
    fd -t f -e yaml -e yml | head -20

Repository: RedHatInsights/processing-tools
Length of output: 309
🌐 Web query:
RedHatInsights/processing-tools v0.4.1 tag GitHub release commit
💡 Result:
Could not determine the commit for the RedHatInsights/processing-tools v0.4.1 tag from the available sources. What I found:
- The GitHub releases page for RedHatInsights/processing-tools was found, but the search results snippets did not include an entry for tag v0.4.1 or any tag-to-commit mapping details needed to answer the question [1].
- Other RedHatInsights repos reference the processing-tools pre-commit hook version bump to v0.4.0 (not v0.4.1), and include a bot-pushed commit hash for that v0.4.0 update; however, this is not the v0.4.1 tag you asked for [2].
If you want, paste the URL of the specific v0.4.1 release/tag page (or the output of git ls-remote --tags https://github.com/RedHatInsights/processing-tools.git v0.4.1), and I can map it to the exact commit hash.
Citations:
- 1: https://github.com/RedHatInsights/processing-tools/releases
- 2: chore(deps): update pre-commit hook redhatinsights/processing-tools to v0.4.0 - autoclosed insights-on-prem#30
🏁 Script executed:

    # Check the actual content of the file to see the full context
    cat -n workflows_examples/gotests.yaml

Repository: RedHatInsights/processing-tools
Length of output: 273
Pin reusable workflow by commit SHA, not tag.
Line 8 references a mutable tag (@v0.4.1). Tags can be retargeted, so this weakens CI supply-chain integrity. Prefer pinning to an immutable commit SHA (you can keep the tag in a comment for readability).
Suggested change
jobs:
gotests:
- uses: RedHatInsights/processing-tools/.github/workflows/gotests.yaml@v0.4.1
+ uses: RedHatInsights/processing-tools/.github/workflows/gotests.yaml@<full_commit_sha>
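Review bot: the replacement line is not applicable as written, because `<full_commit_sha>` is a placeholder rather than a ref and the analysis chain above could not resolve which commit v0.4.1 points to; the real 40-character SHA has to be substituted before this suggestion can be committed. The `+` line also drops the tag entirely, although the comment above recommends keeping it as a trailing comment, so `uses: RedHatInsights/processing-tools/.github/workflows/gotests.yaml@<full_commit_sha> # v0.4.1` would keep the pinned version visible and lets tools such as Dependabot or Renovate track it.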
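A defender-side check for the pinning issue raised in this review, added here as an example and not code from the PR or from the processing-tools project: it lists `uses:` references in a workflow file that are not pinned to a full commit SHA, and rewrites one such line to a SHA pin that keeps the tag as a trailing comment. The sample workflow, the action names and the SHA are constructed; the SHA for a real tag comes from `git ls-remote --tags <repo-url> <tag>`, as the bot's query output above notes.

```shell
#!/bin/sh
# Added example (not code from the PR or from processing-tools): audit GitHub
# Actions workflow files for `uses:` references that point at a mutable ref
# (tag or branch) instead of a full 40-hex commit SHA, and rewrite one such
# line to a SHA pin that keeps the tag as a trailing comment.
set -eu

# Constructed sample workflow; the action names and the SHA are made up.
sample_workflow() {
  cat <<'EOF'
name: Go tests
on: [push]
jobs:
  gotests:
    uses: RedHatInsights/processing-tools/.github/workflows/gotests.yaml@v0.4.1
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: example-org/lint-action@main
EOF
}

# Print (with line numbers) every `uses:` line whose ref after '@' is not a
# 40-char hex SHA. Local actions carry no '@ref' and are skipped.
unpinned_uses() {
  grep -nE '^[[:space:]-]*uses:[[:space:]]*[^[:space:]#]+@[^[:space:]#]+' "$1" \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# Rewrite "<ref>@<tag>" to "<ref>@<sha> # <tag>". $1 = line, $2 = full SHA the
# tag resolves to (obtain it with `git ls-remote --tags <repo-url> <tag>`).
pin_line() {
  line=$1; sha=$2
  case $sha in *[!0-9a-f]*|'') echo "pin_line: not a hex SHA: $sha" >&2; return 1 ;; esac
  [ "${#sha}" -eq 40 ] || { echo "pin_line: SHA must be 40 hex chars" >&2; return 1; }
  prefix=${line%@*}            # everything up to the last '@'
  tag=${line##*@}              # ref after the last '@' ...
  tag=${tag%%[[:space:]]*}     # ... minus any trailing comment
  printf '%s@%s # %s\n' "$prefix" "$sha" "$tag"
}

# Demo on the constructed sample: list the two mutable refs, then pin line 5.
f=$(mktemp)
sample_workflow > "$f"
unpinned_uses "$f"
pin_line "$(sed -n 5p "$f")" 0123456789abcdef0123456789abcdef01234567
rm -f "$f"
```

Run it against real workflow files with `unpinned_uses .github/workflows/<file>.yaml`; the rewrite step is deliberately per-line so the resolved SHA is reviewed before it replaces the tag.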
Description
Adding an example of gotests.yaml usage and syncing it to the Go-based repos fleet. Fixes #CCXDEV-15356
Testing steps
To be tested on each repository