Conversation
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
…zizmor) Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
…zmor) Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Pull request overview
Updates GitHub Actions CI workflows to improve security posture (credential persistence, action pinning signals) and enhance vulnerability scanning (Trivy SARIF + KEV tagging), based on patterns from LXD.
Changes:
- Disable persisted git credentials on `actions/checkout` across multiple workflows/jobs.
- Rework Trivy security scanning to use `aquasecurity/trivy-action`, upload SARIF, and tag KEV-listed CVEs.
- Pin the documentation reusable workflow by commit and add `zizmor: ignore` annotations for specific findings.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .github/workflows/triage.yml | Adds zizmor suppression for pull_request_target trigger warning. |
| .github/workflows/tests.yml | Disables checkout credential persistence in jobs; pins doc workflow by commit; adds zizmor suppression for an unpinned reusable action. |
| .github/workflows/security.yml | Migrates Trivy scanning to aquasecurity/trivy-action, adds KEV tagging logic, and adjusts permissions/conditions. |
| .github/workflows/codeql.yml | Disables checkout credential persistence for CodeQL job. |
| .github/actions/system-test/action.yml | Adds checkout credential hardening and zizmor suppressions; refactors input usage in bash steps. |
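The KEV tagging the overview mentions, as an added example that is not the PR's own `security.yml` logic: it assumes the Trivy JSON report layout (`Results[].Vulnerabilities[].VulnerabilityID`) and the CISA KEV feed layout (`vulnerabilities[].cveID`), and both inputs below are constructed with placeholder CVE IDs.

```python
"""Tag Trivy findings that also appear in the CISA KEV catalog."""
import json

# Constructed Trivy JSON report, trimmed to the fields used here
# (Results[].Target and Results[].Vulnerabilities[].VulnerabilityID).
# The CVE IDs are placeholders, not real identifiers.
TRIVY_REPORT = json.loads("""
{"Results": [
  {"Target": "ubuntu:24.04", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "MEDIUM"}
  ]},
  {"Target": "bin/tool", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "HIGH"}
  ]},
  {"Target": "etc/config", "Vulnerabilities": null}
]}
""")

# Constructed excerpt of the CISA KEV feed (vulnerabilities[].cveID).
KEV_CATALOG = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0009", "knownRansomwareCampaignUse": "Unknown"}
]}
""")


def kev_ids(catalog: dict) -> set[str]:
    """Return the set of CVE IDs listed in a KEV catalog document."""
    return {entry["cveID"] for entry in catalog.get("vulnerabilities", [])}


def tag_kev(report: dict, kev: set[str]) -> list[dict]:
    """One record per (target, CVE) with a 'kev' flag, KEV hits first."""
    rows = []
    for result in report.get("Results", []):
        # Trivy emits null rather than [] for a target with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            cve = vuln["VulnerabilityID"]
            rows.append({"target": result.get("Target", ""), "cve": cve,
                         "severity": vuln.get("Severity", "UNKNOWN"),
                         "kev": cve in kev})
    rows.sort(key=lambda r: (not r["kev"], r["cve"], r["target"]))
    return rows
```

Sorting KEV-listed findings to the top is what makes the tag useful in a job summary: the CVEs with confirmed in-the-wild exploitation are the ones a triager should see before the rest of the severity list.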
| persist-credentials: false | ||
|
|
||
| - uses: canonical/lxd/.github/actions/lp-snap-build@main | ||
| - uses: canonical/lxd/.github/actions/lp-snap-build@main # zizmor: ignore[unpinned-uses] |
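Review bot: the `# zizmor: ignore[unpinned-uses]` on the `lp-snap-build@main` line records that the finding was seen but not why it is accepted, and this is the step that receives the SSH private key, so it is the one place where the rationale matters most; put the reason in the comment itself, or in a repository-level zizmor configuration, so the exception stays auditable rather than looking like a blanket silence. The `persist-credentials: false` added above it is the right default here: it keeps the checkout token out of `.git/config` for every later step in the job, so an unpinned action that is later compromised would at least not inherit that token.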
This workflow runs canonical/lxd/.github/actions/lp-snap-build@main while providing an SSH private key secret. Using an unpinned ref (@main) for an external action is a supply-chain risk because the referenced code can change without review. Prefer pinning to an immutable commit SHA (or a trusted, immutable tag) instead of suppressing the warning.
| - uses: canonical/lxd/.github/actions/lp-snap-build@main # zizmor: ignore[unpinned-uses] | |
| - uses: canonical/lxd/.github/actions/lp-snap-build@FULL_40_CHARACTER_COMMIT_SHA # pin to the reviewed action revision |
LXD's main moves too fast for pinning IMHO. Considering that dependabot has cooldowns and grouped updates, maybe @roosterfish will opt for pinning anyway though.
| - name: Tune disk performance | ||
| uses: canonical/lxd/.github/actions/tune-disk-performance@main | ||
| uses: canonical/lxd/.github/actions/tune-disk-performance@main # zizmor: ignore[unpinned-uses] | ||
|
|
||
| - name: Reclaim some space | ||
| uses: canonical/lxd/.github/actions/reclaim-disk-space@main | ||
| uses: canonical/lxd/.github/actions/reclaim-disk-space@main # zizmor: ignore[unpinned-uses] | ||
|
|
||
| - name: Reclaim some memory | ||
| uses: canonical/lxd/.github/actions/reclaim-memory@main | ||
| uses: canonical/lxd/.github/actions/reclaim-memory@main # zizmor: ignore[unpinned-uses] | ||
|
|
||
| - name: Disable Docker (GitHub runners) | ||
| if: ${{ runner.environment == 'github-hosted' }} | ||
| uses: canonical/lxd/.github/actions/disable-docker@main | ||
| uses: canonical/lxd/.github/actions/disable-docker@main # zizmor: ignore[unpinned-uses] |
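Review bot: four separate inline `# zizmor: ignore[unpinned-uses]` suppressions on the tune-disk-performance, reclaim-disk-space, reclaim-memory and disable-docker steps will drift as steps are added or reordered; if the decision is to keep tracking canonical/lxd at `@main` (see the discussion above about LXD's main moving too fast to pin), a single documented exception in the repository-level zizmor configuration, or one comment on the first step stating the rationale, keeps the exception in one auditable place instead of scattered across each `uses:`. Note also that `@main` means every run pulls whatever LXD has merged, so a regression in any of these helper actions surfaces as a failure in this repository's CI with no local change to bisect.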
These steps reference reusable actions from canonical/lxd using the mutable @main ref. Even though this is within the same org, it still weakens supply-chain integrity and makes builds non-reproducible. Prefer pinning each uses: to a specific commit SHA (or an immutable tag) rather than adding zizmor ignores.
MicroCeph's `latest/edge` just moved from 19.2 to 20.2 Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
No description provided.