Skip to content

GitHub Actions pinning #475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lucperkins wants to merge 2 commits into
base: main
Choose a base branch
from
Open

GitHub Actions pinning #475

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
28f5af6
GitHub Actions pinning
lucperkins May 28, 2026
44fc55e
Add zizmor checking workflow
lucperkins May 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .envrc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# shellcheck shell=bash
use flake
16 changes: 13 additions & 3 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,16 @@
version: 2

updates:
- package-ecosystem: "github-actions"
directory: "/"
- package-ecosystem: github-actions
directory: /
schedule:
interval: "weekly"
interval: weekly
cooldown:
default-days: 7
groups:
actions:
patterns: ["*"]
ignore:
- dependency-name: DeterminateSystems/*
commit-message:
prefix: ci
57 changes: 40 additions & 17 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,12 +52,16 @@ jobs:
fail-fast: false
runs-on: ${{ inputs.runner }}
timeout-minutes: 60
env:
SYSTEM: ${{ inputs.system }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- run: nix build .#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
- run: nix build .#packages.${{ inputs.system }}.binaryTarball --out-link tarball
- run: nix build ".#packages.${SYSTEM}.default" ".#packages.${SYSTEM}.binaryTarball" --no-link -L
- run: nix build ".#packages.${SYSTEM}.binaryTarball" --out-link tarball
- run: nix build .#^debug,out
- name: Upload debug info to Sentry
run: ./maintainers/upload-debug-info-to-sentry.py --debug-dir ./result-debug ./result/bin/nix
Expand All @@ -66,9 +70,9 @@ jobs:
SENTRY_AUTH_TOKEN: ${{ secrets.sentry_auth_token }}
SENTRY_ORG: ${{ secrets.sentry_org }}
SENTRY_PROJECT: ${{ secrets.sentry_project }}
- uses: actions/upload-artifact@v6
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ inputs.system }}
name: ${{ env.SYSTEM }}
path: ./tarball/*.xz

build_static:
Expand All @@ -77,11 +81,15 @@ jobs:
fail-fast: false
runs-on: ${{ inputs.runner }}
timeout-minutes: 60
env:
SYSTEM: ${{ inputs.system }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- run: nix build .#packages.${{ inputs.system }}.nix-cli-static --no-link -L
- run: nix build ".#packages.${SYSTEM}.nix-cli-static" --no-link -L

test:
if: ${{ inputs.if && inputs.run_tests}}
Expand All @@ -90,18 +98,24 @@ jobs:
fail-fast: false
runs-on: ${{ inputs.runner }}
timeout-minutes: 60
env:
SYSTEM: ${{ inputs.system }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- run: nix flake check -L --system ${{ inputs.system }}
- run: nix flake check -L --system "${SYSTEM}"

vm_tests_smoke:
if: inputs.run_vm_tests && github.event_name != 'merge_group'
needs: build
runs-on: ${{ inputs.runner_for_virt }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- run: |
Expand All @@ -117,7 +131,9 @@ jobs:
needs: build
runs-on: ${{ inputs.runner_for_virt }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- run: |
Expand Down Expand Up @@ -174,23 +190,28 @@ jobs:

steps:
- name: Checkout nix
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Checkout flake-regressions
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: NixOS/flake-regressions
path: flake-regressions
persist-credentials: false
- name: Checkout flake-regressions-data
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: NixOS/flake-regressions-data
path: flake-regressions/tests
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- name: Run flake regression tests
env:
#PARALLEL: ${{ !contains(matrix.nix_config, 'eval-cores') && '-P 50%' || '-P 1' }}
PARALLEL: '-P 1'
PARALLEL: "-P 1"
FLAKE_REGRESSION_GLOB: ${{ matrix.glob }}
NIX_CONFIG: ${{ matrix.nix_config }}
PREFETCH: "1"
Expand Down Expand Up @@ -230,13 +251,15 @@ jobs:
deployments: "write"
steps:
- name: Checkout nix
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- name: Build manual
if: inputs.system == 'x86_64-linux'
run: nix build .#hydraJobs.manual
- uses: nwtgck/actions-netlify@v3.0
- uses: nwtgck/actions-netlify@4cbaf4c08f1a7bfa537d6113472ef4424e4eb654 # v3.0.0
if: inputs.publish_manual && inputs.system == 'x86_64-linux'
with:
publish-dir: "./result/share/doc/nix/manual"
Expand Down
75 changes: 46 additions & 29 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,25 +13,25 @@ on:
types:
- published

permissions:
id-token: "write"
contents: "read"
pull-requests: "write"
statuses: "write"
deployments: "write"

jobs:
eval:
runs-on: UbuntuLatest32Cores128G
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- run: nix flake show --all-systems --json

build_x86_64-linux:
uses: ./.github/workflows/build.yml
permissions:
id-token: write
contents: read
with:
Comment on lines +32 to 35
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

In GitHub Actions reusable workflows, do permissions set on the caller job cap the GITHUB_TOKEN permissions available inside called workflow jobs, even if the called workflow asks for broader permissions?

💡 Result:

Yes, permissions set on a caller job explicitly cap the GITHUB_TOKEN permissions available to any jobs within a called reusable workflow [1][2]. When you call a reusable workflow, GitHub validates the permissions requested by the called workflow against the permissions granted by the caller job [3]. The following rules apply: 1. Mandatory Capping: The permissions available to a reusable workflow can only be maintained or reduced from those granted by the caller job; they cannot be elevated [4][1]. If the called workflow requests broader permissions than what is provided by the caller job, the workflow will fail validation before it even begins executing [2][3]. 2. Default Behavior: If you do not explicitly define permissions on the caller job, the called workflow inherits the default permissions for the GITHUB_TOKEN [1]. 3. Principle of Least Privilege: Because reusable workflows are treated similarly to actions in terms of permission scoping, it is considered a security best practice to grant the caller job only the minimum permissions required for the tasks performed by the called workflow [2][5]. If a called workflow requires specific permissions to function (e.g., contents: write), you must ensure that the caller job explicitly grants those permissions (or a broader superset) [2][3]. If the caller job fails to grant sufficient permissions, the workflow execution will be rejected by GitHub [3].

Citations:

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Files =="
ls -la .github/workflows || true

echo
echo "== ci.yml (relevant sections) =="
# Show around reported lines and around build_x86_64-linux usage
sed -n '1,120p' .github/workflows/ci.yml | nl -ba | sed -n '20,80p' || true
rg -n "build_x86_64-linux|publish_manual|uses: \\.\/\\.github\\/workflows\\/build\\.yml|uses: \\.\\/\\.github\\/workflows\\/build\\.yml" .github/workflows/ci.yml || true
sed -n '1,220p' .github/workflows/ci.yml | nl -ba | sed -n '1,220p' || true

echo
echo "== build.yml (manual job + permissions) =="
rg -n "job[s]?:|manual:|publish_manual|permissions:" .github/workflows/build.yml || true
# Print around manual job section and around any publish_manual logic
python3 - <<'PY'
import re, itertools, pathlib
p = pathlib.Path(".github/workflows/build.yml")
text = p.read_text().splitlines()
# find lines with "manual:" and "permissions:"
hits = [i for i,l in enumerate(text) if re.search(r'^\s*manual:\s*$', l) or re.search(r'^\s*manual:\s*$', l)]
perm_hits = [i for i,l in enumerate(text) if re.search(r'^\s*permissions:\s*$', l)]
print("manual line indices:", hits)
print("permissions line indices:", perm_hits)
PY
# Best-effort contextual extracts (avoid huge output)
sed -n '1,260p' .github/workflows/build.yml | nl -ba | sed -n '1,260p' || true

Repository: DeterminateSystems/nix-src

Length of output: 1087

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== ci.yml: locate build_x86_64-linux and the uses: build.yml call =="
rg -n "build_x86_64-linux" .github/workflows/ci.yml || true
rg -n "uses:\s*\./\.github/workflows/build\.yml|publish_manual|permissions:" .github/workflows/ci.yml || true
echo
echo "== ci.yml: print around build_x86_64-linux usage (best-effort) =="
# Print entire file with line numbers via cat -n (file is small: 6086 bytes)
cat -n .github/workflows/ci.yml | sed -n '1,220p'

echo
echo "== build.yml: print around manual job and its permissions =="
cat -n .github/workflows/build.yml | sed -n '200,320p'

echo
echo "== build.yml: print around publish_manual input handling =="
rg -n "publish_manual" .github/workflows/build.yml || true
cat -n .github/workflows/build.yml | sed -n '1,120p'

Repository: DeterminateSystems/nix-src

Length of output: 17052

Widen build_x86_64-linux permissions for the reusable workflow’s manual publish path.

In .github/workflows/ci.yml, build_x86_64-linux sets only permissions: id-token: write and contents: read but passes publish_manual: true to .github/workflows/build.yml. The called workflow’s manual job requires pull-requests, statuses, and deployments write permissions, and those permissions can’t be elevated beyond what the caller grants—so the Netlify/manual update path that uses secrets.GITHUB_TOKEN can fail.

Suggested fix 
  build_x86_64-linux:
    uses: ./.github/workflows/build.yml
    permissions:
      id-token: write
      contents: read
+     pull-requests: write
+     statuses: write
+     deployments: write
    with:
      system: x86_64-linux
      runner: namespace-profile-linuxamd32c64g-cache
      runner_for_virt: UbuntuLatest32Cores128G
      runner_small: ubuntu-latest
      run_tests: true
      run_vm_tests: true
      run_regression_tests: true
      publish_manual: true
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
permissions:
id-token: write
contents: read
with:
permissions:
id-token: write
contents: read
pull-requests: write
statuses: write
deployments: write
with:
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 32 - 35, The caller workflow job
build_x86_64-linux currently grants only id-token: write and contents: read but
passes publish_manual: true to the reusable workflow; update the permissions
block for build_x86_64-linux to also grant pull-requests: write, statuses:
write, and deployments: write (in addition to id-token: write and contents:
read) so the called workflow’s manual job can perform the Netlify/manual updates
using secrets.GITHUB_TOKEN; if you prefer, gate these elevated permissions
behind the same condition that sets publish_manual to true so they are only
granted when needed.

system: x86_64-linux
runner: namespace-profile-linuxamd32c64g-cache
Expand All @@ -50,17 +50,20 @@ jobs:

build_aarch64-linux:
uses: ./.github/workflows/build.yml
permissions:
id-token: write
contents: read
with:
if: ${{
github.event_name != 'pull_request'
|| (
github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src'
&& (
(github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
|| (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))
)
)
}}
github.event_name != 'pull_request'
|| (
github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src'
&& (
(github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
|| (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))
)
)
}}
system: aarch64-linux
runner: UbuntuLatest32Cores128GArm
runner_for_virt: UbuntuLatest32Cores128GArm
Expand All @@ -72,6 +75,9 @@ jobs:

build_aarch64-darwin:
uses: ./.github/workflows/build.yml
permissions:
id-token: write
contents: read
with:
system: aarch64-darwin
runner: namespace-profile-mac-m2-12c28g
Expand All @@ -84,6 +90,12 @@ jobs:

success:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
pull-requests: write
statuses: write
deployments: write
needs:
- eval
- build_x86_64-linux
Expand All @@ -102,14 +114,17 @@ jobs:
contains(needs.*.result, 'failure') ||
contains(needs.*.result, 'cancelled')

- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- uses: DeterminateSystems/determinate-nix-action@main

- name: Create artifacts directory
run: mkdir -p ./artifacts

- name: Fetch artifacts
uses: actions/download-artifact@v7
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: downloaded
- name: Move downloaded artifacts to artifacts directory
Expand All @@ -121,15 +136,15 @@ jobs:

- name: Build fallback-paths.nix
if: ${{
github.event_name != 'pull_request'
|| (
github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src'
&& (
(github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
|| (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))
)
)
}}
github.event_name != 'pull_request'
|| (
github.event.pull_request.head.repo.full_name == 'DeterminateSystems/nix-src'
&& (
(github.event.action == 'labeled' && github.event.label.name == 'upload to s3')
|| (github.event.action != 'labeled' && contains(github.event.pull_request.labels.*.name, 'upload to s3'))
)
)
}}
run: |
nix build .#fallbackPathsNix --out-link fallback
cat fallback > ./artifacts/fallback-paths.nix
Expand All @@ -154,7 +169,9 @@ jobs:
contents: write
id-token: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: DeterminateSystems/determinate-nix-action@main
- uses: DeterminateSystems/flakehub-push@main
with:
Expand Down
25 changes: 25 additions & 0 deletions .github/workflows/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
name: zizmor

on:
push:
branches:
- main
pull_request:

jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
config: .github/zizmor.yml
5 changes: 5 additions & 0 deletions .github/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
rules:
unpinned-uses:
config:
policies:
DeterminateSystems/*: ref-pin