security: pin dependencies and restrict token permissions #90
djach7 wants to merge 1 commit into containers:main from
Conversation
Codecov Report: All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##             main      #90   +/-   ##
=======================================
  Coverage   79.19%   79.19%
=======================================
  Files          10       10
  Lines        1115     1115
=======================================
  Hits          883      883
  Misses        134      134
  Partials       98       98
I don't disagree with the pinning of the actions, but I just want to understand how we would handle updating them in the future. Dependabot has made this easier in the past with their auto-generated PRs; can the behavior of dependabot be changed to use digests instead of tags?

Sorry @miabbott I missed this comment. From my understanding (and what I've learned grilling Claude about this) dependabot should maintain whatever format is in the file. So after this PR is merged all future dependabot PRs should switch to using digests as well.
| os: [ ubuntu-latest, ubuntu-24.04-arm] | ||
| container: | ||
| image: quay.io/fedora/fedora:latest | ||
| image: quay.io/fedora/fedora@sha256:3de521d4e5fdfd9a368063f0d628dff2a0162f5d1cede0ceeefcd4465dd43a40 # latest |
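Review bot: the `# latest` comment beside the new digest on the replaced `image:` line records a moving tag rather than the version the digest was resolved from, so a reader cannot verify or refresh the pin from it; record the versioned tag the digest resolves to (the thread suggests `:43` or `:44`) instead, and keep in mind that, as noted in the discussion, Dependabot will not bump this digest, so it needs Renovate or a manual update to stay current.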
I just want to point out that the pinned SHA will probably not stay up-to-date for long. From what I have been able to find, Dependabot does not currently support updating container image digests in GitHub Actions workflow files (see issue 5819). It has been recommended to use Renovate to keep this digest current. What do you think about it, please?
You're right, do you think it makes sense to sacrifice however much OpenSSF score it is and go back to latest? The other option is to use renovate and set that up, I don't know much about it though.
Renovate is starting to see wider adoption within Red Hat, so it may be worth a spike to see if we could use it as a replacement for dependabot.
For the current container image setting, it may be more obvious to use a versioned tag (i.e. :43 or :44) rather than :latest. It won't appease OpenSSF, but would be more descriptive about what version is being used to build the software.
I think the version tag is a good compromise; I think we'll still get some credit from OpenSSF for that too. I'll push an update with that change.
@djach7, do you plan to create a spike to find out more information about Renovate or do you want me to create it, please?
I'll take care of it right now, thank you for offering though
One recommendation - I would link the THEEDGE-4717 ticket in the THEEDGE-4740 ticket.
Anyway, thank you so much @djach7 for creating the ticket!
knecasov left a comment
I added a few comments.
@knecasov thanks for reviewing! I just pushed an update addressing your comments and I resolved the ones that were comment or hash updates. I left the digest one open in case we want to have more discussion there.
Pin all GitHub Actions to commit SHAs and container images to digests
to prevent supply chain attacks. Add explicit permissions blocks to
workflows following principle of least privilege.
Changes:
- Pin actions/checkout, actions/setup-go, codecov/codecov-action,
actions/create-github-app-token, cycjimmy/semantic-release-action,
goreleaser/goreleaser-action, and github/codeql-action to commit SHAs
- Pin quay.io/fedora/fedora container image to sha256 digest
- Add workflow-level "contents: read" permission to ci.yml and security.yml
- Add job-level "contents: write" permission to version-release job
These changes address OpenSSF Scorecard findings:
- Pinned-Dependencies: 0/10 -> 10/10
- Token-Permissions: 0/10 -> 10/10
- Expected overall score improvement: 6.8/10 -> ~8.0/10
Related: THEEDGE-4717
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: djach7 <djachimo@redhat.com>
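To make the "Pinned-Dependencies" and "Token-Permissions" findings from the commit message concrete, here is an added example (not the project's code, not Scorecard's) that scans a workflow file the way a reviewer would before approving a PR like this one: every `uses:` must end in a 40-hex commit SHA, every container `image:` must carry an `@sha256:` digest, and the workflow must declare a top-level `permissions:` block. The two sample workflows are constructed for this example; the `0123...4567` commit SHA is a placeholder, not the real pin for actions/checkout, while the image digest is the one from the PR diff above.

```python
import re

# Constructed "before" sample: tag-pinned actions, :latest image, no permissions.
UNPINNED_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: quay.io/fedora/fedora:latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - run: go test ./...
"""

# Constructed "after" sample. The commit SHA is a placeholder, not the real pin;
# the image digest is the one from the PR diff.
PINNED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: quay.io/fedora/fedora@sha256:3de521d4e5fdfd9a368063f0d628dff2a0162f5d1cede0ceeefcd4465dd43a40 # 43
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-helper
      - run: go test ./...
"""

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")            # full git SHA-1 object id
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")   # OCI content digest
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")      # \S+ stops before "# comment"
IMAGE_LINE = re.compile(r"^\s*image:\s*(\S+)")
TOP_LEVEL_PERMS = re.compile(r"^permissions:", re.MULTILINE)  # column 0 only


def find_unpinned_actions(workflow: str) -> list[str]:
    """Return `uses:` references whose ref after '@' is not a full commit SHA.
    A tag or branch can be moved by the action's maintainer (or an attacker
    with their credentials); a commit SHA cannot. Local ./ actions are skipped
    because they ship inside the repository itself."""
    unpinned = []
    for line in workflow.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        _, _, version = ref.partition("@")
        if not COMMIT_SHA.match(version):
            unpinned.append(ref)
    return unpinned


def find_unpinned_images(workflow: str) -> list[str]:
    """Return container `image:` references that lack an @sha256 digest."""
    return [
        m.group(1)
        for line in workflow.splitlines()
        if (m := IMAGE_LINE.match(line)) and not IMAGE_DIGEST.search(m.group(1))
    ]


def has_workflow_permissions(workflow: str) -> bool:
    """True when a top-level permissions: block exists. That block replaces
    the repository default GITHUB_TOKEN grant for every job; a job that needs
    more (e.g. contents: write for a release) must then ask for it explicitly."""
    return TOP_LEVEL_PERMS.search(workflow) is not None


def audit(workflow: str) -> dict:
    """Summarise the three checks for one workflow file."""
    return {
        "unpinned_actions": find_unpinned_actions(workflow),
        "unpinned_images": find_unpinned_images(workflow),
        "workflow_permissions": has_workflow_permissions(workflow),
    }


if __name__ == "__main__":
    for name, wf in (("before", UNPINNED_WORKFLOW), ("after", PINNED_WORKFLOW)):
        print(name, audit(wf))
```

The check is deliberately line-based rather than a YAML parse so it runs with no dependencies and can be dropped into a pre-commit hook; note that it only verifies the pin's shape, not that the SHA or digest actually resolves to the version named in the trailing comment, which is exactly the gap the Dependabot/Renovate discussion above is about.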
knecasov left a comment
LGTM! Thank you very much for incorporating comments and the discussion.