Skip to content

Enhance reusable workflows#80

Open
Yaswant Pradhan (yaswant) wants to merge 169 commits into
mainfrom
develop
Open

Enhance reusable workflows#80
Yaswant Pradhan (yaswant) wants to merge 169 commits into
mainfrom
develop

Conversation

@yaswant

@yaswant Yaswant Pradhan (yaswant) commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

PR Summary

Code Reviewer: James Bruten (@james-bruten-mo)

Hardens the GitHub Actions security baseline across all workflows.

Action pinning

  • All third-party actions replaced with immutable 40-char commit SHAs (e.g. actions/checkout@v6@df4cb1c…).
  • actions/github-script in track-review-project.yaml upgraded from v8 → v9 as part of the pin.

Credential & permission scoping

  • persist-credentials: false added to every actions/checkout step
  • Top-level permissions: {} set on caller workflows; granular contents: read / pull-requests: write / actions: read pushed down to job level in call-track-review-project.yaml, call-trigger-project-workflow.yaml, and trigger-project-workflow.yaml
  • fortran-lint.yaml gains an explicit contents: read job permission.

Template-injection fixes (zizmor)

  • cla-check.yaml: step outputs and inputs.cla-url moved to env: vars, read via process.env.* in the github-script block.
  • fortran-lint.yaml: all string/path inputs moved to env: vars; boolean flags resolved in shell using a bash array.
  • track-review-project.yaml: inputs.project_org and inputs.project_number moved to env: vars. Also, included PROJECT_ACTION_PAT secret as required parameter to avoid secret inheritance in caller workflow (breaking change! See updated README for usage).

CLA workflow logic

  • Merge-ref detection replaced: git ls-remote → gh api repos/.../pulls/… (avoids unauthenticated git network call).
  • CONTRIBUTORS.md modification check rewritten: git diff → GitHub Contents API + base64 | tr | cmp (avoids authenticated git fetch from fork). File modification now checked against content instead of just file state.

Tooling & config

  • New dependabot.yaml: monthly schedule, major-version updates blocked, all action updates grouped into a single PR
  • New zizmor.yaml: suppresses unpinned-uses, dangerous-triggers, and secrets-inherit for the two caller workflows that use secrets: inherit
  • .yamllint: updated ignore syntax; added comments and comments-indentation rules.
  • PR template: minor formatting tidy-up, emoji section headers, few typo fixes.

To enforce strict GitHub Actions security baselines, we now use immutable 40-character commit SHAs.

✅ Code Quality Checklist

(Some checks are automatically carried out via the CI pipeline)

  • I have performed a self-review of my own code
  • My code follows the project's style guidelines
  • The modified workflow's README has been updated, if required
  • The changes have been sufficiently tested (see MetOffice/git_playground/pull/137)

🤖 AI Assistance and Attribution

  • Some of the content of this change has been produced with the assistance of Generative AI tool name (e.g., Met Office Github Copilot Enterprise, Github Copilot Personal, ChatGPT GPT-4, etc) and I have followed the Simulation Systems AI policy (including attribution labels)

💻 Code Review

  • The changes are approriate and testing has been sufficient

@yaswant
update checkout action version to v6 in CLA workflow
d0af05e
@yaswant
refactor: enhance CLA check for contributor status in PR branch
fe826dc
@yaswant
refactor: update step name for contributor check in CLA workflow
e78dd86
@yaswant
refactor: update ref input handling for CLA verification
fc10ca3
@yaswant
refactor: add functionality to delete old CLA-related comments
2bd6f12
@yaswant
refactor: improve filtering of CLA-related comments from GitHub Actio…
ff15ce5 
…ns bot
@yaswant
refactor: remove unused ref input and simplify checkout ref handling
1181bdb
@yaswant
refactor: add error handling for deleting old CLA comments
e2f37e7
@yaswant
refactor: enhance error handling for label creation in CLA workflow
48dd503
@yaswant
refactor: update CONTRIBUTORS file references to CONTRIBUTORS.md in C…
4e23060 
…LA workflow
@yaswant
refactor: update CLA comment link to point to the correct repository …
548cddf 
…location
@yaswant
Update post message
dcf2c97
@yaswant
Handle the scenario where a contributor has already signed the CLA in…
a455d67 
… the base branch
@yaswant
Merge branch 'main' into develop
2415cc9
@yaswant
Empty Commit
8e563d5
@yaswant
Refactor CLA workflow to use base SHA for accurate comparison
0eeacb5
@yaswant
Add copyright notice to CLA Checker workflow file
49f528b
@yaswant
Merge branch 'main' into develop
91bf7c5
@james-bruten-mo @yaswant
remove labelling when cla already signed on base (#46)
61639ac 
Co-authored-by: Yaswant Pradhan <2984440+yaswant@users.noreply.github.com>
@james-bruten-mo
Remove label (#47)
61964fe
@james-bruten-mo
Remove label (#48)
dc0cdf9
@james-bruten-mo
Remove label (#49)
ba7228b
@james-bruten-mo
update cla action (#50)
641b29d
@james-bruten-mo
Project edit action (#53)
ac9a69a
@james-bruten-mo
add permissions to develop branch action
322090a
@james-bruten-mo
update permissions syntax
b57ad63
@james-bruten-mo
try read-all
6132c4b
@james-bruten-mo
revert to write
7dcbe75
@james-bruten-mo
test without assigning
05cadd4
@james-bruten-mo
update secret
c412c32
@yaswant Yaswant Pradhan (yaswant) changed the title Pin third party actions Enhance reusable workflows Jun 8, 2026
@yaswant
Update linked README files
916299f
@yaswant
Fix formatting in README.md for permissions section
acdad39
@yaswant
Enhance workflow permissions
07d5a66
@yaswant
Refactor PR reviewer extraction and project metadata handling for imp…
3dc3aff 
…roved safety and clarity
@yaswant
Update README.md to clarify project entry handling and enhance permis…
499779a 
…sions for workflows
@yaswant
Update workflows and dependencies for improved validation and linting
a1c1b0f 
- Set 'requirements' in build-sphinx-docs.yaml to optional
- Update output redirection syntax in cla-check.yaml, sphinx-docs.yaml, and track-review-project.yaml for consistency
- Add Actionlint, Zizmor, and Markdown Lint steps to validate workflows in validate.yaml
- Change shell from Python to Bash in labeler action for input validation
- Update pyproject.toml to include new dependencies and configure Markdown Lint settings
- Improve formatting and clarity in README.md
@yaswant
Enhance shell script detection in validation workflow with improved m…
ba8edcb 
…essaging and error handling
@yaswant
Improve shell script detection messaging in validation workflow
c97548b
@yaswant
Empty Commit
5749f74
@yaswant Yaswant Pradhan (yaswant) added this to the Summer 2026 milestone Jun 22, 2026
james-bruten-mo
James Bruten (james-bruten-mo) reviewed Jun 23, 2026
View reviewed changes

@james-bruten-mo James Bruten (james-bruten-mo) left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of queries around things, but otherwise looks ok. Can you link the git_playground PR where you tested these.

Would it also be possible for you to update the checkout action to the new v7 and retest please. There are changes to pull_request_target behaviour in that which may affect us https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
I suspect we're probably ok, other than the cla-check which may require us to use the override.

Comment thread .github/workflows/call-track-review-project.yaml Outdated
Comment thread .github/workflows/cla-check.yaml Outdated
# Clean up the localised workspace
rm -f base_raw.txt pr_raw.txt base_clean.txt pr_clean.txt
fi
# - name: Check if CONTRIBUTORS.md was modified in PR

@james-bruten-mo James Bruten (james-bruten-mo) Jun 23, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume this commented section can now be removed?

@yaswant Yaswant Pradhan (yaswant) Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I kept it there as that was my first attempt to replace the original implementation.

@yaswant Yaswant Pradhan (yaswant) Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now removed.

Comment thread .github/workflows/sphinx-docs.yaml
@yaswant

Yaswant Pradhan (yaswant) commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

A couple of queries around things, but otherwise looks ok. Can you link the git_playground PR where you tested these.

Its under the Code Quality Checklist section of the PR

Would it also be possible for you to update the checkout action to the new v7 and retest please. There are changes to pull_request_target behaviour in that which may affect us https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/ I suspect we're probably ok, other than the cla-check which may require us to use the override.

Let me give that a spin.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@james-bruten-mo James Bruten (james-bruten-mo) Awaiting requested review from james-bruten-mo

At least 1 approving review is required to merge this pull request.

Assignees

@yaswant Yaswant Pradhan (yaswant)

Labels

CI security Changes to prevent code vulnerabilities

Projects

None yet

Milestone

Summer 2026

Development

Successfully merging this pull request may close these issues.

Security hardening: Pin third-party actions to immutable commit SHAs

3 participants

@yaswant @james-bruten-mo @mo-ssd-bot