ci(security): add pinact config and pin-verification workflow #61
We pinned all GitHub Actions to full commit SHAs manually, but nothing enforced it going forward. Add pinact so CI rejects any unpinned action or a version comment that does not match its SHA.

- .pinact.yaml (schema v3): file patterns for workflow / composite action files.
- .github/workflows/pinact.yml: runs suzuki-shunsuke/pinact-action on pull requests in check-only mode (fix: false, verify: true) using the default GITHUB_TOKEN; it never modifies files, only fails CI on violations. Its own actions are SHA-pinned too.

Dependabot (github-actions) keeps the pins fresh.

Verified locally with `pinact run --check --verify`: all workflows pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR adds automated verification to ensure GitHub Actions dependencies remain pinned to full commit SHAs going forward, using pinact in CI to prevent future unpinned or mismatched version-comment situations.
Changes:
- Add a `.pinact.yaml` v3 configuration to define which workflow/composite-action files are subject to pin verification.
- Add a Pinact GitHub Actions workflow that runs on pull requests and verifies pinning in check-only mode (`fix: false`, `verify: true`) using SHA-pinned actions.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .pinact.yaml | Defines file patterns (workflows and composite actions) to be checked by pinact. |
| .github/workflows/pinact.yml | Adds a PR-triggered CI job that verifies all referenced actions are pinned to full SHAs without modifying files. |
Summary

We pinned GitHub Actions to SHAs manually, but there was no mechanism (pinact) to catch pins being missed from now on. This adds one.

Changes

- .pinact.yaml (schema v3): defines the target file patterns (workflows / composite actions)
- .github/workflows/pinact.yml: runs suzuki-shunsuke/pinact-action on PRs in verify-only mode (fix: false / verify: true); uses GITHUB_TOKEN, does not modify files, and fails CI on any unpinned action or on a mismatch between a version comment and its SHA

Verification

Ran `pinact run --check --verify` → all workflows pass (exit 0). The existing pins (actions/checkout, actions/setup-node) also have version comments matching their SHAs.

With this, the supply-chain measures line up as: ① audit before install, ② ignore-scripts, ③ SHA-pinning Actions + Dependabot, ④ continuous pin verification via pinact.
🤖 Generated with Claude Code
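As an added illustration of what the check-only / verify mode described in this PR actually enforces, the following Python (not part of the PR or of pinact itself) re-implements the two checks over a constructed workflow snippet: every `uses:` reference must be a full 40-hex commit SHA, and its `# vX.Y.Z` comment must resolve to that same SHA. The tag-to-SHA map and all SHAs are constructed placeholders; pinact itself resolves tags through the GitHub API, which is why the workflow needs GITHUB_TOKEN.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches a `uses:` step; the @ref and the trailing `# vX.Y.Z` comment are optional.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)(?:@(?P<ref>[^\s#]+))?"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str, tag_to_sha: Dict[Tuple[str, str], str]) -> List[str]:
    """Return one finding per `uses:` line that a check+verify run would reject.

    tag_to_sha maps (action, tag) -> commit SHA. pinact resolves this via the
    GitHub API; here the caller supplies it so the check runs offline.
    """
    findings: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        if action.startswith("./"):
            continue  # local composite actions have no upstream SHA to pin
        if ref is None or not FULL_SHA_RE.match(ref):
            findings.append(f"line {lineno}: {action}@{ref} is not pinned to a full commit SHA")
        elif comment is None:
            findings.append(f"line {lineno}: {action}@{ref[:7]} has no version comment to verify")
        elif tag_to_sha.get((action, comment)) != ref:
            findings.append(f"line {lineno}: comment {comment} does not resolve to {ref[:7]}")
    return findings


# Constructed sample data: the SHAs are placeholders, not real commits.
SHA_CHECKOUT, SHA_CACHE_PINNED, SHA_CACHE_ACTUAL, SHA_UPLOAD = "a" * 40, "b" * 40, "c" * 40, "d" * 40
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@{SHA_CHECKOUT} # v4.2.2
      - uses: actions/setup-node@v4
      - uses: actions/cache@{SHA_CACHE_PINNED} # v4.2.0
      - uses: ./.github/actions/local-setup
      - uses: actions/upload-artifact@{SHA_UPLOAD}
"""
# In this constructed map the v4.2.0 tag points at a different commit than the one pinned.
TAG_TO_SHA = {("actions/checkout", "v4.2.2"): SHA_CHECKOUT, ("actions/cache", "v4.2.0"): SHA_CACHE_ACTUAL}


def demo() -> List[str]:
    return check_workflow(SAMPLE_WORKFLOW, TAG_TO_SHA)


if __name__ == "__main__":
    print("\n".join(demo()) or "all actions pinned and verified")
```

Running it reports three findings (an unpinned tag, a comment/SHA mismatch, and a pin with no comment) and leaves the correctly pinned checkout step and the local action alone.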