Description
TL;DR
Currently the GitHub actions leveraged by this GitHub action are not pinned to full-length SHAs. To ensure that the same version of an action is always being executed, they should be pinned to a full-length SHA.
The SHAs being unpinned causes the actions to fail to execute when GitHub's "Require actions to be pinned to a full-length commit SHA" enforcement prevents this action from being able to be used. Enabling this is the recommendation of GitHub in securing your action usage, as seen here.
Expected behavior
The expectation is that the actions leveraged by this action would be referenced with full commit SHAs
Observed behavior
The actions leveraged by this action are referenced by tags, which are movable.
Action YAML
```yaml
name: 'Security Review'

on:
  pull_request_target:
    types: [opened, synchronize]

concurrency:
  group: '${{ github.workflow }}-review-${{ github.event.pull_request.number }}'
  cancel-in-progress: true

defaults:
  run:
    shell: 'bash'

jobs:
  review:
    # 89942104 is the user id for the angular robot account.
    if: |
      (
        github.event_name == 'pull_request_target' &&
        github.event.pull_request.user.id == '89942104'
      )
    runs-on: 'ubuntu-latest'
    timeout-minutes: 15
    permissions:
      contents: 'read'
      id-token: 'write'
      pull-requests: 'write'
    steps:
      - name: 'Acknowledge request'
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          ISSUE_NUMBER: '${{ github.event.pull_request.number }}'
          MESSAGE: |-
            Beginning security review for the pull request. Track the progress [in the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
          REPOSITORY: '${{ github.repository }}'
        run: |-
          gh issue comment "${ISSUE_NUMBER}" \
            --body "${MESSAGE}" \
            --repo "${REPOSITORY}"

      - name: 'Checkout repository'
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: 'Run Gemini security analysis review'
        uses: 'google-github-actions/run-gemini-cli@f7db4b6f82ad0c3725cf4c98bdd93af80e22b4dc' # v0.1.14
        id: 'gemini_security_analysis'
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          ISSUE_TITLE: '${{ github.event.pull_request.title }}'
          ISSUE_BODY: '${{ github.event.pull_request.body }}'
          PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number }}'
          REPOSITORY: '${{ github.repository }}'
        with:
          gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
          gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
          gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
          gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
          gemini_api_key: '${{ secrets.SECURITY_REVIEWER }}'
          gemini_cli_version: '${{ vars.GEMINI_CLI_VERSION }}'
          gemini_debug: '${{ fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}'
          gemini_model: '${{ vars.GEMINI_MODEL }}'
          google_api_key: '${{ secrets.GOOGLE_API_KEY }}'
          use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
          use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
          upload_artifacts: '${{ vars.UPLOAD_ARTIFACTS }}'
          extensions: |
            [
              "https://github.com/gemini-cli-extensions/security.git"
            ]
          settings: |-
            {
              "model": {
                "maxSessionTurns": 100
              },
              "telemetry": {
                "enabled": true,
                "target": "local",
                "outfile": ".gemini/telemetry.log"
              },
              "mcpServers": {
                "github": {
                  "command": "docker",
                  "args": [
                    "run",
                    "-i",
                    "--rm",
                    "-e",
                    "GITHUB_PERSONAL_ACCESS_TOKEN",
                    "ghcr.io/github/github-mcp-server:v0.18.0"
                  ],
                  "includeTools": [
                    "add_comment_to_pending_review",
                    "create_pending_pull_request_review",
                    "pull_request_read",
                    "submit_pending_pull_request_review"
                  ],
                  "env": {
                    "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
                  }
                }
              },
              "tools": {
                "core": [
                  "run_shell_command(cat)",
                  "run_shell_command(echo)",
                  "run_shell_command(grep)",
                  "run_shell_command(head)",
                  "run_shell_command(tail)"
                ]
              }
            }
          prompt: '/security:analyze-github-pr'
```
Log output
```text
Current runner version: '2.329.0'
Runner Image Provisioner
Operating System
Runner Image
GITHUB_TOKEN Permissions
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' (SHA:08c6903cd8c0fde910a37f88322edcfb5dd907a8)
Download action repository 'google-github-actions/run-gemini-cli@f7db4b6f82ad0c3725cf4c98bdd93af80e22b4dc' (SHA:f7db4b6f82ad0c3725cf4c98bdd93af80e22b4dc)
Getting action download info
Error: The actions google-github-actions/auth@v2 and actions/upload-artifact@v4 are not allowed in angular/dev-infra because all actions must be pinned to a full-length commit SHA.
```
Additional information
No response
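The failure reported above is a transitive one: the calling workflow pins `actions/checkout` and `run-gemini-cli` to full SHAs, but the composite action's own `action.yml` still references `google-github-actions/auth@v2` and `actions/upload-artifact@v4` by tag, and the organisation-level "Require actions to be pinned to a full-length commit SHA" policy rejects those at download time. The scanner below is an added example (not code from this issue, the `run-gemini-cli` project or GitHub) that finds such references before the policy does. It is a line-based regex scan of `uses:` steps rather than a full YAML parser, and it is meant to be run over every `action.yml` and workflow file in the action repository, which is where the mutable references in this issue live. The sample `action.yml` it scans is constructed for illustration, and the 40-character `a…a` SHA in it is a placeholder, not a real commit.

```python
import re
from dataclasses import dataclass

# A full-length git commit SHA is exactly 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# A container image is immutable only when pinned by digest: @sha256:<64 hex>.
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# Matches a `uses:` step line, quoted or not, with an optional trailing "# vX.Y.Z" hint.
USES_LINE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"\s#]+)['"]?\s*(?:#\s*(?P<comment>.*?))?\s*$"""
)

# Constructed placeholder, NOT a real commit; used only to show a SHA without a version hint.
PLACEHOLDER_SHA = "a" * 40

# Constructed sample composite action.yml modelled on the error message in this issue.
# It is not the real angular/dev-infra or run-gemini-cli action file.
SAMPLE_ACTION_YML = f"""\
name: 'Sample composite action'
runs:
  using: 'composite'
  steps:
    - uses: 'google-github-actions/auth@v2'
    - uses: actions/upload-artifact@v4
    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
    - uses: actions/setup-node@{PLACEHOLDER_SHA}
    - uses: ./local-action
    - uses: docker://alpine:3.20
"""


@dataclass
class Finding:
    line_no: int
    reference: str
    status: str            # "pinned", "mutable" or "local"
    version_comment: str   # the human-readable "# v5.0.0" hint next to a SHA, if any


def classify(reference: str) -> str:
    """Decide whether a `uses:` reference can change underneath the workflow."""
    if reference.startswith("./"):
        return "local"          # same-repo path; resolved from the already checked-out tree
    if reference.startswith("docker://"):
        return "pinned" if IMAGE_DIGEST.search(reference) else "mutable"   # image tags move
    if "@" not in reference:
        return "mutable"        # no ref at all resolves to the default branch
    _, ref = reference.rsplit("@", 1)
    return "pinned" if FULL_SHA.match(ref) else "mutable"   # tags and branches are movable


def scan(yaml_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group("ref")
            findings.append(Finding(line_no, ref, classify(ref), m.group("comment") or ""))
    return findings


def mutable_references(yaml_text: str) -> list[str]:
    """References the SHA-pinning policy would reject."""
    return [f.reference for f in scan(yaml_text) if f.status == "mutable"]


def pinned_without_comment(yaml_text: str) -> list[str]:
    """SHA-pinned references that lack the "# vX.Y.Z" hint reviewers rely on."""
    return [f.reference for f in scan(yaml_text)
            if f.status == "pinned" and not f.version_comment]


def main() -> None:
    for f in scan(SAMPLE_ACTION_YML):
        flag = "FIX" if f.status == "mutable" else "OK "
        hint = f"  # {f.version_comment}" if f.version_comment else ""
        print(f"{flag} line {f.line_no:>3}: {f.reference} ({f.status}){hint}")
    print("mutable references:", mutable_references(SAMPLE_ACTION_YML))
    print("pinned but missing version hint:", pinned_without_comment(SAMPLE_ACTION_YML))


if __name__ == "__main__":
    main()
```

Run against the sample, the two tag references from the error message and the tagged `docker://` image are reported as `mutable`; the checkout pin passes, and the placeholder-pinned `setup-node` step is flagged separately because a bare SHA with no version hint is hard to review. Pointing `scan()` at the action's real `action.yml` would surface the `auth@v2` and `upload-artifact@v4` references before the policy refuses the download.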