[Supply-chain] Pin Gitea workflow actions to immutable revisions #241

Closed
opened 2026-07-11 12:51:08 +02:00 by zemion · 1 comment
Owner

Semgrep flags mutable action tags such as actions/checkout@v4. This is normal in many projects but is a real supply-chain decision.

Classification: supply-chain hardening.

Report evidence:

  • 12 Semgrep findings across .gitea/workflows/dependency-audit.yml, module-matrix.yml, release-integration.yml, security-audit.yml, and security-audit-toolbox-update.yml.
  • Rule: github-actions-mutable-action-tag.

Suggested next steps:

  • Decide whether the self-hosted Gitea runner should pin upstream actions by full commit SHA.
  • If yes, pin actions/checkout, actions/setup-python, actions/setup-node, and actions/upload-artifact and document the update process.
  • If no, keep this as accepted risk with a narrow Semgrep exception for .gitea/workflows/*.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

<!-- codex-audit-full-2026-07-11:core-workflow-action-pinning --> Semgrep flags mutable action tags such as `actions/checkout@v4`. This is normal in many projects but is a real supply-chain decision. Classification: **supply-chain hardening**. Report evidence: - 12 Semgrep findings across `.gitea/workflows/dependency-audit.yml`, `module-matrix.yml`, `release-integration.yml`, `security-audit.yml`, and `security-audit-toolbox-update.yml`. - Rule: `github-actions-mutable-action-tag`. Suggested next steps: - Decide whether the self-hosted Gitea runner should pin upstream actions by full commit SHA. - If yes, pin `actions/checkout`, `actions/setup-python`, `actions/setup-node`, and `actions/upload-artifact` and document the update process. - If no, keep this as accepted risk with a narrow Semgrep exception for `.gitea/workflows/*`. Baseline report directory: `audit-reports/govoplan-full-20260711-1238`
zemion added the
type
task
priority
p2
status
ready
module/core
codex/ready
labels 2026-07-11 12:51:08 +02:00
zemion added the
area/security
audit/quick-fix
source/security-audit
labels 2026-07-11 16:05:25 +02:00
Author
Owner

Codex State: done

Summary

  • The Gitea workflow files have moved out of govoplan-core into the meta repository.
  • The current finding is tracked in add-ideas/govoplan#2 and was fixed locally there by pinning the action references to immutable SHAs.
  • govoplan-core no longer has .gitea/workflows action references to remediate.

Closing this core issue as superseded by the meta issue.

## Codex State: done ### Summary - The Gitea workflow files have moved out of `govoplan-core` into the meta repository. - The current finding is tracked in `add-ideas/govoplan#2` and was fixed locally there by pinning the action references to immutable SHAs. - `govoplan-core` no longer has `.gitea/workflows` action references to remediate. Closing this core issue as superseded by the meta issue.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#241
No description provided.