Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/agents-71-codex-belt-dispatcher.yml
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@ jobs:
echo "dry_run=${{ inputs.dry_run }}" >>"$GITHUB_OUTPUT"

- name: Checkout repo (for retry helpers)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Do not patch synced agents-* workflows locally.

Line 170, Line 186, and Line 296 update a synced agents-*.yml workflow in this repo. Per repo policy, this change needs to be made in stranske/Workflows and then synced here; otherwise local drift will be overwritten.

As per coding guidelines, .github/workflows/agents-*.yml workflows should be fixed in stranske/Workflows, not locally.

Also applies to: 186-186, 296-296

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/agents-71-codex-belt-dispatcher.yml at line 170, The
changes at line 170, line 186, and line 296 in the
agents-71-codex-belt-dispatcher.yml workflow file are modifications to a synced
workflow that should not be made locally. Per repo policy, revert all three
changes from this file and instead make those same modifications in the
stranske/Workflows repository. Once the changes are applied there, the sync
process will automatically update this agents-71-codex-belt-dispatcher.yml file,
preventing local drift that would otherwise be overwritten.

Sources: Coding guidelines, Linked repositories

with:
token: ${{ env.GH_DISPATCH_TOKEN }}
fetch-depth: 1
Expand All @@ -183,7 +183,7 @@ jobs:
uses: ./.github/actions/resolve-default-branch

- name: Checkout (for retry helpers)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: stranske/Workflows
ref: ${{ steps.workflows_ref.outputs.ref }}
Expand Down Expand Up @@ -293,7 +293,7 @@ jobs:

- name: Checkout default branch
if: ${{ steps.pick.outputs.issue != '' && steps.mode.outputs.dry_run != 'true' }}
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ steps.pick.outputs.base }}
token: ${{ env.GH_DISPATCH_TOKEN }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/agents-72-codex-belt-worker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,7 @@ jobs:
.write();

- name: Checkout repo (for retry helpers)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ env.GH_BELT_TOKEN }}
fetch-depth: 1
Expand All @@ -306,7 +306,7 @@ jobs:
uses: ./.github/actions/resolve-default-branch

- name: Checkout Workflows scripts
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: stranske/Workflows
ref: ${{ steps.workflows_ref.outputs.ref }}
Expand Down Expand Up @@ -569,15 +569,15 @@ jobs:

- name: Checkout branch
if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') }}
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ steps.ctx.outputs.branch }}
token: ${{ env.GH_BELT_TOKEN }}
fetch-depth: 0

- name: Checkout belt tooling
if: ${{ steps.parallel.outputs.allowed == 'true' && (inputs.keepalive != true || steps.keepalive_gate.outputs.action != 'skip') }}
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: stranske/Workflows
ref: ${{ steps.workflows_ref.outputs.ref }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-73-codex-belt-conveyor.yml
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ jobs:
} >>"$GITHUB_OUTPUT"

- name: Checkout retry helpers
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/actions/setup-api-client
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/agents-80-pr-event-hub.yml
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ jobs:
should_run: ${{ steps.eligibility.outputs.should-run || 'false' }}
steps:
- name: Checkout eligibility action
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: >-
${{ github.event.pull_request.base.sha ||
Expand Down Expand Up @@ -252,7 +252,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout scripts
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/scripts/error_classifier.js
Expand Down Expand Up @@ -314,7 +314,7 @@ jobs:

- name: Checkout repository
if: steps.check-merged.outputs.merged == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: stranske/Workflows
token: ${{ secrets.SERVICE_BOT_PAT || github.token }}
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/agents-81-gate-followups.yml
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ jobs:
fingerprint_current_hash: ${{ steps.fingerprint.outputs.current_hash }}
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the file exists and get its location
find . -name "agents-81-gate-followups.yml" -type f

Repository: stranske/trip-planner

Length of output: 114


🏁 Script executed:

#!/bin/bash
# If file exists, read the relevant lines around 84, 384, and 547
if [ -f ".github/workflows/agents-81-gate-followups.yml" ]; then
  echo "=== Lines 80-90 (around line 84) ==="
  sed -n '80,90p' ".github/workflows/agents-81-gate-followups.yml"
  echo ""
  echo "=== Lines 380-390 (around line 384) ==="
  sed -n '380,390p' ".github/workflows/agents-81-gate-followups.yml"
  echo ""
  echo "=== Lines 543-553 (around line 547) ==="
  sed -n '543,553p' ".github/workflows/agents-81-gate-followups.yml"
fi

Repository: stranske/trip-planner

Length of output: 1353


🏁 Script executed:

#!/bin/bash
# Check if the file also exists in stranske/Workflows
find . -name "agents-81-gate-followups.yml" -type f

Repository: stranske/Workflows

Length of output: 135


🏁 Script executed:

#!/bin/bash
# Get the job context for all three checkout instances
echo "=== Context for Line 84 checkout (job name and full job) ==="
sed -n '1,84p' ".github/workflows/agents-81-gate-followups.yml" | tail -30
echo ""
echo "=== Context for Line 384 checkout ==="
sed -n '370,390p' ".github/workflows/agents-81-gate-followups.yml"
echo ""
echo "=== Context for Line 547 checkout ==="
sed -n '535,560p' ".github/workflows/agents-81-gate-followups.yml"

Repository: stranske/trip-planner

Length of output: 3692


🏁 Script executed:

#!/bin/bash
# Search for git push commands in this workflow file
echo "=== Looking for git push, git commit, or write operations ==="
rg -n "git (push|commit|add)" ".github/workflows/agents-81-gate-followups.yml" || echo "No direct git push/commit found"

Repository: stranske/trip-planner

Length of output: 159


🏁 Script executed:

#!/bin/bash
# Check the template file in Workflows repo
echo "=== Template file in Workflows repo ==="
if [ -f "templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml" ]; then
  echo "File exists. Checking for persist-credentials setting:"
  rg "persist-credentials" "templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml" || echo "No persist-credentials found in template"
fi

Repository: stranske/Workflows

Length of output: 198


🏁 Script executed:

#!/bin/bash
# Get exact job names
echo "=== Job name for line 84 ==="
sed -n '50,90p' ".github/workflows/agents-81-gate-followups.yml" | grep -E "^  [a-z-]+:" | tail -1

echo ""
echo "=== Full job for line 384 ==="
sed -n '370,395p' ".github/workflows/agents-81-gate-followups.yml" | head -20

echo ""
echo "=== Full job name for line 547 ==="
sed -n '510,550p' ".github/workflows/agents-81-gate-followups.yml" | grep -E "^  [a-z-]+:" | tail -1

Repository: stranske/trip-planner

Length of output: 836


🏁 Script executed:

#!/bin/bash
# Check the full file for any git operations that might be hidden in steps
echo "=== All step names in this workflow ==="
rg "name:" ".github/workflows/agents-81-gate-followups.yml" | head -40

Repository: stranske/trip-planner

Length of output: 1571


🏁 Script executed:

#!/bin/bash
# Get the complete list of what each of the three jobs does after checkout
echo "=== Job at line 84 (full context) ==="
sed -n '1,150p' ".github/workflows/agents-81-gate-followups.yml" | tail -60

echo ""
echo "=== Job at line 384 ==="
sed -n '375,430p' ".github/workflows/agents-81-gate-followups.yml"

Repository: stranske/trip-planner

Length of output: 4935


Apply this security hardening to the source template in stranske/Workflows instead.

This is a synced workflow from the Workflows repository template. Per the coding guidelines, agents-*.yml workflows should be fixed in stranske/Workflows, not locally. The three checkout instances (lines 84, 384, 547) are in read-only jobs that do not push commits—persist-credentials: false is a valid hardening measure to reduce token exposure surface.

Apply the following patch to stranske/Workflows/templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml:

Proposed hardening patch for Workflows template
       - name: Checkout
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 83-84: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/agents-81-gate-followups.yml at line 84, This is a synced
workflow file from the stranske/Workflows repository template, so changes must
be applied to the source template instead of locally. Navigate to
stranske/Workflows and locate the template file at
templates/consumer-repo/.github/workflows/agents-81-gate-followups.yml. In that
file, add persist-credentials: false to the three
actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 instances (at lines
84, 384, and 547) to harden the workflow by reducing token exposure surface in
these read-only jobs that do not push commits.

Source: Linters/SAST tools


- name: Setup API client
uses: ./.github/actions/setup-api-client
Expand Down Expand Up @@ -381,7 +381,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Setup API client
uses: ./.github/actions/setup-api-client
Expand Down Expand Up @@ -483,7 +483,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout runner library
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
scripts/runner_lib
Expand Down Expand Up @@ -544,7 +544,7 @@ jobs:
environment: agent-standard
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Setup API client
uses: ./.github/actions/setup-api-client
Expand Down Expand Up @@ -843,7 +843,7 @@ jobs:
dispatch_reason: ${{ steps.runner_dispatch.outputs.reason }}
steps:
- name: Checkout (for security gate + agent registry)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/actions/setup-api-client
Expand Down Expand Up @@ -1280,7 +1280,7 @@ jobs:
environment: agent-standard
steps:
- name: Checkout (for retry helpers)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/scripts/github-api-with-retry.js
Expand Down Expand Up @@ -1350,7 +1350,7 @@ jobs:
environment: agent-standard
steps:
- name: Checkout (for retry helpers)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/scripts/github-api-with-retry.js
Expand Down Expand Up @@ -1548,7 +1548,7 @@ jobs:
steps:
# Do not remove checkout; the retry helper is required.
- name: Checkout (for retry helpers)
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/scripts/github-api-with-retry.js
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/agents-auto-label.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:

steps:
- name: Checkout eligibility action
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: >-
${{ github.event.pull_request.base.sha ||
Expand All @@ -54,7 +54,7 @@ jobs:

- name: Checkout repository
if: steps.eligibility.outputs.should-run == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Setup API client
if: steps.eligibility.outputs.should-run == 'true'
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/agents-auto-pilot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ jobs:
proceed: ${{ steps.eligibility.outputs.should-run }}
steps:
- name: Checkout eligibility action
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Update synced agents-*.yml workflows in stranske/Workflows, not in this repo.

These changes should be made upstream in stranske/Workflows and then synced down; local edits here risk drift and overwrite on next sync.

As per coding guidelines, "agents-*.yml workflows should be fixed in stranske/Workflows, not locally".

Also applies to: 158-158, 184-184

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/agents-auto-pilot.yml at line 74, Revert the changes you
made to the agents-auto-pilot.yml workflow file (including the actions/checkout
update at line 74 and the additional changes at lines 158 and 184) since
agents-*.yml workflows must be modified upstream in the stranske/Workflows
repository, not locally in this repo. Apply these same changes to the
corresponding agents-auto-pilot.yml file in the stranske/Workflows repository
instead, and then allow the sync process to propagate the changes back down to
this repository to avoid drift and unintended overwrites during future syncs.

Source: Coding guidelines

with:
ref: >-
${{ github.event.pull_request.base.sha ||
Expand Down Expand Up @@ -155,7 +155,7 @@ jobs:

- name: Checkout repository
if: steps.check_enabled.outputs.enabled == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ steps.app_token.outputs.token || github.token }}

Expand All @@ -181,7 +181,7 @@ jobs:

- name: Checkout Workflows scripts
if: steps.check_enabled.outputs.enabled == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ steps.app_token.outputs.token || github.token }}
repository: stranske/Workflows
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-autofix-dispatcher.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ jobs:
owner: ${{ github.repository_owner }}

- name: Checkout workflow helpers
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ steps.app_token.outputs.token || github.token }}
sparse-checkout: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-capability-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Setup API client
uses: ./.github/actions/setup-api-client
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-decompose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Setup API client
uses: ./.github/actions/setup-api-client
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-dedup.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Setup API client
uses: ./.github/actions/setup-api-client
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/agents-guard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:

steps:
- name: Checkout eligibility action
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: >-
${{ github.event.pull_request.base.sha ||
Expand Down Expand Up @@ -67,7 +67,7 @@ jobs:
if: >-
steps.eligibility.outputs.should-run == 'true' &&
github.event_name == 'pull_request_target'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.event.pull_request.base.sha }}
sparse-checkout-cone-mode: false
Expand Down Expand Up @@ -138,7 +138,7 @@ jobs:
if: >-
steps.eligibility.outputs.should-run == 'true' &&
github.event_name == 'pull_request'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout-cone-mode: false
sparse-checkout: |
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/agents-issue-optimizer.yml
Original file line number Diff line number Diff line change
Expand Up @@ -117,11 +117,11 @@ jobs:

- name: Checkout repository
if: steps.check.outputs.should_run == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Checkout Workflows repository for scripts
if: steps.check.outputs.should_run == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: stranske/Workflows
path: workflows-scripts
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-keepalive-loop-reporter.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout keepalive scripts
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/scripts
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/agents-verifier.yml
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ jobs:
fingerprint_current_hash: ${{ steps.fingerprint.outputs.current_hash }}
steps:
- name: Checkout retry helpers
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/actions/setup-api-client
Expand Down Expand Up @@ -330,7 +330,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout state fingerprint helper
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: scripts/state_fingerprint.py
sparse-checkout-cone-mode: false
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-verify-to-new-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ jobs:

- name: Checkout repository
if: steps.check-merged.outputs.merged == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: stranske/Workflows
token: ${{ steps.select-token.outputs.token }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/agents-weekly-metrics.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
owner: ${{ github.repository_owner }}

- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:

token: ${{ steps.app_token.outputs.token || github.token }}
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/autofix.yml
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ jobs:
dispatch_reason: ${{ steps.runner_dispatch.outputs.reason }}
steps:
- name: Checkout eligibility action
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

GitHub Actions checkout v7.0.0 fork pull request blocking behavior and whether explicit ref parameter bypasses fork blocking for pull_request_target events

💡 Result:

In version 7.0.0 and later, the actions/checkout action implements security guardrails that block the checkout of fork pull request code when the workflow is triggered by pull_request_target or workflow_run [1][2]. This change was introduced to prevent "pwn request" vulnerabilities, where executing untrusted fork code in a privileged context (i.e., one with access to base repository secrets and the GITHUB_TOKEN) could lead to unauthorized access [1][2]. Regarding the behavior of the ref parameter: 1. Blocking Mechanism: By default, the checkout action will refuse to fetch fork-based content in these privileged triggers [1][3]. Attempting to use an explicit ref parameter (such as a pull request head SHA) without the required opt-in will result in a failure [1][2]. 2. Bypassing the Block: To legitimately check out fork code in these scenarios, you must explicitly opt in by setting the allow-unsafe-pr-checkout input to true [1][2]. This should only be done after reviewing the associated security risks, as it effectively authorizes the execution of untrusted fork code in a trusted, privileged environment [1]. 3. Trusted Base-Branch Checkouts: Recent updates have refined this security validation [4]. The action now recognizes explicit checkout configurations targeting the base repository and its trusted base references as safe [4]. Specifically, checkouts are treated as safe if the repository is the base repository (or omitted) and the ref refers to the base SHA or base ref [4]. These safe patterns do not trigger the security block and do not require setting allow-unsafe-pr-checkout to true [4]. In summary, an explicit ref pointing to a fork's head SHA does not bypass the security block; rather, the block is enforced to prevent such unsafe checkouts unless you explicitly acknowledge the risk by enabling the safety bypass [1][2].

Citations:


🏁 Script executed:

#!/bin/bash
# Check reusable-18-autofix.yml for allow-unsafe-pr-checkout configuration
rg -A 5 "actions/checkout" .github/workflows/reusable-18-autofix.yml || true

Repository: stranske/Workflows

Length of output: 964


🏁 Script executed:

#!/bin/bash
# Search for any allow-unsafe-pr-checkout usage in the workflows
rg "allow-unsafe-pr-checkout" .github/workflows/ || true

Repository: stranske/Workflows

Length of output: 44


🏁 Script executed:

#!/bin/bash
# Check the checkout actions in trip-planner's autofix.yml
sed -n '65,100p' .github/workflows/autofix.yml

Repository: stranske/trip-planner

Length of output: 1755


🏁 Script executed:

#!/bin/bash
# Check context around line 521 for the third checkout
sed -n '515,530p' .github/workflows/autofix.yml

Repository: stranske/trip-planner

Length of output: 584


🏁 Script executed:

#!/bin/bash
# Also check the full event trigger context for the resolve job
sed -n '80,95p' .github/workflows/autofix.yml

Repository: stranske/trip-planner

Length of output: 840


Remove upgrade to v7.0.0—stay with v6 to maintain compatibility with reusable-18-autofix.yml.

The reusable-18-autofix.yml in stranske/Workflows still uses actions/checkout@v6 and will not be updated as part of this PR. Since this reusable workflow is called on line 495 and handles fork PR scenarios by passing ref: ${{ env.PR_HEAD_REF || github.ref }}, upgrading to v7.0.0 in the caller workflow while the reusable workflow remains on v6 creates version mismatch inconsistency. Additionally, to maintain backward compatibility across all 13 consumer repositories that depend on these workflows, version consistency is preferable. Revert lines 70, 94, and 521 to @v6.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/autofix.yml at line 70, Revert the actions/checkout action
from v7.0.0 back to v6 in three locations within the autofix.yml workflow file
(lines 70, 94, and 521). Replace each instance of
`actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0` with
`actions/checkout@v6` to maintain consistency with the reusable workflow
reusable-18-autofix.yml which still uses v6, ensuring version compatibility
across all consumer repositories that depend on these workflows.

with:
ref: >-
${{ github.event.pull_request.base.sha ||
Expand All @@ -91,7 +91,7 @@ jobs:

- name: Checkout for API helpers
if: steps.eligibility.outputs.should-run == 'true'
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
.github/actions/setup-api-client
Expand Down Expand Up @@ -518,7 +518,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout runner library
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
scripts/runner_lib
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/backplane-conformance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
run_json: artifacts/reference/run.json
manifest: artifacts/reference/manifest.json
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:
python-version: '3.14'
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/baseline-report.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
refresh:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pin checkout action to commit SHA instead of @v7 tag.

This file uses an unpinned tag reference (@v7) which violates the coding guideline that .github/workflows/*.yml files should pin action references to specific commit SHAs. Other workflows in this PR correctly use the pinned v7.0.0 commit SHA format.

Update line 28 to use the commit SHA with an inline version comment for consistency across the repository.

🔧 Proposed fix
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v7
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 28-30: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 28-28: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/baseline-report.yml at line 28, In the baseline-report.yml
file, update the actions/checkout action reference from the unpinned tag `@v7` to
a pinned commit SHA format. Replace the tag reference with the specific commit
SHA used in other workflows in this repository (mentioned as v7.0.0 format) and
include an inline version comment to maintain consistency with other workflow
files that follow this pinning convention.

Source: Coding guidelines

with:
token: ${{ secrets.ACTIONS_BOT_PAT || secrets.GITHUB_TOKEN }}

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
name: Runtime CI
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@v7

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Pin checkout action to commit SHA instead of @v7 tag.

This file uses an unpinned tag reference (@v7) which violates the coding guideline that .github/workflows/*.yml files should pin action references to specific commit SHAs. Other workflows in this PR correctly use the pinned v7.0.0 commit SHA format.

Update line 43 to use the commit SHA with an inline version comment for consistency across the repository.

🔧 Proposed fix
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v7
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 43-43: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 43-43: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 43, The `actions/checkout@v7` reference in
the workflow file uses an unpinned tag instead of a specific commit SHA, which
violates the repository's security guideline for GitHub Actions. Replace the
`@v7` tag reference with the pinned commit SHA format for v7.0.0, including an
inline version comment for clarity, to match the pattern used consistently in
other workflows in the repository.

Source: Coding guidelines


- name: Set up Python
uses: actions/setup-python@v6
Expand Down
Loading
Loading