chore: pin github actions#1246
Conversation
|
Preview (prod backend + PR dashboard) → https://1246.ns-preview.trapti.tech/ |
📝 Walkthrough
Across several CI/CD workflow definition files, the GitHub Actions action references were updated in one pass from floating version tags to pinned commit SHAs. This improves security and reproducibility across the Helm, Protobuf, Go, dashboard, preview, release and Renovate pipelines and the tag-management workflow.
Changes: pinning of GitHub Actions action references
Review effort: 2 (Simple), about 12 minutes. Pre-merge checks: 5 passed.
Actionable comments posted: 7
🧹 Nitpick comments (1)
.github/workflows/renovate.yaml (1)
49-49: ⚡ Quick win: persist-credentials: false on the Renovate job's checkout is not functionally required, but is worth considering as security hardening.
In .github/workflows/renovate.yaml the actions/checkout@... step does not set persist-credentials, so the default (true) applies and the Git credentials used for the checkout (mainly GITHUB_TOKEN) remain available inside the job.
On the other hand, renovatebot/github-action works through the GitHub API with the GitHub App token passed as token: ${{ steps.generate-token.outputs.token }}, so nothing breaks if there is no git push after the checkout.
Setting persist-credentials: false to avoid persisting credentials that are never needed is therefore worthwhile.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/renovate.yaml at line 49, Update the Renovate workflow's checkout step to disable credential persistence: in the checkout step that uses "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" (the Renovate job's checkout), add the option persist-credentials: false so the default GITHUB_TOKEN credentials are not left in the runner after checkout and Renovate uses the generated GitHub App token instead.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci-helm.yaml:
- Around line 12-14: The actions/checkout step (uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd) is leaving Git
credentials persisted; update the Checkout step by adding the with key
persist-credentials: false so credentials are not stored in the repo config for
downstream steps or referenced workflows, i.e., modify the checkout step's with
block to include persist-credentials: false alongside fetch-depth.
In @.github/workflows/ci-protobuf.yaml:
- Line 18: Add explicit persist-credentials: false to each actions/checkout step
in the ci-protobuf workflow: locate the three uses of "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" and add a
corresponding "with:" block containing "persist-credentials: false" so the
checkout actions do not leave credentials available between jobs (update all
occurrences in the file).
In @.github/workflows/ci.yaml:
- Around line 26-27: The checkout steps using actions/checkout (e.g., the
occurrences of "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd") are missing
persist-credentials configuration; update each checkout step (all six
occurrences) to include a with: persist-credentials: false block so the PAT is
not left in the workspace. Locate every "uses: actions/checkout@..." entry in
the CI workflow and add the with: persist-credentials: false setting without
changing other step behavior.
In @.github/workflows/dashboard-ci.yaml:
- Line 22: Each actions/checkout step in .github/workflows/dashboard-ci.yaml
currently call "uses: actions/checkout@..." without disabling credential
persistence; update each checkout invocation (the five occurrences matching the
existing "uses: actions/checkout@..." lines) to add a with: block containing
persist-credentials: false so that the action runs with credentials persistence
disabled (i.e., add with: persist-credentials: false under each actions/checkout
usage).
In @.github/workflows/release-helm.yaml:
- Around line 40-42: The checkout step using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should disable token
persistence because the job later switches origin to an SSH URL and uses
HELM_PUSH_KEY for pushes; add persist-credentials: false under that checkout
step so the OAuth token is not written into the checked-out repository
credentials and SSH push uses the provided key instead.
In @.github/workflows/release.yaml:
- Line 44: In release.yaml, both checkout steps that use
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd (the one in the
image/release job and the other checkout step) should get with:
persist-credentials: false so that no credentials are left behind after the
checkout; concretely, add a with section to each of those actions/checkout
steps and set persist-credentials: false there so that commit or git push
credentials do not remain inside the workflow.
In @.github/workflows/renovate.yaml:
- Around line 45-48: The GitHub App token step using
actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1
currently omits explicit permissions and may inherit broad rights; update that
step (the one supplying app-id and private-key) to include a minimal permissions
map using the permission-<scope>-<verb> form for only the scopes Renovate needs
(e.g., contents-read, contents-write, pull-requests-read, pull-requests-write,
metadata-read) and, if applicable, set owner and repositories to restrict the
installation targets; ensure the new permissions keys are explicit and minimal
and add owner/repositories entries only if you must limit which installs the
token can act on.
---
📒 Files selected for processing (10)
.github/workflows/ci-helm.yaml
.github/workflows/ci-protobuf.yaml
.github/workflows/ci.yaml
.github/workflows/dashboard-ci.yaml
.github/workflows/preview-comment.yaml
.github/workflows/preview.yaml
.github/workflows/release-helm.yaml
.github/workflows/release.yaml
.github/workflows/renovate.yaml
.github/workflows/tag.yaml
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
  fetch-depth: 0
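Review bot: the trailing # v6.0.2 comment is the only human-readable record of what de0fac2e4500dabe0009e67214ff5f5447ce83dd is, and it is also what pinact and Renovate's digest pinning read when they later bump the SHA, so it has to be kept in step with the SHA rather than edited by hand; nothing on the runner cross-checks the two. The with: block sets fetch-depth: 0 but not persist-credentials: false, so the full-history clone is made with the job token still configured in git for every later step, which is the artipacked warning zizmor reports for this step.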
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate and print the relevant workflow section
if [ -f ".github/workflows/ci-helm.yaml" ]; then
echo "== .github/workflows/ci-helm.yaml =="
nl -ba .github/workflows/ci-helm.yaml | sed -n '1,200p'
else
echo "File not found: .github/workflows/ci-helm.yaml" >&2
exit 1
fi
Repository: traPtitech/NeoShowcase
Length of output: 164
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci-helm.yaml"
if [ -f "$FILE" ]; then
echo "== $FILE =="
# Print first 200 lines with line numbers using awk (since nl is unavailable)
awk '{printf "%4d\t%s\n", NR, $0}' "$FILE" | sed -n '1,200p'
else
echo "File not found: $FILE" >&2
exit 1
fi
Repository: traPtitech/NeoShowcase
Length of output: 4047
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci-helm.yaml"
echo "== grep persist-credentials =="
rg -n "persist-credentials" "$FILE" || true
echo "== grep git push / config auth =="
rg -n "(git push|persist-credentials|GITHUB_TOKEN|remote set-url|credential|http(s)://)" "$FILE" || true
echo "== grep uses: actions/checkout occurrences =="
rg -n "uses:\s*actions/checkout@" "$FILE" || true
echo "== show tail =="
wc -l "$FILE"
awk '{printf "%4d\t%s\n", NR, $0}' "$FILE" | tail -n 80
Repository: traPtitech/NeoShowcase
Length of output: 4504
Disable credential persistence on actions/checkout
Add with: persist-credentials: false to the Checkout step (actions/checkout) in .github/workflows/ci-helm.yaml so that credentials are not left in the git configuration even in a read-only workflow.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 11-14: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
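What "credentials remain in the git configuration" means concretely, as an added example that is not part of this review, of actions/checkout or of the NeoShowcase repository: checkout stores the job token as an HTTP basic-auth header under http.https://github.com/.extraheader, and any later step in the job (or anything that reads the checked-out config) can get it back with git config --get plus a base64 decode. The block constructs a .git/config excerpt in that shape with a placeholder token, recovers the token from it, and shows the cleanup that persist-credentials: false moves from the post-job step to the end of the checkout step itself. Recent checkout versions keep the header in a separate file under $RUNNER_TEMP that .git/config includes; the value format is the same.

```python
import base64
import re

# Constructed placeholder, not a real token.
FAKE_TOKEN = "ghs_0000000000000000000000000000000000"

HEADER_RE = re.compile(
    r"^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+(\S+)\s*$", re.M | re.I)


def extraheader_value(token):
    """The value actions/checkout stores under http.<server>.extraheader:
    HTTP basic auth with user x-access-token and the job token as password."""
    basic = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    return f"AUTHORIZATION: basic {basic}"


def make_config(token, server="https://github.com/"):
    """Constructed .git/config excerpt in the shape checkout leaves behind
    when persist-credentials is left at its default of true."""
    return (
        '[remote "origin"]\n'
        "\turl = https://github.com/traPtitech/NeoShowcase\n"
        f'[http "{server}"]\n'
        f"\textraheader = {extraheader_value(token)}\n"
    )


def recover_token(config_text):
    """What any later step in the job can do with
    `git config --get http.https://github.com/.extraheader`: undo the base64."""
    m = HEADER_RE.search(config_text)
    if not m:
        return None
    user, _, token = base64.b64decode(m.group(1)).decode().partition(":")
    return token if user == "x-access-token" else None


def scrub(config_text):
    """Equivalent of checkout's own `git config --unset-all ...extraheader`.
    With persist-credentials: false this happens before the checkout step ends;
    with the default it only happens in the post-job cleanup, after every other
    step has already had access to the header."""
    kept = [l for l in config_text.splitlines() if not HEADER_RE.match(l)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    cfg = make_config(FAKE_TOKEN)
    print(cfg)
    print("recovered:", recover_token(cfg))
    print("after scrub:", recover_token(scrub(cfg)))
```

The point of the example is the second print: whatever the release or CI job runs after checkout, a third-party action included, has the same read access to that header, which is why the recommendation applies to read-only workflows as well.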
steps:
  - uses: actions/checkout@v6
  - uses: jdx/mise-action@v4
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Add persist-credentials: false to actions/checkout in ci-protobuf.yaml
The actions/checkout steps in .github/workflows/ci-protobuf.yaml (lines 18, 31 and 46) do not set persist-credentials explicitly; add with: persist-credentials: false so that credentials that are not needed do not remain between jobs.
The assumption behind the recommendation (no push operations) still holds, so the change is low-cost.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 18-18: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/ci.yaml"
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
echo "== checkout occurrences =="
rg -n "uses:\s*actions/checkout@" "$FILE" || true
echo
echo "== checkout step blocks (context) =="
# Print around each checkout usage
rg -n "uses:\s*actions/checkout@" "$FILE" | cut -d: -f1 | while read -r l; do
start=$((l-5))
end=$((l+12))
echo "---- $FILE:$l ----"
sed -n "${start},${end}p" "$FILE" | cat -n
echo
done
echo "== push/commit detection =="
rg -n "(git push|push:|create-release|gh release|soft|commit -m|actions/create|repository:.*push)" "$FILE" || true
echo "== any persist-credentials usage =="
rg -n "persist-credentials" "$FILE" || true
Repository: traPtitech/NeoShowcase
Length of output: 5524
Add persist-credentials: false to every actions/checkout step
The six actions/checkout@de0fac2e... steps in .github/workflows/ci.yaml do not set persist-credentials; specify with: persist-credentials: false on each of them to reduce the risk of a leftover token.
Suggested fix
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
📝 Committable suggestion
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 26-26: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
steps:
  - uses: actions/checkout@v6
  - uses: jdx/mise-action@v4
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/dashboard-ci.yaml"
echo "== File: $FILE =="
ls -la "$FILE" || true
echo
# Show around the referenced lines (22,32,43,54,65) with line numbers
for L in 22 32 43 54 65; do
echo "---- context around line $L ----"
sed -n "$((L-8)),$((L+8))p" "$FILE" | nl -ba -w2 -s': ' | sed "s/^/${L}:/"
echo
done
# Grep all checkout uses in this workflow
echo "== All checkout steps =="
rg -n "uses:\s*actions/checkout@" "$FILE" || true
# Show whether persist-credentials is already set near checkout
echo
echo "== checkout persist-credentials occurrences =="
rg -n "persist-credentials:\s*(false|true)" "$FILE" || true
# Check for any push steps or permissions affecting token persistence
echo
echo "== jobs content quick scan for 'persist-credentials' near checkout =="
rg -n "actions/checkout@|persist-credentials" "$FILE" || true
echo
echo "== Workflow triggers (on:) =="
# print on: section
awk '
BEGIN{p=0}
{
if($0 ~ /^on:/){p=1}
if(p==1){print}
if(p==1 && $0 ~ /^[^[:space:]]/ && $0 !~ /^on:/ && $0 !~ /^[[:space:]]/){p=0}
}
' "$FILE" 2>/dev/null || true
# fallback: show first 60 lines
echo
echo "== First 80 lines (for context) =="
head -n 80 "$FILE" | nl -ba -w2 -s': '
Repository: traPtitech/NeoShowcase
Length of output: 295
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/dashboard-ci.yaml"
echo "== File: $FILE =="
# Print whole file with line numbers (file is small per ls: 2002 bytes)
awk '{printf "%d: %s\n", NR, $0}' "$FILE"
echo
echo "== All checkout steps =="
rg -n "uses:\s*actions/checkout@" "$FILE" || true
echo
echo "== checkout persist-credentials occurrences =="
rg -n "persist-credentials:\s*(false|true)" "$FILE" || true
echo
echo "== Any push-ish steps (quick scan) =="
rg -n "(git push|push:|ref:|GITHUB_TOKEN|persist-credentials)" "$FILE" || true
Repository: traPtitech/NeoShowcase
Length of output: 2930
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/dashboard-ci.yaml"
echo "== File: $FILE =="
# Print whole file with line numbers (file is small per ls)
awk '{printf "%d: %s\n", NR, $0}' "$FILE"
echo
echo "== All checkout steps =="
rg -n "uses:\s*actions/checkout@" "$FILE" || true
echo
echo "== checkout persist-credentials occurrences =="
rg -n "persist-credentials:\s*(false|true)" "$FILE" || true
echo
echo "== Any push-ish steps (quick scan) =="
rg -n "(git push|push:|ref:|GITHUB_TOKEN|persist-credentials)" "$FILE" || true
Repository: traPtitech/NeoShowcase
Length of output: 2930
Add persist-credentials: false to actions/checkout in every job.
Each checkout in .github/workflows/dashboard-ci.yaml (lines 22, 32, 43, 54, 65) leaves persist-credentials unset; since the workflow performs no git push or similar, disable credential persistence.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 22-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    fetch-depth: '0'
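Review bot: fetch-depth: '0' is quoted here while ci-helm.yaml passes fetch-depth: 0; action inputs arrive as strings either way, so behaviour is identical, but pick one spelling across the workflows. The more important point is that this with: block is where persist-credentials: false belongs: the job later switches origin to SSH and pushes with HELM_PUSH_KEY, so the HTTPS token the checkout leaves in git config is never used and only widens what a compromised later step can reach.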
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
ls -la .github/workflows || true
sed -n '1,200p' .github/workflows/release-helm.yaml
Repository: traPtitech/NeoShowcase
Length of output: 3676
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show relevant parts around checkout step
rg -n "actions/checkout" .github/workflows/release-helm.yaml
rg -n "persist-credentials|remote set-url|ssh|GIT_SSH|id_rsa|known_hosts" .github/workflows/release-helm.yaml
# Print around line 35-60
nl -ba .github/workflows/release-helm.yaml | sed -n '30,80p'
# Print later push/ssh section
nl -ba .github/workflows/release-helm.yaml | sed -n '80,200p'
Repository: traPtitech/NeoShowcase
Length of output: 518
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# identify full file for context but limit output
wc -l .github/workflows/release-helm.yaml
nl -ba .github/workflows/release-helm.yaml | sed -n '1,260p'
Repository: traPtitech/NeoShowcase
Length of output: 167
🏁 Script executed:
#!/bin/bash
set -euo pipefail
wc -l .github/workflows/release-helm.yaml
nl -ba .github/workflows/release-helm.yaml | sed -n '1,160p'
Repository: traPtitech/NeoShowcase
Length of output: 167
Set persist-credentials to false on actions/checkout (the checkout step in .github/workflows/release-helm.yaml)
The job later runs git remote set-url origin git@github.com:... and pushes over SSH with HELM_PUSH_KEY, so persisting the checkout token is unnecessary. Add persist-credentials: false to the checkout.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 40-42: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
fi

- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/release.yaml"
echo "== File head =="
sed -n '1,140p' "$FILE" | nl -ba
echo
echo "== Matching persist-credentials =="
rg -n "persist-credentials" "$FILE" || true
echo
echo "== Matching git push =="
rg -n "git push" "$FILE" || true
echo
echo "== Checkout steps (uses: actions/checkout) =="
rg -n "uses:\s*actions/checkout@" "$FILE" || true
Repository: traPtitech/NeoShowcase
Length of output: 143
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/release.yaml"
if [ ! -f "$FILE" ]; then
echo "File not found: $FILE"
echo "Top-level listing:"; ls -la
echo "Workflows candidates:"; find .github -maxdepth 3 -type f 2>/dev/null | sed -n '1,200p'
exit 0
fi
echo "== File head (with line numbers) =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,180p'
echo
echo "== Matching persist-credentials =="
rg -n "persist-credentials" "$FILE" || true
echo
echo "== Matching git push =="
rg -n "git push" "$FILE" || true
echo
echo "== Checkout steps (uses: actions/checkout) =="
rg -n "uses:\s*actions/checkout@" "$FILE" || true
Repository: traPtitech/NeoShowcase
Length of output: 4963
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/release.yaml"
echo "== Matching git commands =="
rg -n "\\bgit\\b" "$FILE" || true
echo
echo "== Matching submodule =="
rg -n "submodule" "$FILE" || true
echo
echo "== Matching credential =="
rg -n "credential" "$FILE" || true
echo
echo "== Matching persist-credentials (again) =="
rg -n "persist-credentials" "$FILE" || true
Repository: traPtitech/NeoShowcase
Length of output: 272
Add persist-credentials: false to both checkout steps.
In .github/workflows/release.yaml, actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd is used in the image/release job without persist-credentials set, and no git write operations such as git push are present. Add with: persist-credentials: false at steps:44 and steps:93 so that credentials are not retained after the checkout.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 44-44: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
  app-id: ${{ secrets.RENOVATE_APP_ID }}
  private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
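Review bot: the step passes app-id and private-key but no permission-* inputs, so the token it mints carries the whole installation's permission set; add explicit inputs such as permission-contents: write and permission-pull-requests: write (the exact set depends on the Renovate configuration, for example issues write when the dependency dashboard is enabled) and leave owner and repositories unset so the token stays scoped to this repository. Requesting a permission the installation was not granted makes the step fail, so the list must match what the app was installed with.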
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/renovate.yaml"
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE"
exit 1
fi
echo "== File: $FILE =="
echo "-- lines 1-120 --"
nl -ba "$FILE" | sed -n '1,120p'
echo "-- lines around 35-70 --"
nl -ba "$FILE" | sed -n '35,75p'
echo "-- grep for actions/checkout --"
rg -n "actions/checkout" "$FILE" || true
echo "-- grep for create-github-app-token --"
rg -n "actions/create-github-app-token" "$FILE" || true
Repository: traPtitech/NeoShowcase
Length of output: 190
🏁 Script executed:
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/renovate.yaml"
if [ ! -f "$FILE" ]; then
echo "Missing file: $FILE" >&2
exit 1
fi
echo "== File: $FILE =="
echo "-- lines 1-140 --"
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,140p'
echo "-- grep for actions/checkout --"
rg -n "actions/checkout" "$FILE" || true
echo "-- grep for create-github-app-token --"
rg -n "actions/create-github-app-token" "$FILE" || true
echo "-- show block around create-github-app-token (if present) --"
# Print a window around the match line
MATCH_LINE=$(rg -n "actions/create-github-app-token" "$FILE" | head -n 1 | cut -d: -f1 || true)
if [ -n "${MATCH_LINE:-}" ]; then
START=$((MATCH_LINE-15))
END=$((MATCH_LINE+25))
[ $START -lt 1 ] && START=1
awk -v s="$START" -v e="$END" '{if(NR>=s && NR<=e) printf "%5d\t%s\n", NR, $0}' "$FILE"
fi
echo "-- show block around actions/checkout (if present) --"
MATCH_LINE2=$(rg -n "actions/checkout" "$FILE" | head -n 1 | cut -d: -f1 || true)
if [ -n "${MATCH_LINE2:-}" ]; then
START2=$((MATCH_LINE2-15))
END2=$((MATCH_LINE2+25))
[ $START2 -lt 1 ] && START2=1
awk -v s="$START2" -v e="$END2" '{if(NR>=s && NR<=e) printf "%5d\t%s\n", NR, $0}' "$FILE"
fi
Repository: traPtitech/NeoShowcase
Length of output: 6164
🌐 Web query:
GitHub Actions actions/create-github-app-token inputs owner repositories permissions default behavior
💡 Result:
The actions/create-github-app-token action manages GitHub App installation access tokens with the following default behaviors for the owner, repositories, and permissions inputs [1][2]: Owner The owner input is optional [1][3]. If left empty, it defaults to the owner of the current repository [1][4]. Repositories The repositories input is optional and accepts a comma or newline-separated list of repositories [1][4]. Its default behavior depends on the state of the owner input [1][2]: - If owner is provided and repositories is empty, the token is scoped to all repositories in that owner's installation [1][2]. - If both owner and repositories are empty, the token is scoped only to the current repository [1][2]. Permissions The permissions input allows you to specify the permissions to grant the token [1][4]. By default, if no permissions are explicitly defined, the generated token inherits all of the permissions granted to the GitHub App installation [1][2]. It is recommended to explicitly list required permissions as a security best practice, following the principle of least privilege [1][4]. If you choose to specify them, you can do so by prefixing the permission key with permission- (e.g., permission-pull-requests: write) [1][2]. Note that if you request a permission that the app installation does not actually possess, the action will return an error [4]. Additionally, installation permissions are distinct from the app's base permissions; they are defined at the time of installation and any subsequent additions must be approved by an account administrator [1][2].
Citations:
- 1: https://github.com/actions/create-github-app-token?tab=readme-ov-file
- 2: https://github.com/actions/create-github-app-token
- 3: https://github.com/actions/create-github-app-token/blob/main/action.yml
- 4: https://github.com/marketplace/actions/create-github-app-token
🌐 Web query:
GitHub Actions actions/checkout persist-credentials default value and security guidance
💡 Result:
The default value for the persist-credentials input in the actions/checkout GitHub Action is true [1][2]. When persist-credentials is set to true (the default), the action configures the authentication token (such as the GITHUB_TOKEN) or SSH key into the local Git configuration. This allows subsequent steps in the same job to perform authenticated Git operations (like git fetch or git push) without needing to manually re-authenticate [1][2]. Recent updates have improved security by storing these credentials in a separate file under $RUNNER_TEMP rather than directly in the repository's .git/config file [2][3]. Security Guidance: 1. Use persist-credentials: false whenever authenticated Git operations are not required for your workflow [4]. This prevents the storage of credentials in the environment and follows the principle of least privilege, reducing the potential impact if a workflow step is compromised [5][4]. 2. If your workflow relies on persist-credentials: true and later fails when you disable it, you may need to manually configure authentication for subsequent steps, for example, by using git remote set-url with a secret [5]. 3. Note that the GITHUB_TOKEN itself remains accessible to all steps within a job regardless of the persist-credentials setting. To secure your workflows, you should also apply the principle of least privilege to the GITHUB_TOKEN itself by restricting its permissions (e.g., using fine-grained permissions or read-only defaults) at the workflow or repository level [6][7]. 4. To mitigate supply chain risks, avoid running untrusted code in the same job context as a checkout, and consider pinning actions to specific commit SHAs rather than using floating tags [8][4].
Citations:
- 1: https://github.com/actions/checkout/blob/main/README.md
- 2: https://github.com/actions/checkout
- 3: Persist creds to a separate file actions/checkout#2286
- 4: https://cheatsheetseries.owasp.org/cheatsheets/GitHub_Actions_Security_Cheat_Sheet.html
- 5: Reconfigure credentials when `persist-credentials: false` is set stefanzweifel/git-auto-commit-action#356
- 6: Remove persist-credentials or change the default to false actions/checkout#485
- 7: https://www.aikido.dev/blog/checklist-github-actions
- 8: https://dev.to/duriantaco/github-actions-security-and-gitlab-ci-security-static-analysis-for-cicd-g9h
Minimise the GitHub App token's permissions. (.github/workflows/renovate.yaml 45-48)
actions/create-github-app-token is given no owner / repositories / permissions inputs, so by default the token inherits the permissions granted to the GitHub App at installation and is not least-privilege. Declare the required permissions explicitly (permission-<scope>-<verb> form) and, where needed, narrow owner / repositories as well.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 45-45: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions
(github-app)
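The three things this review asks for (SHA pins, as described in the walkthrough; persist-credentials: false on every checkout; explicit permission-* inputs on create-github-app-token) can be checked mechanically before zizmor or a reviewer sees the PR. The block below is an added example, not code from the NeoShowcase repository, from pinact or from zizmor: a stdlib-only Python linter that applies those three rules line by line, run over two constructed workflow fragments, one in the floating-tag form this PR replaces and one in the pinned form reusing the SHAs from this PR. It assumes the layout these workflows use, one step per uses: line with the step's with: block indented beneath it, and does not parse full YAML.

```python
"""Added example, not NeoShowcase code: lint workflow YAML for this review's findings."""
import re
import textwrap
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


@dataclass
class Finding:
    line: int    # 1-based line of the uses: entry
    rule: str    # "unpinned" | "persist-credentials" | "app-permissions"
    detail: str


def _inputs(lines, start):
    """with: inputs of the step whose uses: line is lines[start]. The step body is
    everything indented at or beyond the 'uses:' column; less indent = next step."""
    body = lines[start].index("uses:")
    inputs, in_with = {}, False
    for raw in lines[start + 1:]:
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent < body:
            break
        m = KEY_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if indent == body:
            in_with = key == "with"   # any sibling key ends the with: block
        elif in_with:
            inputs[key] = value
    return inputs


def lint(workflow_text):
    """Return one Finding per violation, in file order, for a single workflow file."""
    lines, findings = workflow_text.splitlines(), []
    for i, raw in enumerate(lines):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref, lineno = m.group(1), i + 1
        action, at, version = ref.rpartition("@")
        if not at:                      # ./local or docker:// refs have nothing to pin
            action = ref
        elif not (SHA_RE.match(version) or version.startswith("sha256:")):
            findings.append(Finding(lineno, "unpinned", f"{action} uses mutable ref {version!r}"))
        inputs = _inputs(lines, i)
        if action == "actions/checkout" and inputs.get("persist-credentials") != "false":
            findings.append(Finding(lineno, "persist-credentials",
                                    "token stays in git config for every later step"))
        if action == "actions/create-github-app-token" and not any(
                k.startswith("permission-") for k in inputs):
            findings.append(Finding(lineno, "app-permissions",
                                    "token inherits every installation permission"))
    return findings


# Constructed samples. WEAK is the floating-tag shape this PR moves away from;
# HARDENED reuses the SHAs pinned in the PR and adds the two review suggestions.
WEAK = textwrap.dedent("""\
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v6
            with:
              fetch-depth: 0
          - uses: actions/setup-go@v6
          - id: app
            uses: actions/create-github-app-token@v3
            with:
              app-id: ${{ secrets.APP_ID }}
              private-key: ${{ secrets.APP_PRIVATE_KEY }}
    """)

HARDENED = textwrap.dedent("""\
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
            with:
              fetch-depth: 0
              persist-credentials: false
          - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
          - id: app
            uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
            with:
              app-id: ${{ secrets.APP_ID }}
              private-key: ${{ secrets.APP_PRIVATE_KEY }}
              permission-contents: write
              permission-pull-requests: write
    """)

if __name__ == "__main__":
    for f in lint(WEAK):
        print(f"line {f.line}: [{f.rule}] {f.detail}")
```

The persist-credentials rule mirrors zizmor's artipacked check: only a literal false passes, because the action's default is true. The permission-* inputs shown in HARDENED are the shape of the fix for the github-app finding; which scopes Renovate actually needs depends on its configuration, and they must not exceed what the app installation was granted or the step fails.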
Why
For security.
What was done
Used pinact.
What was not done
References
Summary by CodeRabbit
Chores