Skip to content

Enhance reusable workflows#80

Open
Yaswant Pradhan (yaswant) wants to merge 166 commits into
mainfrom
develop
Open

Enhance reusable workflows#80
Yaswant Pradhan (yaswant) wants to merge 166 commits into
mainfrom
develop

Conversation

@yaswant

@yaswant Yaswant Pradhan (yaswant) commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

PR Summary

Code Reviewer: James Bruten (@james-bruten-mo)

Hardens the GitHub Actions security baseline across all workflows.

Action pinning

  • All third-party actions replaced with immutable 40-char commit SHAs (e.g. actions/checkout@v6@df4cb1c…).
  • actions/github-script in track-review-project.yaml upgraded from v8 → v9 as part of the pin.

Credential & permission scoping

  • persist-credentials: false added to every actions/checkout step
  • Top-level permissions: {} set on caller workflows; granular contents: read / pull-requests: write / actions: read pushed down to job level in call-track-review-project.yaml, call-trigger-project-workflow.yaml, and trigger-project-workflow.yaml
  • fortran-lint.yaml gains an explicit contents: read job permission.

Template-injection fixes (zizmor)

  • cla-check.yaml: step outputs and inputs.cla-url moved to env: vars, read via process.env.* in the github-script block.
  • fortran-lint.yaml: all string/path inputs moved to env: vars; boolean flags resolved in shell using a bash array.
  • track-review-project.yaml: inputs.project_org and inputs.project_number moved to env: vars. Also, included PROJECT_ACTION_PAT secret as required parameter to avoid secret inheritance in caller workflow (breaking change! See updated README for usage).

CLA workflow logic

  • Merge-ref detection replaced: git ls-remote → gh api repos/.../pulls/… (avoids unauthenticated git network call).
  • CONTRIBUTORS.md modification check rewritten: git diff → GitHub Contents API + base64 | tr | cmp (avoids authenticated git fetch from fork). File modification now checked against content instead of just file state.

Tooling & config

  • New dependabot.yaml: monthly schedule, major-version updates blocked, all action updates grouped into a single PR
  • New zizmor.yaml: suppresses unpinned-uses, dangerous-triggers, and secrets-inherit for the two caller workflows that use secrets: inherit
  • .yamllint: updated ignore syntax; added comments and comments-indentation rules.
  • PR template: minor formatting tidy-up, emoji section headers, few typo fixes.

To enforce strict GitHub Actions security baselines, we now use immutable 40-character commit SHAs.

✅ Code Quality Checklist

(Some checks are automatically carried out via the CI pipeline)

  • I have performed a self-review of my own code
  • My code follows the project's style guidelines
  • The modified workflow's README has been updated, if required
  • The changes have been sufficiently tested (see MetOffice/git_playground/pull/137)

🤖 AI Assistance and Attribution

  • Some of the content of this change has been produced with the assistance of Generative AI tool name (e.g., Met Office Github Copilot Enterprise, Github Copilot Personal, ChatGPT GPT-4, etc) and I have followed the Simulation Systems AI policy (including attribution labels)

💻 Code Review

  • The changes are approriate and testing has been sufficient

@yaswant
update checkout action version to v6 in CLA workflow
d0af05e
@yaswant
refactor: enhance CLA check for contributor status in PR branch
fe826dc
@yaswant
refactor: update step name for contributor check in CLA workflow
e78dd86
@yaswant
refactor: update ref input handling for CLA verification
fc10ca3
@yaswant
refactor: add functionality to delete old CLA-related comments
2bd6f12
@yaswant
refactor: improve filtering of CLA-related comments from GitHub Actio…
ff15ce5 
…ns bot
@yaswant
refactor: remove unused ref input and simplify checkout ref handling
1181bdb
@yaswant
refactor: add error handling for deleting old CLA comments
e2f37e7
@yaswant
refactor: enhance error handling for label creation in CLA workflow
48dd503
@yaswant
refactor: update CONTRIBUTORS file references to CONTRIBUTORS.md in C…
4e23060 
…LA workflow
@yaswant
refactor: update CLA comment link to point to the correct repository …
548cddf 
…location
@yaswant
Update post message
dcf2c97
@yaswant
Handle the scenario where a contributor has already signed the CLA in…
a455d67 
… the base branch
@yaswant
Merge branch 'main' into develop
2415cc9
@yaswant
Empty Commit
8e563d5
@yaswant
Refactor CLA workflow to use base SHA for accurate comparison
0eeacb5
@yaswant
Add copyright notice to CLA Checker workflow file
49f528b
@yaswant
Merge branch 'main' into develop
91bf7c5
@james-bruten-mo @yaswant
remove labelling when cla already signed on base (#46)
61639ac 
Co-authored-by: Yaswant Pradhan <2984440+yaswant@users.noreply.github.com>
@james-bruten-mo
Remove label (#47)
61964fe
@james-bruten-mo
Remove label (#48)
dc0cdf9
@james-bruten-mo
Remove label (#49)
ba7228b
@james-bruten-mo
update cla action (#50)
641b29d
@james-bruten-mo
Project edit action (#53)
ac9a69a
@james-bruten-mo
add permissions to develop branch action
322090a
@james-bruten-mo
update permissions syntax
b57ad63
@james-bruten-mo
try read-all
6132c4b
@james-bruten-mo
revert to write
7dcbe75
@james-bruten-mo
test without assigning
05cadd4
@james-bruten-mo
update secret
c412c32
@yaswant
merge: sync history with main to fix README diff
e5b7a25
@yaswant
Add depandabot and zizmor configuration
437d782
@yaswant
Fix yamllint
e05254d
@yaswant
Fix yamllint config
a9577c5
@yaswant
Fix yamllint too many blank lines
c18be21
@yaswant
Use gh api to query merge ref metadata
ae02afa
@yaswant
Call gh files api directly to check modifcation status
fde7019
@yaswant
Check CONTRIBUTOR content changes
f30059d
@yaswant
Check CONTRIBUTOR content changes 2
6a419f4
@yaswant
Check CONTRIBUTOR content changes 3
e4549de
@yaswant
Revert
53d3c7e
@yaswant
Update pull request template to standardize checklist headings
2e4d833
@yaswant
Refactor CONTRIBUTORS.md modification check in CLA workflow to improv…
bfd31d8 
…e handling of merge conflicts and streamline file comparison
@yaswant
Enhance CONTRIBUTORS.md check in CLA workflow to improve handling of …
ce36a2b 
…private forks and streamline file comparison
@yaswant Yaswant Pradhan (yaswant) changed the title Pin third party actions Enhance reusable workflows Jun 8, 2026
@yaswant
Update linked README files
916299f
@yaswant
Fix formatting in README.md for permissions section
acdad39
@yaswant
Enhance workflow permissions
07d5a66
@yaswant
Refactor PR reviewer extraction and project metadata handling for imp…
3dc3aff 
…roved safety and clarity
@yaswant
Update README.md to clarify project entry handling and enhance permis…
499779a 
…sions for workflows
@yaswant
Update workflows and dependencies for improved validation and linting
a1c1b0f 
- Set 'requirements' in build-sphinx-docs.yaml to optional
- Update output redirection syntax in cla-check.yaml, sphinx-docs.yaml, and track-review-project.yaml for consistency
- Add Actionlint, Zizmor, and Markdown Lint steps to validate workflows in validate.yaml
- Change shell from Python to Bash in labeler action for input validation
- Update pyproject.toml to include new dependencies and configure Markdown Lint settings
- Improve formatting and clarity in README.md
@yaswant
Enhance shell script detection in validation workflow with improved m…
ba8edcb 
…essaging and error handling
@yaswant
Improve shell script detection messaging in validation workflow
c97548b
@yaswant
Empty Commit
5749f74
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@james-bruten-mo James Bruten (james-bruten-mo) Awaiting requested review from james-bruten-mo

At least 1 approving review is required to merge this pull request.

Assignees

@yaswant Yaswant Pradhan (yaswant)

Labels

CI security Changes to prevent code vulnerabilities

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security hardening: Pin third-party actions to immutable commit SHAs

3 participants

@yaswant @mo-ssd-bot @james-bruten-mo