c77a88c247
Supply-chain hardening for the CI pipeline. 23 workflow files
modified, 59 mutable-tag refs replaced with commit SHAs.
The risk
Every `uses:` reference in .github/workflows/*.yml was pinned to a
mutable tag (e.g., `actions/checkout@v4`). A maintainer of an
action — or a compromised maintainer account — can repoint that
tag to malicious code, and our pipelines silently pull it on the
next run. The tj-actions/changed-files compromise of March 2025 is
the canonical example: maintainer credential leak, attacker
repointed several `@v<N>` tags to a payload that exfiltrated
repository secrets. Repos that pinned to SHAs were unaffected.
The fix
Replace each `@v<N>` with `@<commit-sha> # v<N>`. The trailing
comment preserves human readability ("ah, this is v4"); the SHA
makes the reference immutable.
Actions covered (10 distinct):
actions/{checkout,setup-go,setup-python,setup-node,upload-artifact,github-script}
docker/{login-action,setup-buildx-action,build-push-action}
github/codeql-action/{init,autobuild,analyze}
dorny/paths-filter
imjasonh/setup-crane
pnpm/action-setup (already pinned in molecule-app, listed here for completeness)
Excluded:
Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main
— internal org reusable workflow; we control its repo, threat model
is different from third-party actions. Conventional to pin to @main
rather than SHA for internal reusables.
The maintenance cost
SHA pinning means upstream fixes require manual SHA bumps. Without
automation, pinned SHAs go stale. So this PR also enables Dependabot
across four ecosystems:
- github-actions (workflows)
- gomod (workspace-server)
- npm (canvas)
- pip (workspace runtime requirements)
Weekly cadence — the supply-chain attack window is "minutes between
repoint and pull"; weekly auto-bumps don't help with zero-days
regardless. The point is to pull in non-zero-day fixes without
operator effort.
Aligns with user-stated principle: "long-term, robust, fully-
automated, eliminate human error."
Companion PR: Molecule-AI/molecule-controlplane#308 (same pattern,
smaller surface).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
129 lines
5.2 KiB
YAML
129 lines
5.2 KiB
YAML
name: CodeQL
|
|
|
|
# Controls CodeQL scan triggers for this repo.
|
|
#
|
|
# GitHub's "Code quality" default setup (the UI-configured one) is
|
|
# hardcoded to only scan the default branch — on this repo that's
|
|
# `staging`, so PRs promoting staging→main would otherwise never be
|
|
# scanned. This workflow fills that gap by explicitly scanning both
|
|
# branches on push and PR.
|
|
#
|
|
# Runs on ubuntu-latest (GHA-hosted — public repo, free). GHAS is NOT
|
|
# enabled on this repo, so results are not uploaded to the Security
|
|
# tab — the scan fails the PR check on findings, and the SARIF is
|
|
# kept as a workflow artifact for triage.
|
|
|
|
on:
|
|
push:
|
|
branches: [main, staging]
|
|
pull_request:
|
|
branches: [main, staging]
|
|
# GitHub merge queue fires `merge_group` for the queue's pre-merge CI run.
|
|
# Required so CodeQL Analyze checks get a real result on the queued
|
|
# commit instead of a false-green. Event only fires once merge queue is
|
|
# enabled on the target branch — safe to add unconditionally.
|
|
merge_group:
|
|
types: [checks_requested]
|
|
schedule:
|
|
# Weekly run picks up findings in code that hasn't been touched.
|
|
- cron: '30 1 * * 0'
|
|
|
|
# Workflow-level concurrency: only one CodeQL run per branch/PR at a time.
|
|
# `cancel-in-progress: false` queues new runs so a quick follow-up push
|
|
# doesn't nuke a 45-min analysis mid-flight.
|
|
concurrency:
|
|
group: codeql-${{ github.ref }}
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
# No security-events: write — we don't call the upload API.
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze (${{ matrix.language }})
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 45
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
language: [go, javascript-typescript, python]
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
|
|
- name: Checkout sibling plugin repo
|
|
# Same reasoning as publish-workspace-server-image.yml — the Go
|
|
# module's replace directive needs the plugin source so
|
|
# CodeQL's "go build" phase can resolve.
|
|
if: matrix.language == 'go'
|
|
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
repository: Molecule-AI/molecule-ai-plugin-github-app-auth
|
|
path: molecule-ai-plugin-github-app-auth
|
|
token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }}
|
|
|
|
# jq is pre-installed on ubuntu-latest — no setup step needed.
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
# security-extended widens past the default to include the
|
|
# full security-query set for a public SaaS surface.
|
|
queries: security-extended
|
|
|
|
- name: Autobuild
|
|
uses: github/codeql-action/autobuild@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
|
|
|
|
- name: Perform CodeQL Analysis
|
|
id: analyze
|
|
uses: github/codeql-action/analyze@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
|
|
with:
|
|
category: "/language:${{ matrix.language }}"
|
|
# upload: never — GHAS isn't enabled on this repo, so the
|
|
# upload API 403s. Write SARIF locally instead.
|
|
upload: never
|
|
output: sarif-results/${{ matrix.language }}
|
|
|
|
- name: Parse SARIF + fail on findings
|
|
# The analyze step writes <database>.sarif into the output
|
|
# directory — database name is the short CodeQL lang id, not
|
|
# the matrix value (e.g. "javascript-typescript" →
|
|
# javascript.sarif), so glob rather than hardcode.
|
|
# Filter to error/warning severity: security-extended emits
|
|
# "note" rows for informational findings we don't want to fail
|
|
# the build over.
|
|
shell: bash
|
|
run: |
|
|
set -euo pipefail
|
|
dir="sarif-results/${{ matrix.language }}"
|
|
sarif=$(ls "$dir"/*.sarif 2>/dev/null | head -1 || true)
|
|
if [ -z "$sarif" ] || [ ! -f "$sarif" ]; then
|
|
echo "::error::No SARIF file found under $dir"
|
|
ls -la "$dir" 2>/dev/null || true
|
|
exit 1
|
|
fi
|
|
echo "Parsing $sarif"
|
|
count=$(jq '[.runs[].results[] | select(.level == "error" or .level == "warning")] | length' "$sarif")
|
|
echo "CodeQL findings (error+warning) for ${{ matrix.language }}: $count"
|
|
if [ "$count" -gt 0 ]; then
|
|
echo "::error::CodeQL found $count issues. Details below; full SARIF in the artifact."
|
|
jq -r '.runs[].results[] | select(.level == "error" or .level == "warning") | " - [\(.level)] \(.ruleId // "?"): \(.message.text // "(no message)") @ \(.locations[0].physicalLocation.artifactLocation.uri // "?"):\(.locations[0].physicalLocation.region.startLine // "?")"' "$sarif"
|
|
exit 1
|
|
fi
|
|
|
|
- name: Upload SARIF artifact
|
|
# Keep SARIF around on success + failure so triagers can diff.
|
|
# 14-day retention — longer than default 3, short enough not
|
|
# to bloat quota.
|
|
if: always()
|
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
|
|
with:
|
|
name: codeql-sarif-${{ matrix.language }}
|
|
path: sarif-results/${{ matrix.language }}/
|
|
retention-days: 14
|