Skip to content

VLN-1354: remediate unpinned-github-actions#1054

Merged
chaptersix merged 4 commits into
mainfrom
camper/unpinned-github-actions-finding-pin-actions-cli
May 29, 2026
Merged

VLN-1354: remediate unpinned-github-actions#1054
chaptersix merged 4 commits into
mainfrom
camper/unpinned-github-actions-finding-pin-actions-cli

Conversation

@picatz

@picatz picatz commented May 27, 2026

Copy link
Copy Markdown
Contributor

🏕️ This pull request was created by camper, an automated security campaign tool.

Finding

Ruleunpinned-github-actions
SeverityHIGH
Repositorytemporalio/cli
TicketVLN-1354

Summary

  • .github/workflows/trigger-docs.yml: Pinned actions/create-github-app-token from @v2 to a full 40-character commit SHA with exact semver comment # v2.2.2.
  • .github/workflows/build-and-publish-docker.yml: Pinned actions/checkout, actions/github-script, docker/setup-qemu-action, docker/setup-buildx-action, and docker/login-action to full 40-character commit SHAs with exact semver comments.
  • .github/workflows/release.yml: Pinned actions/checkout, actions/setup-go, and goreleaser/goreleaser-action to full 40-character commit SHAs with exact semver comments.
  • .github/workflows/ci.yaml: Pinned both actions/checkout refs, both actions/setup-go refs, and actions/upload-artifact to full 40-character commit SHAs with exact semver comments.
  • .github/workflows/govulncheck.yml: Pinned actions/checkout and actions/setup-go to full 40-character commit SHAs with exact semver comments; left temporalio/public-actions/... unchanged per exception.

Instructions

  • Approve to merge this fix
  • Request changes to trigger a new remediation attempt
  • /camper rebase — rebase onto the base branch
  • /camper close — close this PR without merging
  • /camper retry — close and retry with a new fix

@picatz picatz requested a review from a team as a code owner May 27, 2026 14:47
@chaptersix

Copy link
Copy Markdown
Contributor

@picatz does this play nice with dependabot?

@picatz

picatz commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

Dependabot knows how to bump the SHAs, and it updates the comment too:

Screenshot 2026-05-27 at 11 50 04 AM

So it'll play nicely with our cooldown config from #1024:

- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
cooldown:
default-days: 14

@chaptersix

Copy link
Copy Markdown
Contributor

Dependabot knows how to bump the SHAs, and it updates the comment too:

Screenshot 2026-05-27 at 11 50 04 AM So it'll play nicely with our cooldown config from #1024:

- package-ecosystem: github-actions
directory: "/"
schedule:
interval: weekly
cooldown:
default-days: 14

what's the pal for enforcing this going forward? Is there a CI check or can dependabot revert it back to sha?

@chaptersix

Copy link
Copy Markdown
Contributor

it's be great if this PR could go ahead and bump action versions as well. It'd resolve a good but of the dependabot PRs and reviews are a bit slow in this repo right now.

@picatz

picatz commented May 27, 2026

Copy link
Copy Markdown
Contributor Author

what's the pal for enforcing this going forward? Is there a CI check or can dependabot revert it back to sha?

We plan to have a SAST check, likely as a required workflow we'll apply to repos; we have a few options we're exploring, but you will see alerts happen in PRs as feedback in the future.

Dependabot will not be able to revert it back to SHA.

it's be great if this PR could go ahead and bump action versions as well. It'd resolve a good but of the dependabot PRs and reviews are a bit slow in this repo right now.

The campaign scope aims to just pin to whatever users are using. But, if you'd like, I can bump the versions too. It just carries its own risk of not working, or causing different churn / issues than pinning to what's working.

picatz and others added 2 commits May 29, 2026 09:49
Bump all GitHub Actions to their latest versions, kept pinned to commit
SHAs. Resolves the open Dependabot action PRs and brings the remaining
actions in line:

- actions/create-github-app-token v2.2.2 -> v3.1.1 (#1037)
- actions/github-script v8.0.0 -> v9.0.0 (#1036)
- docker/setup-buildx-action v3.10.0 -> v4.1.0 (#1035)
- goreleaser/goreleaser-action v6.4.0 -> v7.2.1 (#1039)
- actions/setup-go -> v6.4.0 across all workflows (#1038)
- actions/checkout v4.3.1 -> v6.0.2 in ci.yaml
- docker/setup-qemu-action v3.2.0 -> v4.1.0
- docker/login-action v3.5.0 -> v4.2.0
@chaptersix

Copy link
Copy Markdown
Contributor

Using this for the commit message:

VLN-1354: pin and bump GitHub Actions to latest versions

Pin all GitHub Actions to full 40-character commit SHAs and bump to
latest versions across all workflows:

- actions/checkout v4.3.1 -> v6.0.2
- actions/setup-go -> v6.4.0
- actions/upload-artifact (already pinned, kept current)
- actions/create-github-app-token v2.2.2 -> v3.1.1 (#1037)
- actions/github-script v8.0.0 -> v9.0.0 (#1036)
- docker/setup-qemu-action v3.2.0 -> v4.1.0
- docker/setup-buildx-action v3.10.0 -> v4.1.0 (#1035)
- docker/login-action v3.5.0 -> v4.2.0
- goreleaser/goreleaser-action v6.4.0 -> v7.2.1 (#1039)

Resolves open Dependabot PRs #1035, #1036, #1037, #1038, #1039.
Left temporalio/public-actions refs unchanged per exception policy.

@picatz

picatz commented May 29, 2026

Copy link
Copy Markdown
Contributor Author

Sounds good to me, thank you! 😄

@chaptersix chaptersix merged commit 12655a4 into main May 29, 2026
10 checks passed
@chaptersix chaptersix deleted the camper/unpinned-github-actions-finding-pin-actions-cli branch May 29, 2026 19:49
chaptersix added a commit that referenced this pull request Jul 6, 2026
…#1104)

## Summary

Backports server-independent changes from `main` into `release/1.8.x`.
Every commit here was verified to build and pass codegen against the
release line's current dependency pins (`server v1.31.0`, `sdk v1.41.1`,
`api v1.62.8`) — nothing pulls in the newer server/SDK/API that landed
on `main` via #1017.

Scope agreed as: bug fixes + CLI changes + CI/tooling. Dependency bumps
(#1040, #1052, #1063) and server-version-dependent features are
intentionally excluded.

## Included (22 commits, cherry-picked with `-x`)

**CLI / bug fixes**
- #1006 Fix help with value flags (addresses #1003 — `--help` with value
flags like `--address 123` surfaced `pflag: help requested` as an error)
- #1012 skip CountWorkflow in batch operations when `--yes` is set
- #1016 Sort output of listing search attributes
- #1029 Workflow delete now prompts for confirmation
- #1033 Add persistence info to start-dev banner
- #1047 Add `temporal schedule list-matching-times` command
- #1056 Fix task-queue config set help: use real fairness weight flag
names
- #1059 Prefix dev server cluster ID with `dev-server-`
- #1089 fix: tls is not added for profiles without tls
- #1099 Clarify activity pause timeout behavior
- #941 auto-generate deprecation warnings from YAML config

**Tests**
- #1005 Fix flakey test by disabling EC2 metadata lookup
- #1020 Remove `time.Sleep()` in commands.taskqueue_test.go

**CI / tooling**
- #1015 pin alpine docker image to 3.23.4
- #1024 remediate missing-dependency-cooldown
- #1034 Bump actions/upload-artifact from 4 to 7
- #1044 improve dependabot config
- #1045 add PR template
- #1054 pin and bump GitHub Actions to latest versions
- #1057 use allow instead of ignore for dependency-type in dependabot
config
- #1080 Bump the github-actions group with 2 updates

## Excluded (rely on the new server/SDK version)
#1017 (server bump v1.31.0 -> v1.32.0-157.0), #1046, #1087, #1001,
#1091, #1084

## Verification
- `go build ./...` passes
- all test packages compile
- `make gen` reports no codegen drift
- server/sdk/api pins unchanged from `release/1.8.x`



## CI endpoint fix (added)
Also backports the API-key CI test endpoint change from #1087
(`us-east-1` -> `ca-central-1`) as a standalone CI-only commit. This
resolves the `Request unauthorized` failure in the "Test cloud API key"
steps on `release/1.8.x`. The rest of #1087 (Nexus Operation command
code) is excluded as it depends on the new server version.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Co-authored-by: Kevin Woo <3469532+kevinawoo@users.noreply.github.com>
Co-authored-by: Rodrigo Zhou <rodrigo.zhou@temporal.io>
Co-authored-by: Stephan Behnke <stephanos@users.noreply.github.com>
Co-authored-by: Jiechen Zhong <jiechen.zhong@temporal.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Kent Gruber <kent.gruber@temporal.io>
Co-authored-by: picatz <14850816+picatz@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Votta <jpvotta@gmail.com>
Co-authored-by: Nasit  Sarwar Sony <nasitsony96@gmail.com>
Co-authored-by: hussam-salah <156124396+hussam-salah@users.noreply.github.com>
Co-authored-by: Sai Asish Y <say.apm35@gmail.com>
Co-authored-by: Bitalizer <23104115+bitalizer@users.noreply.github.com>
Co-authored-by: Sean Kane <spkane31@gmail.com>
Co-authored-by: Jessica Laughlin <JLDLaughlin@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants