Skip to content

fix: sonar issues: Address security concerns regarding github actions#1622

Open
jcraiglo1 wants to merge 2 commits into
mainfrom
sonar/security-hotspots
Open

fix: sonar issues: Address security concerns regarding github actions#1622
jcraiglo1 wants to merge 2 commits into
mainfrom
sonar/security-hotspots

Conversation

@jcraiglo1

@jcraiglo1 jcraiglo1 commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

https://redhat.atlassian.net/browse/AAP-77394

One of multiple Sonarcloud PRs. Addresses multiple security concerns by:

  • Pinning all GitHub Actions to immutable commit SHAs to prevent supply-chain attacks via tag mutation
  • Move secrets out of run: block interpolation into env: declarations in e2e-dispatch.yml and ui-e2e.yml
  • Add persist-credentials: false to checkout steps that don't require authenticated git operations, reducing token exposure to subsequent steps

Assisted-by: Claude

Summary by CodeRabbit

  • Security & Reliability

    • Pinned third-party GitHub Actions to specific commit SHAs across linting, validation, CI, image builds, E2E (UI/API), OpenAPI syncing, scheduled tests, and Sonar analysis for improved supply-chain stability.
    • Disabled credential persistence (persist-credentials: false) on checkout steps where applicable.
  • Workflow Maintenance

    • Preserved existing linting, testing, build, E2E, OpenAPI handling, and analysis behavior while improving workflow reproducibility.
    • Updated E2E dispatch and UI E2E artifact/result handling to use environment-based credentials/config when invoking external services and containers.

@jcraiglo1
jcraiglo1 requested a review from a team as a code owner July 17, 2026 18:26
@jcraiglo1

Copy link
Copy Markdown
Contributor Author

/run-e2e

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 13f416ab-59cb-422d-b54b-f1a1d1296366

📥 Commits

Reviewing files that changed from the base of the PR and between fcad508 and b478671.

📒 Files selected for processing (1)
  • .github/workflows/ui-e2e.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ui-e2e.yml

📝 Walkthrough

Walkthrough

This change replaces floating GitHub Actions tags with commit-pinned references across composite actions and CI, build, maintenance, API E2E, and UI E2E workflows. Selected checkout steps disable persisted credentials, and PDE uploads use environment variables.

Changes

Workflow hardening

Layer / File(s) Summary
Shared actions and core workflow pinning
.github/actions/*, .github/workflows/{ci,autoupdate-poetry,build-image,scheduled,sonar-pr,sync-openapi-spec}.yml
Composite actions and general workflows now use SHA-pinned action revisions, with selected checkout steps setting persist-credentials: false.
API E2E workflow updates
.github/workflows/e2e-dispatch.yml
API E2E action references and checkout settings are pinned, and PDE upload commands use PDE_UPLOAD_* environment variables.
UI E2E workflow updates
.github/workflows/ui-e2e.yml
GitHub Script, checkout, and registry actions are pinned, while EDA credentials are passed into the Docker test container through step environment variables.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: hardening GitHub Actions by addressing security concerns.
Description check ✅ Passed The description covers the issue link, what changed, why it changed, and how it addresses the security concerns.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sonar/security-hotspots

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@jcraiglo1

Copy link
Copy Markdown
Contributor Author

/run-atf-tests

@github-actions
github-actions Bot deployed to e2e-tests July 17, 2026 18:27 Active

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ui-e2e.yml:
- Around line 157-164: Quote the EDA_USERNAME and EDA_PASSWORD variable
expansions in the docker run command within the workflow’s run block so each
secret is passed as a single argument, preserving values containing spaces or
glob characters.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 8a940ff1-d11f-4219-bd22-cf805bd39a59

📥 Commits

Reviewing files that changed from the base of the PR and between 51086aa and fcad508.

📒 Files selected for processing (11)
  • .github/actions/lint/action.yml
  • .github/actions/test/action.yml
  • .github/actions/validate-openapi-spec/action.yml
  • .github/workflows/autoupdate-poetry.yml
  • .github/workflows/build-image.yml
  • .github/workflows/ci.yaml
  • .github/workflows/e2e-dispatch.yml
  • .github/workflows/scheduled.yml
  • .github/workflows/sonar-pr.yml
  • .github/workflows/sync-openapi-spec.yml
  • .github/workflows/ui-e2e.yml

Comment thread .github/workflows/ui-e2e.yml Outdated
@codecov-commenter

codecov-commenter commented Jul 17, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.75%. Comparing base (51086aa) to head (b478671).

@@           Coverage Diff           @@
##             main    #1622   +/-   ##
=======================================
  Coverage   92.75%   92.75%           
=======================================
  Files         244      244           
  Lines       11346    11346           
=======================================
  Hits        10524    10524           
  Misses        822      822           
Flag Coverage Δ
unit-int-tests-3.11 92.75% <ø> (ø)
unit-int-tests-3.12 92.75% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@aap-pde-ci-bot

Copy link
Copy Markdown

❌ Test Results - FAILED

Summary

Metric Count
Total Tests 66
✅ Passed 33
❌ Failed 0
⚠️ Errors 17
⏭️ Skipped 16
⏱️ Duration 58.50s

Pass Rate: 50.0%

❌ Failed Tests

Test Class
test_activation_reaches_completed_status opt.test-suite.tests.api.test_activations.TestEdaActivations
test_delete_decision_environment_with_force_flag opt.test-suite.tests.api.test_decision_environments.TestDecisionEnvironments
test_list_projects[bulk_projects0] opt.test-suite.tests.api.test_projects.TestProjects
test_create_project_duplicated opt.test-suite.tests.api.test_projects.TestProjects
test_read_project opt.test-suite.tests.api.test_projects.TestProjects
test_delete_project opt.test-suite.tests.api.test_projects.TestProjects
test_update_project opt.test-suite.tests.api.test_projects.TestProjects
test_update_project_url opt.test-suite.tests.api.test_projects.TestProjects
test_update_project_bad_foreign_keys opt.test-suite.tests.api.test_projects.TestProjects
test_update_project_null_credential opt.test-suite.tests.api.test_projects.TestProjects
test_update_project_no_changes opt.test-suite.tests.api.test_projects.TestProjects
test_update_project_duplicated_name opt.test-suite.tests.api.test_projects.TestProjects
test_create_update_project_empty_name opt.test-suite.tests.api.test_projects.TestProjects
test_filter_project_name[bulk_projects0] opt.test-suite.tests.api.test_projects.TestProjects
test_filter_project_name[bulk_projects1] opt.test-suite.tests.api.test_projects.TestProjects
test_filter_project_url[bulk_projects0] opt.test-suite.tests.api.test_projects.TestProjects
test_change_organization_of_project_to_invalid_value opt.test-suite.tests.api.test_projects.TestProjects

@jcraiglo1
jcraiglo1 marked this pull request as draft July 17, 2026 19:02
@sonarqubecloud

Copy link
Copy Markdown

@jcraiglo1
jcraiglo1 marked this pull request as ready for review July 17, 2026 20:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants