ci: Add poutine custom rule for unpinned GitHub Actions detection (#24577)

2026-04-21 15:47:20 +00:00 · 2026-01-20 16:10:04 +01:00 · 2026-01-20 16:10:04 +01:00 · 924817d9fd
commit 924817d9fd
parent 2b4596eb66
9 changed files with 65 additions and 8 deletions
--- a/.github/poutine-rules/unpinned_action.rego
+++ b/.github/poutine-rules/unpinned_action.rego
@ -0,0 +1,43 @@
 # METADATA
 # title: Unpinned GitHub Action
 # description: |-
 #   GitHub Action not pinned to full commit SHA.
 #   Pin actions to SHA for supply chain security.
 # custom:
 #   level: error
 package rules.unpinned_action
 import data.poutine
 import rego.v1
 rule := poutine.rule(rego.metadata.chain())
 # Match 40-character hex SHA (Git) or 64-character sha256 digest (Docker)
 is_sha_pinned(uses) if {
 	regex.match(`@(sha256:[a-f0-9]{64}|[a-f0-9]{40})`, uses)
 }
 # Check if it's a local action (starts with ./)
 is_local_action(uses) if {
 	startswith(uses, "./")
 }
 # Check if it's a reusable workflow call
 is_reusable_workflow(uses) if {
 	contains(uses, ".github/workflows/")
 }
 results contains poutine.finding(rule, pkg.purl, {
 	"path": workflow.path,
 	"job": job.id,
 	"step": i,
 	"details": sprintf("Action '%s' should be pinned to a full commit SHA", [step.uses]),
 }) if {
 	pkg := input.packages[_]
 	workflow := pkg.github_actions_workflows[_]
 	job := workflow.jobs[_]
 	step := job.steps[i]
 	step.uses
 	not is_sha_pinned(step.uses)
 	not is_local_action(step.uses)
 }
--- a/.github/workflows/build-unit-test-pr-comment.yml
+++ b/.github/workflows/build-unit-test-pr-comment.yml
@ -18,7 +18,7 @@ jobs:
    steps:
      - name: Validate user permissions and collect PR data
        id: check_permissions
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/ci-manual-unit-tests.yml
+++ b/.github/workflows/ci-manual-unit-tests.yml
@ -25,7 +25,7 @@ jobs:
    steps:
      - name: Create pending check run on PR
        id: create
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@ -88,7 +88,7 @@ jobs:
    steps:
      - name: Update check run on PR (if triggered from PR comment)
        if: inputs.pr_number != ''
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/create-patch-release-branch.yml
+++ b/.github/workflows/create-patch-release-branch.yml
@ -23,7 +23,7 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - name: Validate inputs
--- a/.github/workflows/sec-poutine-reusable.yml
+++ b/.github/workflows/sec-poutine-reusable.yml
@ -27,6 +27,16 @@ jobs:
      - name: Run Poutine Security Scanner
        uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
      - name: Fail on error-level findings
        run: |
          # Check SARIF for error-level findings
          if jq -e '.runs[].results[] | select(.level == "error")' results.sarif > /dev/null 2>&1; then
            echo "::error::Poutine found error-level security findings:"
            jq -r '.runs[].results[] | select(.level == "error") | "  - \(.ruleId): \(.message.text)"' results.sarif
            exit 1
          fi
          echo "No error-level findings detected"
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
        if: always()
--- a/.github/workflows/test-visual-chromatic.yml
+++ b/.github/workflows/test-visual-chromatic.yml
@ -16,7 +16,7 @@ jobs:
    runs-on: blacksmith-2vcpu-ubuntu-2204
    steps:
      - name: Determine changed files
-        uses: tomi/paths-filter-action@v3.0.2
+        uses: tomi/paths-filter-action@32c62f5ca100c1110406e3477d5b3ecef4666fec # v3.0.2
        id: changed
        if: github.event_name == 'pull_request_review'
        with:
--- a/.github/workflows/test-workflows-pr-comment.yml
+++ b/.github/workflows/test-workflows-pr-comment.yml
@ -21,7 +21,7 @@ jobs:
    steps:
      - name: Validate User, Get PR Details, and React
        id: pr_check_and_details
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/util-claude.yml
+++ b/.github/workflows/util-claude.yml
@ -25,12 +25,12 @@ jobs:
      id-token: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
      - name: Run Claude PR Action
-        uses: anthropics/claude-code-action@beta
+        uses: anthropics/claude-code-action@de8e0b9c42c6cb58e904c857f164aa072244c1ac # beta
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # Or use OAuth token instead:
--- a/.poutine.yml
+++ b/.poutine.yml
@ -4,6 +4,10 @@
 # This file defines skip rules for known-safe patterns.
 # Add new entries only after security review.
 # Custom rules for additional security checks
 include:
  - path: .github/poutine-rules
 skip:
  # === SELF-HOSTED RUNNERS ===
  # We use Blacksmith (trusted CI provider) for self-hosted runners.