25 changes: 16 additions & 9 deletions .github/dependabot.yml
@@ -1,18 +1,25 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
- package-ecosystem: github-actions
directory: /
schedule:
interval: "weekly"
interval: weekly
cooldown:
default-days: 7
groups:
actions-deps:
patterns:
- "*"
actions:
patterns: ["*"]
ignore:
- dependency-name: DeterminateSystems/*
commit-message:
prefix: ci

- package-ecosystem: "cargo"
directory: "/"
- package-ecosystem: cargo
directory: /
schedule:
interval: "weekly"
interval: weekly
cooldown:
default-days: 7
groups:
cargo-deps:
patterns:
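Review bot: The new `ignore` entry `dependency-name: DeterminateSystems/*` drops those actions from Dependabot entirely, and nothing in the file records why. Read together with the `ref-pin` policy for the same pattern in `.github/zizmor.yml` on this page, it looks like a deliberate decision to keep first-party actions floating on `@main`; a comment on the entry makes that explicit, e.g. `# First-party actions intentionally track @main; exempted from hash-pinning in .github/zizmor.yml`. If the plan is instead to SHA-pin them later, note that this ignore would also suppress the SHA bumps Dependabot would otherwise propose. The `cargo` entry continues outside the hunk.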
12 changes: 9 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -19,13 +19,19 @@ jobs:
contents: read
id-token: write
steps:
- uses: actions/checkout@v7
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/flakehub-cache-action@main
- name: Check Nixpkgs input
uses: DeterminateSystems/flake-checker-action@main
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Non-SHA action refs =="
rg -nP '^\s*-\s*uses:\s*[^@]+@(?![0-9a-f]{40}\b)' .github/workflows

echo "== Floating `@main` refs =="
rg -nP '^\s*-\s*uses:\s*[^@]+@main\b' .github/workflows

Repository: DeterminateSystems/detsys-ids-client

Length of output: 482


🏁 Script executed:

cd .github/workflows && sed -n '24,32p' ci.yml

Repository: DeterminateSystems/detsys-ids-client

Length of output: 386


Pin DeterminateSystems actions to immutable commit SHAs.

Lines 26-29 still use floating @main refs for all three DeterminateSystems actions (nix-installer-action, flakehub-cache-action, and flake-checker-action), which weakens supply-chain integrity and reproducibility compared to SHA pinning.

Suggested change
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/flakehub-cache-action@main
+      - uses: DeterminateSystems/nix-installer-action@<40-char-commit-sha>
+      - uses: DeterminateSystems/flakehub-cache-action@<40-char-commit-sha>
       - name: Check Nixpkgs input
-        uses: DeterminateSystems/flake-checker-action@main
+        uses: DeterminateSystems/flake-checker-action@<40-char-commit-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 26 - 29, Replace the floating `@main`
references with immutable commit SHAs for all three DeterminateSystems actions:
nix-installer-action, flakehub-cache-action, and flake-checker-action. For each
action, change the `@main` branch ref to a full 40-character commit SHA (format `@<40-char-commit-sha>`) to
ensure reproducibility and strengthen supply-chain integrity. Look up the
current stable commit hash for each action and apply it consistently across all
three uses directives.


- name: Lint GitHub Actions
if: always()
run: nix develop --command zizmor .github

- name: Check EditorConfig conformance
if: always()
run: nix develop --command check-editorconfig
Expand All @@ -34,9 +40,9 @@ jobs:
if: always()
run: nix develop --command check-spelling

- name: Check nixpkgs-fmt formatting
- name: Check Nix formatting
if: always()
run: nix develop --command check-nixpkgs-fmt
run: nix develop --command check-nix-fmt

- name: Check rustfmt
if: always()
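Review bot: The new `Lint GitHub Actions` step runs under `if: always()`, which also fires when the run has been cancelled or when checkout itself failed; `if: ${{ !cancelled() }}` keeps the intent of running every linter even after an earlier one fails without those cases. The neighbouring steps use `always()` as well, so this is a file-wide convention rather than a defect introduced here; if it stays, a one-line comment on the step such as `# always(): run every linter so all findings are reported together` would record why. The `jobs` block begins and ends outside the hunk.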
6 changes: 4 additions & 2 deletions .github/workflows/publish.yml
Expand Up @@ -9,8 +9,10 @@ jobs:
permissions:
id-token: write # Required for OIDC token exchange
steps:
- uses: actions/checkout@v7
- uses: rust-lang/crates-io-auth-action@v1
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- uses: rust-lang/crates-io-auth-action@c6f97d42243bad5fab37ca0427f495c86d5b1a18 # v1.0.5
id: auth
- run: cargo publish
env:
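Review bot: The job's `permissions:` block grants only `id-token: write`, so every other scope, including `contents`, is none for this job, whereas the ci job on this page declares `contents: read` beside `id-token: write`. Checkout of a public repository is generally expected to succeed without a token, and `persist-credentials: false` means nothing later relies on one, but the asymmetry deserves a comment, e.g. `# contents stays none: public checkout needs no token, only OIDC is needed for crates.io`, or an explicit `contents: read` for consistency with ci.yml. The `cargo publish` step's `env:` continues outside the hunk.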
5 changes: 5 additions & 0 deletions .github/zizmor.yml
@@ -0,0 +1,5 @@
rules:
unpinned-uses:
config:
policies:
DeterminateSystems/*: ref-pin
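Review bot: `ref-pin` for `DeterminateSystems/*` accepts any symbolic ref, so the `@main` uses in ci.yml pass the `unpinned-uses` audit; only `hash-pin` rejects branch and tag refs. If exempting first-party actions is intentional, say so in the file, e.g. `# First-party actions may float on a branch ref; all other actions are held to the default (hash-pin) policy`, so a later reader does not mistake this for a pinning requirement. Patterns not listed here fall back to zizmor's built-in policy rather than anything stated in this file; confirm that default is the strictness intended instead of relying on it implicitly.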
32 changes: 16 additions & 16 deletions flake.lock


109 changes: 68 additions & 41 deletions flake.nix
Expand Up @@ -16,39 +16,53 @@
};

outputs =
{ self
, nixpkgs
, fenix
, naersk
, ...
} @ inputs:
{
self,
nixpkgs,
fenix,
naersk,
...
}@inputs:
let
supportedSystems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ];
supportedSystems = [
"x86_64-linux"
"aarch64-linux"
"aarch64-darwin"
];

forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: (forSystem system f));

forSystem = system: f: f rec {
inherit system;
pkgs = nixpkgs.legacyPackages.${system};
lib = pkgs.lib;
};
forSystem =
system: f:
f rec {
inherit system;
pkgs = nixpkgs.legacyPackages.${system};
lib = pkgs.lib;
};

fenixToolchain = system: with fenix.packages.${system};
combine ([
stable.clippy
stable.rustc
stable.cargo
stable.rustfmt
stable.rust-src
stable.rust-analyzer
] ++ nixpkgs.lib.optionals (system == "x86_64-linux") [
targets.x86_64-unknown-linux-musl.stable.rust-std
] ++ nixpkgs.lib.optionals (system == "aarch64-linux") [
targets.aarch64-unknown-linux-musl.stable.rust-std
]);
fenixToolchain =
system:
with fenix.packages.${system};
combine (
[
stable.clippy
stable.rustc
stable.cargo
stable.rustfmt
stable.rust-src
stable.rust-analyzer
]
++ nixpkgs.lib.optionals (system == "x86_64-linux") [
targets.x86_64-unknown-linux-musl.stable.rust-std
]
++ nixpkgs.lib.optionals (system == "aarch64-linux") [
targets.aarch64-unknown-linux-musl.stable.rust-std
]
);
in
{
devShells = forAllSystems ({ system, pkgs, ... }:
devShells = forAllSystems (
{ system, pkgs, ... }:
let
toolchain = fenixToolchain system;
check = import ./nix/check.nix { inherit pkgs toolchain; };
Expand All @@ -58,29 +72,33 @@
default = pkgs.mkShell.override { stdenv = pkgs.clangStdenv; } {
name = "detsys-ids-client-shell";

RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
env.RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";

nativeBuildInputs = with pkgs; [ ];
buildInputs = with pkgs; [
packages = with pkgs; [
toolchain
cargo-outdated
cacert
cargo-audit
cargo-watch
cargo-nextest
cargo-machete
nixpkgs-fmt
zizmor
self.formatter.${system}
check.check-rustfmt
check.check-spelling
check.check-nixpkgs-fmt
check.check-nix-fmt
check.check-editorconfig
check.check-clippy
libiconv
];
};
});
}
);

formatter = forAllSystems ({ pkgs, ... }: pkgs.nixfmt-tree);

checks = forAllSystems ({ system, pkgs, ... }:
checks = forAllSystems (
{ system, pkgs, ... }:
let
toolchain = fenixToolchain system;
check = import ./nix/check.nix { inherit pkgs toolchain; };
Expand All @@ -96,16 +114,25 @@
check-spelling
touch $out
'';
check-nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt" { buildInputs = [ check.check-nixpkgs-fmt ]; } ''
cd ${./.}
check-nixpkgs-fmt
touch $out
'';
check-editorconfig = pkgs.runCommand "check-editorconfig" { buildInputs = [ pkgs.git check.check-editorconfig ]; } ''
check-nix-fmt = pkgs.runCommand "check-nix-fmt" { buildInputs = [ check.check-nix-fmt ]; } ''
cd ${./.}
check-editorconfig
check-nix-fmt
touch $out
'';
});
check-editorconfig =
pkgs.runCommand "check-editorconfig"
{
buildInputs = [
pkgs.git
check.check-editorconfig
];
}
''
cd ${./.}
check-editorconfig
touch $out
'';
}
);
};
}
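Review bot: The `formatter` output is `pkgs.nixfmt-tree` and the dev shell now lists `self.formatter.${system}`, while the new `check-nix-fmt` check is taken from `./nix/check.nix`, which is not in this diff, so whether it invokes the same formatter cannot be confirmed from here. If check.nix picks a formatter package on its own, the two can drift silently; passing the formatter in next to `toolchain` (`check = import ./nix/check.nix { inherit pkgs toolchain; formatter = self.formatter.${system}; };`) would keep one source of truth, assuming check.nix is updated to accept it. The `checks` attribute set begins in the earlier hunk.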