ci: add GitHub Actions workflow mirroring Prow CI jobs#275

Open
sebrandon1 wants to merge 1 commit into
openshift:mainfrom
sebrandon1:ci/github-actions-workflow

Conversation

@sebrandon1 sebrandon1 commented May 1, 2026


Summary

Adds a GitHub Actions workflow (.github/workflows/pre-main.yml) that mirrors all 7 existing Prow CI jobs. This provides redundant CI coverage while the OpenShift CI cluster experiences capacity/scheduling issues (e.g., pod scheduling timeouts on ci/prow/verify-deps).

Supersedes #246 — that PR was closed because it bundled too many changes together (golangci-lint config migration to v2 format, source code fixes, golden file updates). This PR takes a minimal approach: only the workflow file is added, no other files are modified.

Jobs

| GitHub Actions Job | Prow Equivalent | What it does |
|---|---|---|
| golint | ci/prow/golint | Runs golangci-lint v1.64 (pinned to v1.x for config compatibility) |
| modtidy | ci/prow/modtidy | Verifies go mod tidy produces no changes |
| verify-deps | ci/prow/verify-deps | Verifies vendor directory is in sync |
| unit | ci/prow/unit | Runs make test-all (pkg + addon tools) |
| security | ci/prow/security | Runs gosec + govulncheck (open-source alternative to Snyk) |
| images | ci/prow/images | Verifies linux/amd64 build compiles (Dockerfile uses private OpenShift base images) |
| markdownlint | ci/prow/markdownlint | Runs markdownlint-cli2 with existing config |

Key decisions vs #246

  • No .golangci.yml changes — the existing v1 config is used as-is
  • No source code changes — purely CI infrastructure
  • golangci-lint pinned to v1.64 since the config uses v1 format
  • Security scanning uses gosec + govulncheck instead of Snyk (no API tokens needed)
  • Image build verification compiles the Go binary only (OpenShift CI base images are private)

Test plan

  • All 7 GitHub Actions jobs trigger and run on this PR
  • Jobs that should pass do pass; any failures are CI config issues to iterate on
  • Existing Prow checks continue to run alongside the new GHA checks

Summary by CodeRabbit

  • Chores
    • Added an automated CI workflow for main-branch pull requests and pushes that runs: Go linting, Go module hygiene and vendoring verification, unit tests, security scans, Markdown linting, and a Linux/amd64 build check.

coderabbitai Bot commented May 1, 2026


Walkthrough

Adds a GitHub Actions workflow for pull requests and pushes to main that runs linting, module and vendor checks, unit tests, security scans, a Linux build, and Markdown linting.

Changes

Pre-Main CI Workflow

| Layer | File(s) | Summary |
|---|---|---|
| Workflow triggers and permissions | .github/workflows/pre-main.yml | Defines the workflow trigger on pull_request and push to main and sets contents: read permissions. |
| Go lint job | .github/workflows/pre-main.yml | Runs golangci-lint v1.64 with verbose resource usage reporting after setting up Go from go.mod. |
| Module and vendor verification | .github/workflows/pre-main.yml | Runs go mod tidy with a git diff --exit-code check for go.mod and go.sum, then regenerates vendored dependencies and checks for repository diffs. |
| Tests and security scans | .github/workflows/pre-main.yml | Runs make test-all, then installs and runs gosec and govulncheck across ./... with generated code and vendor/ exclusions. |
| Build and Markdown checks | .github/workflows/pre-main.yml | Runs make build for linux/amd64 and markdownlint-cli2-action for Markdown files excluding `vendor/**/*.md`. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a GitHub Actions workflow that mirrors existing Prow CI jobs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR only adds a GitHub Actions workflow; no Ginkgo test titles or test files were changed, so there are no dynamic test names to flag. |
| Test Structure And Quality | ✅ Passed | Workflow-only PR; no Ginkgo test files or test code changes to evaluate against the test-structure checklist. |
| Microshift Test Compatibility | ✅ Passed | PR only adds .github/workflows/pre-main.yml; no new Go/Ginkgo tests or MicroShift-relevant APIs were introduced. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests were added or modified; this PR only adds a GitHub Actions workflow, so SNO compatibility check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR only adds a GitHub Actions workflow; no deployment manifests, operators, or controllers, and no scheduling fields like affinity/nodeSelector are present. |
| Ote Binary Stdout Contract | ✅ Passed | PR only adds .github/workflows/pre-main.yml; no Go/binary code changed, so there are no process-level stdout writes to assess. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only adds a GitHub Actions workflow; no new Ginkgo e2e tests or networking code were added. |
| No-Weak-Crypto | ✅ Passed | PASS: The PR only adds a CI workflow, and it contains no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB usage, custom crypto, or secret comparisons. |
| Container-Privileges | ✅ Passed | The PR only adds a GitHub Actions workflow; it contains no container/K8s privilege settings like privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation. |
| No-Sensitive-Data-In-Logs | ✅ Passed | The new workflow contains no commands that echo or print secrets, PII, hostnames, or customer data; only standard CI steps are run. |

@openshift-ci openshift-ci Bot requested review from imiller0 and lack May 1, 2026 19:40
openshift-ci Bot commented May 1, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign pixelsoccupied for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/pre-main.yml (2)

3-10: ⚡ Quick win

Consider adding concurrency to cancel superseded runs (optional).

Since this workflow runs on every PR update and every push to main, adding a top-level concurrency block (cancel-in-progress: true) can reduce wasted compute when multiple commits land close together.

🟡 Optional concurrency block
 on:
   pull_request:
     branches:
       - main
   push:
     branches:
       - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
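Review bot: `cancel-in-progress: true` also applies to the `push` trigger on `main`, so a main-branch run can be cancelled by the next push before it completes, leaving that commit with no finished check. Consider cancelling only PR runs, e.g. `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`, and keep the group key as written: PR runs are keyed by `github.event.pull_request.number` and push runs by `github.ref`, so the two never share a group.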

88-109: ⚖️ Poor tradeoff

Pin security scanner tool versions; verify CLI flags & whether vendor/ is scanned.

The security job installs both scanners with @latest:

  • gosec ...@latest (Line 102)
  • govulncheck ...@latest (Line 107)

This can break CI unpredictably when either tool changes behavior/defaults. Also, please verify two things:

  1. The gosec flag -exclude-generated and -exclude-dir=vendor are valid for gosec/v2 as installed.
  2. Whether govulncheck ./... effectively excludes vendor/ in module/package discovery (to avoid slow/duplicate scanning).

📥 Commits

Reviewing files that changed from the base of the PR and between 0074fee and 6d4a721.

📒 Files selected for processing (1)
  • .github/workflows/pre-main.yml

Comment on lines +53 to +72
verify-deps:
name: Verify vendor dependencies
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod

- name: Regenerate vendor directory
run: |
go mod tidy
go mod vendor

- name: Check for changes
run: git diff --exit-code


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Make verify-deps fail on untracked changes (not just diffs).

verify-deps regenerates vendor and then runs git diff --exit-code (Line 71). git diff won’t fail on newly-created untracked files. If regeneration introduces any untracked outputs (or if vendor/ isn’t fully tracked for some reason), the job can incorrectly pass.

✅ Suggested change (use `git status --porcelain` gate)
       - name: Check for changes
-        run: git diff --exit-code
+        run: |
+          git diff --exit-code
+          status="$(git status --porcelain)"
+          if [ -n "$status" ]; then
+            echo "$status"
+            exit 1
+          fi
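Review bot: `git status --porcelain` already lists modified tracked files as well as untracked ones, so the `git diff --exit-code` line kept above it is redundant as a gate; if it stays for the readable patch it prints to the job log, a short comment saying so would help the next reader. Consider `git status --porcelain --untracked-files=all` as well, so that a newly vendored module is listed file by file rather than as a single collapsed `?? vendor/<module>/` entry.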
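As an added example, not taken from the PR or the kube-compare project, the script below builds a throwaway git repository and runs both gates against it: the PR's `git diff --exit-code` and the suggested `git status --porcelain` check. The repository contents and paths are constructed for the demonstration; only the second gate catches a newly vendored file.

```bash
#!/usr/bin/env bash
# Added example (not from the PR or the kube-compare project): compare the
# PR's verify-deps gate, `git diff --exit-code`, with the suggested
# `git status --porcelain` gate, using a throwaway repository built here.
# Keep git from reading the user's global config (hooks, signing) so the demo
# behaves the same on any machine.
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1

# The gate as written in the PR: exits 1 only for modified tracked files.
weak_gate() {
  git -C "$1" diff --quiet
}

# The suggested gate: also fails when regeneration left untracked files
# behind, printing the offending paths the way the workflow step does.
strict_gate() {
  local status
  git -C "$1" diff --quiet || return 1
  status="$(git -C "$1" status --porcelain)"
  if [ -n "$status" ]; then
    printf '%s\n' "$status" >&2
    return 1
  fi
}

# Constructed repo with a single committed, vendored Go file.
make_repo() {
  local dir
  dir="$(mktemp -d)"
  git -C "$dir" -c init.defaultBranch=main init -q
  mkdir -p "$dir/vendor/example.com/lib"
  printf 'package lib\n' > "$dir/vendor/example.com/lib/lib.go"
  git -C "$dir" add -A
  git -C "$dir" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q -m 'vendor snapshot'
  printf '%s' "$dir"
}

# Run both gates on a repo and report their exit codes as "weak=<rc> strict=<rc>".
run_gates() {
  local w=0 s=0
  weak_gate "$1" || w=$?
  strict_gate "$1" 2>/dev/null || s=$?
  printf 'weak=%s strict=%s' "$w" "$s"
}

# Scenario 1: `go mod vendor` pulls in a new dependency, so a new file appears.
# Expected: weak=0 strict=1 (the PR's gate lets the drift through).
scenario_untracked() {
  local dir; dir="$(make_repo)"
  printf 'package extra\n' > "$dir/vendor/example.com/lib/extra.go"
  run_gates "$dir"; rm -rf "$dir"
}

# Scenario 2: an existing vendored file changes. Expected: weak=1 strict=1.
scenario_modified() {
  local dir; dir="$(make_repo)"
  printf 'package lib // changed\n' > "$dir/vendor/example.com/lib/lib.go"
  run_gates "$dir"; rm -rf "$dir"
}

# Scenario 3: regeneration reproduces the tree exactly. Expected: weak=0 strict=0.
scenario_clean() {
  local dir; dir="$(make_repo)"
  run_gates "$dir"; rm -rf "$dir"
}

echo "untracked file: $(scenario_untracked)"
echo "modified file:  $(scenario_modified)"
echo "clean tree:     $(scenario_clean)"
```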

Comment on lines +110 to +124
images:
name: Build verification
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod

- name: Build for linux/amd64
run: GOOS=linux GOARCH=amd64 make build


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Ensure images checkout fetches git tags/history for make build versioning.

Your images job checks out with default depth, but make build (per the project Makefile) appears to use git describe --tag to derive BUILD_VERSION when OS_GIT_VERSION isn’t set. With a shallow checkout, tags may be missing, which can make build metadata unstable or fail the version extraction.

✅ Suggested change (fetch full history/tags in `images`)
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
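Review bot: the `with:` block added here is also the natural place for `persist-credentials: false`, which the later review on this PR flags for every checkout step; without it the full-history clone produced by `fetch-depth: 0` keeps the job's `GITHUB_TOKEN` in the repository's `.git/config` for the remainder of the job, and `make build` does not need it. Suggested: `with:` / `fetch-depth: 0` / `persist-credentials: false`.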

@sebrandon1 sebrandon1 force-pushed the ci/github-actions-workflow branch from 6d4a721 to b2c2049 on May 5, 2026 17:22
@sebrandon1 sebrandon1 force-pushed the ci/github-actions-workflow branch from b2c2049 to 08112aa on June 15, 2026 17:13

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/pre-main.yml (1)

70-71: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

verify-deps still misses untracked-file drift after vendoring.

git diff --exit-code on Line 71 does not fail for newly created untracked files, so dependency regeneration can still pass with repository drift.

Suggested fix
       - name: Check for changes
-        run: git diff --exit-code
+        run: |
+          git diff --exit-code
+          status="$(git status --porcelain)"
+          if [ -n "$status" ]; then
+            echo "$status"
+            exit 1
+          fi

As per coding guidelines, dependency verification in CI should be robust enough to fail on all repo mutations, including untracked outputs.


📥 Commits

Reviewing files that changed from the base of the PR and between b2c2049 and 08112aa.

📒 Files selected for processing (1)
  • .github/workflows/pre-main.yml

Comment on lines +19 to +22
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/pre-main.yml

Repository: openshift/kube-compare


🏁 Script executed:

# Check the GitHub Actions releases to get the current v4 SHA
web_search_result=$(curl -s "https://api.github.com/repos/actions/checkout/releases/tags/v4" 2>/dev/null | python3 -c "import sys, json; data = json.load(sys.stdin); print(data.get('target_commitish', 'N/A'))" 2>/dev/null)
echo "actions/checkout@v4 commit: $web_search_result"

# Alternatively, let's check what the actual risk is by understanding the broader context
echo "Checking for all action usages in workflow:"
rg 'uses: ' .github/workflows/pre-main.yml

Repository: openshift/kube-compare


🌐 Web query:

actions/checkout v4 latest commit SHA

💡 Result:

As of June 15, 2026, the branch v4 of the actions/checkout repository points to the latest commit SHA 4823ef7dded2f227249189a5d8cc3efa39f98340 [1]. It is important to note that actions/checkout@v4 is a floating tag/branch reference [2][3]. In GitHub Actions, specifying a version like @v4 means your workflow will automatically use the latest changes pushed to that branch [2][3]. If you require a static, immutable version for security or reproducibility, you should use the full 40-character commit SHA in your workflow configuration instead of the v4 tag: - uses: actions/checkout@4823ef7 [1]


Harden checkout steps with persist-credentials: false and pin actions by full SHA.

Checkout steps use tag-based references (@v4) instead of full commit SHAs, and omit persist-credentials: false. This leaves credentials persisted in the environment, increasing token exposure risk, and allows unexpected changes from tag updates.

Apply both fixes to all checkout steps:

  • Pin actions/checkout@v4 to SHA 4823ef7dded2f227249189a5d8cc3efa39f98340
  • Add persist-credentials: false to disable credential persistence

Applies to lines: 19–22, 39–40, 57–58, 77–78, 92–93, 114–115, 129–130

Also pin other GitHub Actions (setup-go@v5, golangci-lint-action@v6, markdownlint-cli2-action@v19) to their respective commit SHAs per CI/CD security guidelines.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 19-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Sources: Coding guidelines, Linters/SAST tools

runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/pre-main.yml | head -150

Repository: openshift/kube-compare


Pin every uses: reference to immutable commit SHAs.

Lines 20, 25, 30, 40, 43, 58, 61, 78, 81, 93, 96, 115, 118, 130, and 133 all use mutable tags (@v*). This weakens supply-chain integrity for CI execution; version tags can be re-tagged by maintainers, introducing unexpected code changes.

Suggested pattern
- uses: actions/checkout@v4
+ uses: actions/checkout@<full_commit_sha>

- uses: actions/setup-go@v5
+ uses: actions/setup-go@<full_commit_sha>

- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@<full_commit_sha>

- uses: DavidAnson/markdownlint-cli2-action@v19
+ uses: DavidAnson/markdownlint-cli2-action@<full_commit_sha>
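Review bot: `<full_commit_sha>` must be the full 40-character commit hash; the abbreviated `4823ef7` form quoted in the web-query result earlier in this review is not an unambiguous pin. Keep the human-readable version as a trailing comment on each pinned line, e.g. `uses: actions/checkout@<full_commit_sha> # v4`, so reviewers can see which release the hash corresponds to and Dependabot can keep proposing updates to the pin.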
🧰 Tools
🪛 zizmor (1.25.2)

[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Sources: Coding guidelines, Linters/SAST tools
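The two pinning reviews above can be enforced before a workflow ever runs. The following script is an added example, not part of the PR or of zizmor; it flags every `uses:` reference whose ref is not a 40-character commit hash and every `actions/checkout` step that does not set `persist-credentials: false`, the two findings zizmor reports above (`unpinned-uses`, `artipacked`). The workflow excerpt it checks is constructed for the example, modelled on the PR's pre-main.yml, and the SHA in its hardened job is the actions/checkout v4 commit quoted in the review.

```bash
#!/usr/bin/env bash
# Added example: a small audit for GitHub Actions workflow files.
# It is not part of the PR or of zizmor; it reproduces two of zizmor's checks:
#   unpinned-uses : a `uses:` reference whose @ref is not a 40-hex commit SHA
#   artipacked    : an actions/checkout step without `persist-credentials: false`
# Local actions (uses: ./path) are skipped: they cannot be pinned to a SHA.

# Print one finding per line as "<file>:<line>: <message>"; exit 1 if any.
audit_workflow() {
  awk '
    function flush() {
      if (in_checkout && !has_pc) {
        printf "%s:%d: checkout step without persist-credentials: false\n", FILENAME, co_line
        n++
      }
      in_checkout = 0; has_pc = 0
    }
    # A new list item ("- name:" / "- uses:") starts a new step: close the previous one.
    /^[[:space:]]*-[[:space:]]/ { flush() }
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[^:]*uses:[[:space:]]*/, "", ref)   # keep only the action reference
      sub(/[[:space:]]*#.*$/, "", ref)          # drop a trailing "# vN" comment
      sub(/[[:space:]]+$/, "", ref)
      if (ref ~ /^\.\//) next                    # local action, nothing to pin
      split(ref, parts, "@"); ver = parts[2]
      if (!(length(ver) == 40 && ver ~ /^[0-9a-f]+$/)) {
        printf "%s:%d: unpinned action reference %s\n", FILENAME, NR, ref
        n++
      }
      if (ref ~ /^actions\/checkout@/) { in_checkout = 1; co_line = NR }
    }
    /persist-credentials:[[:space:]]*false/ { has_pc = 1 }
    END { flush(); exit (n > 0) }
  ' "$1"
}

# Constructed workflow excerpt modelled on the PR's pre-main.yml: one job as the
# PR writes it (tag refs, default credential persistence) and one hardened job.
# The SHA is the actions/checkout v4 commit quoted in the review.
sample_workflow() {
  cat <<'EOF'
name: Pre-Main CI
on:
  pull_request:
    branches:
      - main
permissions:
  contents: read
jobs:
  images:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
  hardened:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@4823ef7dded2f227249189a5d8cc3efa39f98340 # v4
        with:
          persist-credentials: false
      - uses: golangci/golangci-lint-action@v6
        with:
          version: v1.64
EOF
}

# Run the audit over the constructed excerpt and return the number of findings
# (expected: 4, all in the `images` job and the unpinned lint action).
count_sample_findings() {
  local tmp count
  tmp="$(mktemp)"
  sample_workflow > "$tmp"
  count="$(audit_workflow "$tmp" | wc -l | tr -d '[:space:]')"
  rm -f "$tmp"
  printf '%s' "$count"
}

# Stand-alone run: show the findings for the constructed excerpt.
tmp="$(mktemp)"
sample_workflow > "$tmp"
audit_workflow "$tmp" || echo "audit: $(count_sample_findings) finding(s) in constructed sample"
rm -f "$tmp"
```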

Add a pre-main workflow with 7 independent jobs that mirror the
existing Prow CI checks: golint, modtidy, verify-deps, unit tests,
security scanning, build verification, and markdownlint.

This provides redundant CI coverage via GitHub Actions while the
OpenShift CI cluster experiences capacity issues.
@sebrandon1 sebrandon1 force-pushed the ci/github-actions-workflow branch from 08112aa to 86faba8 on June 26, 2026 18:05

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between 08112aa and 86faba8.

📒 Files selected for processing (1)
  • .github/workflows/pre-main.yml

Comment on lines +100 to +108
- name: Run gosec
run: |
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec -exclude-generated -exclude-dir=vendor ./...

- name: Run govulncheck
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...
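Review bot: the open question from the earlier review about whether `govulncheck ./...` scans `vendor/` can be closed: the `./...` package pattern has excluded `vendor` directories since Go 1.9, so no extra filtering is needed on that line. The `@latest` suffix on the two `go install` lines is still the part to fix: pin each to a tagged release (`github.com/securego/gosec/v2/cmd/gosec@vX.Y.Z`, `golang.org/x/vuln/cmd/govulncheck@vX.Y.Z`) so the scanners only change when the workflow file does.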


🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate the workflow and inspect the relevant section with line numbers.
git ls-files '.github/workflows/pre-main.yml'
wc -l .github/workflows/pre-main.yml
sed -n '85,120p' .github/workflows/pre-main.yml | cat -n

Repository: openshift/kube-compare


Pin gosec and govulncheck to explicit release versions. @latest makes these security checks mutable over time; use fixed versions so the workflow does not change behavior without a repo diff.


openshift-ci Bot commented Jun 26, 2026


@sebrandon1: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
