Conversation
WalkthroughFour new GitHub Actions workflows are introduced to automate security scanning, dependency review, contributor licensing agreements, and supply-chain security scoring. These workflows execute on specified GitHub events (push, pull requests, comments, scheduled) and integrate third-party security tools and verification services. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Pull request overview
This pull request adds four new GitHub Actions workflows to enhance security and compliance checking for the repository: Scorecard supply-chain security analysis, dependency review for PRs, CodeQL code scanning, and CLA (Contributor License Agreement) assistant.
Changes:
- Add Scorecard workflow for supply-chain security analysis running weekly and on main branch pushes
- Add dependency review workflow to scan for vulnerable dependencies in pull requests
- Add CodeQL workflow for advanced code scanning of JavaScript/TypeScript and GitHub Actions
- Add CLA assistant workflow to manage contributor license agreement signatures
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
.github/workflows/scorecard.yml |
Implements OSSF Scorecard analysis for supply-chain security, scheduled weekly and on main branch pushes |
.github/workflows/dependency-review.yml |
Adds dependency vulnerability scanning for pull requests |
.github/workflows/codeql.yml |
Configures CodeQL analysis for JavaScript/TypeScript and Actions, runs on PRs, pushes, and scheduled |
.github/workflows/cla.yml |
Implements CLA signing workflow for contributors using OpenZeppelin's CLA |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| statuses: write | ||
| checks: write | ||
| issues: write | ||
|
|
There was a problem hiding this comment.
The workflow uses pull_request_target trigger with broad write permissions (actions, contents, pull-requests, statuses, checks, issues). While this is necessary for the CLA Assistant action to function, pull_request_target runs in the context of the base repository and has access to secrets, which could be a security risk if the workflow checks out or executes code from the PR. However, this workflow only checks out the private cla-sigs repository and does not check out or execute any code from the pull request itself, so this appears to be safe. Consider adding a comment explaining this security consideration for future maintainers.
| # Security note: This workflow uses the pull_request_target trigger with broad write | |
| # permissions and access to repository secrets. It is considered safe because it does | |
| # NOT check out or execute any code from the pull request itself; it only checks out | |
| # the private OpenZeppelin/cla-sigs repository for managing CLA signatures. |
| security-events: write | ||
| # Needed to publish results and get a badge (see publish_results below). | ||
| id-token: write | ||
| # Comment/renmove the permissions below if installing in a public repository. |
There was a problem hiding this comment.
Spelling error in comment: "renmove" should be "remove".
| # Comment/renmove the permissions below if installing in a public repository. | |
| # Comment/remove the permissions below if installing in a public repository. |
|
|
||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 |
There was a problem hiding this comment.
The harden-runner action version differs from the existing workflow. The ci.yml uses v2.10.1 (commit 91182cccc01eb5e619899d80e4e971d6181294a7), but this workflow uses v2.13.0 (commit ec9f2d5744a09debf3a187a3f4f675c53b671911). For consistency and to ensure all workflows use the same security baseline, consider standardizing on the same version across all workflows. If v2.13.0 is the preferred version, the existing ci.yml should also be updated.
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 |
|
|
||
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: 'Upload to code-scanning' | ||
| uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v2.3.5 |
There was a problem hiding this comment.
The version comment indicates v2.3.5, but this appears to be incorrect. The codeql.yml file in this PR uses the same commit hash (64d10c13136e1c5bce3e5fbde8d4906eeaafc885) with version v3.30.6. Please update the version comment to match the actual version.
| uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v2.3.5 | |
| uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 |
| egress-policy: audit | ||
|
|
||
| - name: 'Checkout Repository' | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
There was a problem hiding this comment.
The checkout action version comment indicates v5.0.0, but the existing ci.yml uses the same commit hash (08c6903cd8c0fde910a37f88322edcfb5dd907a8) with version v4.5.4. There's a discrepancy in the version tag. Please verify the correct version for this commit hash and ensure consistency across all workflows.
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.5.4 |
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Harden the runner (Audit all outbound calls) | ||
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 |
There was a problem hiding this comment.
The harden-runner action version differs from the existing workflow. The ci.yml uses v2.10.1 (commit 91182cccc01eb5e619899d80e4e971d6181294a7), but this workflow uses v2.13.0 (commit ec9f2d5744a09debf3a187a3f4f675c53b671911). For consistency and to ensure all workflows use the same security baseline, consider standardizing on the same version across all workflows.
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 |
| egress-policy: audit | ||
|
|
||
| - name: 'Checkout code' | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
There was a problem hiding this comment.
The checkout action version comment indicates v5.0.0, but the existing ci.yml uses the same commit hash (08c6903cd8c0fde910a37f88322edcfb5dd907a8) with version v4.5.4. There's a discrepancy in the version tag. Please verify the correct version for this commit hash and ensure consistency across all workflows.
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.5.4 |
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
There was a problem hiding this comment.
The checkout action version comment indicates v5.0.0, but the existing ci.yml uses the same commit hash (08c6903cd8c0fde910a37f88322edcfb5dd907a8) with version v4.5.4. There's a discrepancy in the version tag. Please verify the correct version for this commit hash and ensure consistency across all workflows.
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.5.4 |
|
|
||
| steps: | ||
| - name: Harden the runner (Audit all outbound calls) | ||
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 |
There was a problem hiding this comment.
The harden-runner action version differs from the existing workflow. The ci.yml uses v2.10.1 (commit 91182cccc01eb5e619899d80e4e971d6181294a7), but this workflow uses v2.13.0 (commit ec9f2d5744a09debf3a187a3f4f675c53b671911). For consistency and to ensure all workflows use the same security baseline, consider standardizing on the same version across all workflows.
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 |
| egress-policy: audit | ||
|
|
||
| - name: Checkout Private Repo for Allowlist | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 |
There was a problem hiding this comment.
The checkout action version comment indicates v5.0.0, but the existing ci.yml uses the same commit hash (08c6903cd8c0fde910a37f88322edcfb5dd907a8) with version v4.5.4. There's a discrepancy in the version tag. Please verify the correct version for this commit hash and ensure consistency across all workflows.
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4.5.4 |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 5
🧹 Nitpick comments (1)
.github/workflows/cla.yml (1)
5-14: Broad permissions withpull_request_target— ensure this is intentional.Using
pull_request_targetwith write permissions is a known security-sensitive pattern as it runs in the context of the base repository with elevated privileges, even for PRs from forks. This is typically necessary for CLA workflows that need to write statuses/comments.Ensure that:
- The workflow doesn't execute arbitrary code from the PR (e.g., no
actions/checkoutof PR head with script execution)- The current checkout of the private
cla-sigsrepo is safe since it's a controlled repositoryThe current implementation appears safe as it only checks out the controlled
cla-sigsrepo, not the untrusted PR code.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/cla.yml around lines 5 - 14, Confirm pull_request_target with broad write permissions is intentional and lock down the workflow: ensure the trigger remains pull_request_target (types: [opened, closed, synchronize]) only when necessary, remove or narrow any unnecessary permissions in the permissions block (limit actions/contents/pull-requests/statuses/checks/issues to the minimal required), verify no steps perform actions/checkout on the PR head or run untrusted code, and explicitly checkout only the controlled cla-sigs repository (use actions/checkout with repository: 'cla-sigs' and a pinned ref) and use the least-privileged token (GITHUB_TOKEN) for write operations.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/cla.yml:
- Around line 36-38: The current step reads allowlist.txt into ALLOWLIST and
writes it to GITHUB_OUTPUT with a single-line echo which breaks multi-line or
special-character content; change the write to use the GitHub Actions multi-line
output/heredoc pattern so the "allowlist" output receives the full ALLOWLIST
content (preserving newlines and special chars) instead of a single-line echo to
GITHUB_OUTPUT.
In @.github/workflows/codeql.yml:
- Around line 40-55: The version comment for the github/codeql-action SHA is
incorrect: the uses entries for github/codeql-action/init and
github/codeql-action/analyze reference SHA
64d10c13136e1c5bce3e5fbde8d4906eeaafc885 but are labeled v3.30.6; verify which
you intend and either (A) update the inline comment to the actual release that
corresponds to 64d10c13, or (B) replace the SHA with the canonical SHA for
v3.30.6 (e.g., 4110a988ca85d436f1ad69dd90aed6222a6ac39e) so the comment and SHA
match; apply the same fix to both github/codeql-action/init and
github/codeql-action/analyze entries.
In @.github/workflows/scorecard.yml:
- Line 26: Update the comment string in the GitHub Actions workflow where it
reads "Comment/renmove the permissions below if installing in a public
repository." to correct the typo by replacing "renmove" with "remove" so the
comment reads "Comment/remove the permissions below if installing in a public
repository."; locate and edit that exact comment line in scorecard.yml.
- Around line 42-55: Replace the incorrect commit SHA for the
ossf/scorecard-action usage: locate the uses entry that reads "uses:
ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde" (the one tied to
v2.4.2) and update the commit hash to the correct SHA
"f2ea147fec3c2f0d459703eba7405b5e9bcd8c8f"; do not modify the upload-artifact
uses entry.
- Around line 58-59: The version comment next to the GitHub Action step named
'Upload to code-scanning' is inconsistent with the SHA used; update the inline
comment after uses:
github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 to
match the actual action version (change `v2.3.5` to `v3.30.6`) so the label
accurately reflects the SHA referenced by the upload-sarif action.
---
Nitpick comments:
In @.github/workflows/cla.yml:
- Around line 5-14: Confirm pull_request_target with broad write permissions is
intentional and lock down the workflow: ensure the trigger remains
pull_request_target (types: [opened, closed, synchronize]) only when necessary,
remove or narrow any unnecessary permissions in the permissions block (limit
actions/contents/pull-requests/statuses/checks/issues to the minimal required),
verify no steps perform actions/checkout on the PR head or run untrusted code,
and explicitly checkout only the controlled cla-sigs repository (use
actions/checkout with repository: 'cla-sigs' and a pinned ref) and use the
least-privileged token (GITHUB_TOKEN) for write operations.
| run: | | ||
| ALLOWLIST=$(cat allowlist.txt) | ||
| echo "allowlist=$ALLOWLIST" >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
Multi-line file content may break GITHUB_OUTPUT handling.
If allowlist.txt contains multiple lines or special characters, the current approach will only capture the first line or cause parsing issues. Multi-line values in GITHUB_OUTPUT require heredoc syntax.
🔧 Proposed fix for multi-line support
- name: Read Allowlist File
id: read_allowlist
run: |
- ALLOWLIST=$(cat allowlist.txt)
- echo "allowlist=$ALLOWLIST" >> $GITHUB_OUTPUT
+ {
+ echo 'allowlist<<EOF'
+ cat allowlist.txt
+ echo 'EOF'
+ } >> $GITHUB_OUTPUT🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/cla.yml around lines 36 - 38, The current step reads
allowlist.txt into ALLOWLIST and writes it to GITHUB_OUTPUT with a single-line
echo which breaks multi-line or special-character content; change the write to
use the GitHub Actions multi-line output/heredoc pattern so the "allowlist"
output receives the full ALLOWLIST content (preserving newlines and special
chars) instead of a single-line echo to GITHUB_OUTPUT.
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: Checkout repository | ||
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
|
|
||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| build-mode: ${{ matrix.build-mode }} | ||
|
|
||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 | ||
| with: |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify that the SHA hashes match the claimed action versions
echo "=== Checking actions/checkout ==="
echo "Claimed: v5.0.0, SHA: 08c6903cd8c0fde910a37f88322edcfb5dd907a8"
# Get the actual SHA for v5.0.0 tag
curl -s "https://api.github.com/repos/actions/checkout/git/ref/tags/v5.0.0" | jq -r '.object.sha // "tag not found"'
echo ""
echo "=== Checking github/codeql-action ==="
echo "Claimed: v3.30.6, SHA: 64d10c13136e1c5bce3e5fbde8d4906eeaafc885"
curl -s "https://api.github.com/repos/github/codeql-action/git/ref/tags/v3.30.6" | jq -r '.object.sha // "tag not found"'
echo ""
echo "=== Checking step-security/harden-runner ==="
echo "Claimed: v2.13.0, SHA: ec9f2d5744a09debf3a187a3f4f675c53b671911"
curl -s "https://api.github.com/repos/step-security/harden-runner/git/ref/tags/v2.13.0" | jq -r '.object.sha // "tag not found"'Repository: OpenZeppelin/relayer-plugin-channels
Length of output: 512
Fix incorrect version comment for github/codeql-action SHA.
The pinned action SHA 64d10c13136e1c5bce3e5fbde8d4906eeaafc885 does not match v3.30.6 (which actually resolves to 4110a988ca85d436f1ad69dd90aed6222a6ac39e). Verify which version is intended and update the comment to reflect the actual version of the pinned SHA, or update the SHA if v3.30.6 is the intended version.
Actions/checkout v5.0.0 and step-security/harden-runner v2.13.0 have correct SHA/version pairs.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/codeql.yml around lines 40 - 55, The version comment for
the github/codeql-action SHA is incorrect: the uses entries for
github/codeql-action/init and github/codeql-action/analyze reference SHA
64d10c13136e1c5bce3e5fbde8d4906eeaafc885 but are labeled v3.30.6; verify which
you intend and either (A) update the inline comment to the actual release that
corresponds to 64d10c13, or (B) replace the SHA with the canonical SHA for
v3.30.6 (e.g., 4110a988ca85d436f1ad69dd90aed6222a6ac39e) so the comment and SHA
match; apply the same fix to both github/codeql-action/init and
github/codeql-action/analyze entries.
| security-events: write | ||
| # Needed to publish results and get a badge (see publish_results below). | ||
| id-token: write | ||
| # Comment/renmove the permissions below if installing in a public repository. |
There was a problem hiding this comment.
Fix typo: "renmove" → "remove".
✏️ Proposed fix
- # Comment/renmove the permissions below if installing in a public repository.
+ # Comment/remove the permissions below if installing in a public repository.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Comment/renmove the permissions below if installing in a public repository. | |
| # Comment/remove the permissions below if installing in a public repository. |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/scorecard.yml at line 26, Update the comment string in the
GitHub Actions workflow where it reads "Comment/renmove the permissions below if
installing in a public repository." to correct the typo by replacing "renmove"
with "remove" so the comment reads "Comment/remove the permissions below if
installing in a public repository."; locate and edit that exact comment line in
scorecard.yml.
| uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 | ||
| with: | ||
| results_file: results.sarif | ||
| results_format: sarif | ||
| publish_results: true | ||
|
|
||
| # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
| # format to the repository Actions tab. | ||
| - name: 'Upload artifact' | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||
| with: | ||
| name: SARIF file | ||
| path: results.sarif | ||
| retention-days: 5 |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
echo "=== Checking ossf/scorecard-action ==="
echo "Claimed: v2.4.2, SHA: 05b42c624433fc40578a4040d5cf5e36ddca8cde"
curl -s "https://api.github.com/repos/ossf/scorecard-action/git/ref/tags/v2.4.2" | jq -r '.object.sha // "tag not found"'
echo ""
echo "=== Checking actions/upload-artifact ==="
echo "Claimed: v4.6.2, SHA: ea165f8d65b6e75b540449e92b4886f43607fa02"
curl -s "https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4.6.2" | jq -r '.object.sha // "tag not found"'Repository: OpenZeppelin/relayer-plugin-channels
Length of output: 368
Update scorecard-action SHA to match v2.4.2.
The claimed SHA 05b42c624433fc40578a4040d5cf5e36ddca8cde for ossf/scorecard-action@v2.4.2 is incorrect. The actual SHA for v2.4.2 is f2ea147fec3c2f0d459703eba7405b5e9bcd8c8f. Update line 42 to use the correct commit hash.
The upload-artifact SHA is correct and requires no changes.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/scorecard.yml around lines 42 - 55, Replace the incorrect
commit SHA for the ossf/scorecard-action usage: locate the uses entry that reads
"uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde" (the one
tied to v2.4.2) and update the commit hash to the correct SHA
"f2ea147fec3c2f0d459703eba7405b5e9bcd8c8f"; do not modify the upload-artifact
uses entry.
| - name: 'Upload to code-scanning' | ||
| uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v2.3.5 |
There was a problem hiding this comment.
Version comment mismatch: says v2.3.5 but SHA is for v3.30.6.
The SHA 64d10c13136e1c5bce3e5fbde8d4906eeaafc885 is the same one used in codeql.yml where it's labeled as v3.30.6. The comment here says v2.3.5 which is inconsistent and misleading.
✏️ Proposed fix
- uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v2.3.5
+ uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: 'Upload to code-scanning' | |
| uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v2.3.5 | |
| - name: 'Upload to code-scanning' | |
| uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6 |
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/scorecard.yml around lines 58 - 59, The version comment
next to the GitHub Action step named 'Upload to code-scanning' is inconsistent
with the SHA used; update the inline comment after uses:
github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 to
match the actual action version (change `v2.3.5` to `v3.30.6`) so the label
accurately reflects the SHA referenced by the upload-sarif action.
zeljkoX
left a comment
zeljkoX
left a comment
There was a problem hiding this comment.
LGTM
Let's review validity of coderabbit comments.
Summary by CodeRabbit