ci(workflows): fix trufflehog rot in trufflehog.yml #44
CodeAnt AI is reviewing your PR.

Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Bugbot Autofix prepared fixes for all 3 issues found in the latest run.
- ✅ Fixed: Auto-merge lacks write permission
  - Changed workflow-level pull-requests permission from read to write so pulls.merge can succeed.
- ✅ Fixed: Quality gate cannot comment
  - Added job-level contents read and pull-requests write permissions on quality-report for issues.createComment.
- ✅ Fixed: CodeQL missing security-events write
  - Added security-events write to workflow permissions so CodeQL analyze can upload SARIF results.
Or push these changes by commenting:
@cursor push 3d76f81611
Preview (3d76f81611):
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -1,7 +1,7 @@
name: Auto Merge
permissions:
contents: read
- pull-requests: read
+ pull-requests: write
on:
pull_request:
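Review bot: flipping `pull-requests` to `write` at the workflow level leaves `contents: read` on the line above it unchanged, and `pulls.merge` creates a merge commit on the base branch, for which GitHub's documentation lists Contents (write) alongside Pull requests (write); with this hunk alone the 403 described in the Architect review may well persist. The change also widens the token for every job in `auto-merge.yml`, not just the merging job. The narrower fix the same review asks for is to keep this workflow-level block read-only and add a `permissions:` block with `contents: write` and `pull-requests: write` on the auto-merge job only, then confirm on a throwaway Dependabot-style PR that the merge call succeeds.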
diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
--- a/.github/workflows/quality-gate.yml
+++ b/.github/workflows/quality-gate.yml
@@ -141,6 +141,9 @@
needs: [unit-tests, e2e-tests, integration-tests, fr-annotation-check]
if: always()
runs-on: ubuntu-24.04
+ permissions:
+ contents: read
+ pull-requests: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
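Review bot: the job-level `permissions:` block is the right scope for a job that only posts a comment, but the context line directly beneath it is broken: `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683` has two commit SHAs joined by `@`, which is not a valid `uses:` reference (it reads as a re-pin that was appended instead of replacing the old SHA), and the trailing `# v4.1.1` comment can describe only one of them. Because this job runs under `if: always()`, a malformed `uses:` fails it on every run regardless of the new permissions; reduce the ref to a single SHA and update the version comment to match.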
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -2,6 +2,7 @@
permissions:
contents: read
pull-requests: read
+ security-events: write
on:
push:
branches: [main, develop]
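Review bot: `security-events: write` is the scope the CodeQL upload step needs, so this hunk addresses the SARIF upload failure; two follow-ups. First, CodeQL's documented minimum permissions also include `actions: read` when the repository is private; add it if that applies here. Second, because the scope is added at the workflow level it is granted to every job in `sast.yml`, so any non-CodeQL job in the file can now write code-scanning alerts; if there are other jobs, move `security-events: write` into a job-level block on the CodeQL job and leave the workflow default read-only, which is what the PR description says is intended for routine workflows.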
Reviewed by Cursor Bugbot for commit 2569b38.
permissions:
  contents: read
  pull-requests: read
🔴 Architect Review — CRITICAL
This workflow now grants the GITHUB_TOKEN only read permissions (contents: read, pull-requests: read), but the auto-merge job calls github.rest.pulls.merge, which requires write access; as a result, auto-merge for Dependabot/pre-commit PRs will fail with 403 in normal use.
Suggestion: Keep restrictive workflow-level defaults, but add a job-level permissions block for auto-merge that grants the minimal required write scope (e.g. contents: write and/or pull-requests: write) so the merge API call can succeed.
Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.
**Path:** .github/workflows/auto-merge.yml
**Line:** 2:4
**Comment:**
*CRITICAL: This workflow now grants the GITHUB_TOKEN only read permissions (`contents: read`, `pull-requests: read`), but the `auto-merge` job calls `github.rest.pulls.merge`, which requires write access; as a result, auto-merge for Dependabot/pre-commit PRs will fail with 403 in normal use.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once the fix is implemented, also check the other comments on the same PR, and ask the user whether they want to fix the rest of the comments as well. If yes, fetch all the comments, validate their correctness, and implement a minimal fix.

permissions:
  contents: read
  pull-requests: read
🟠 Architect Review — HIGH
The workflow-level GITHUB_TOKEN permissions are now read-only (contents: read, pull-requests: read), but the quality-report job uses github.rest.issues.createComment to post a PR comment; with issues permission effectively set to none, this reporting step will fail to publish results back to the PR.
Suggestion: Retain the read-only defaults but add a job-level permissions override for quality-report that grants only the needed write scope (e.g. issues: write or equivalent PR-comment permission) so the report comment can be created while keeping other jobs read-only.
Prompt for AI Agent 🤖
**Path:** .github/workflows/quality-gate.yml
**Line:** 2:4
**Comment:**
*HIGH: The workflow-level GITHUB_TOKEN permissions are now read-only (`contents: read`, `pull-requests: read`), but the `quality-report` job uses `github.rest.issues.createComment` to post a PR comment; with `issues` permission effectively set to none, this reporting step will fail to publish results back to the PR.
pull_request:

jobs:
  trufflehog:
🔴 Architect Review — CRITICAL
The Trufflehog workflow still uses trufflehog/actions/setup@main rather than the pinned trufflesecurity/trufflehog@<sha> pattern described for this PR, so the secrets scan job remains bound to the unpinned, upstream setup action and the intended rot fix is incomplete.
Suggestion: Replace the trufflehog/actions/setup@main step with the maintained trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf (as in .github/workflows/security.yml) and pin it by commit SHA so this workflow actually benefits from the rot fix.
Prompt for AI Agent 🤖
**Path:** .github/workflows/trufflehog.yml
**Line:** 11:20
**Comment:**
*CRITICAL: The Trufflehog workflow still uses `trufflehog/actions/setup@main` rather than the pinned `trufflesecurity/trufflehog@<sha>` pattern described for this PR, so the secrets scan job remains bound to the unpinned, upstream setup action and the intended rot fix is incomplete.
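The three Architect Review comments above describe two things at once: a write scope that belongs on one job rather than on the whole workflow (the auto-merge and quality-report findings), and a third-party action that should be referenced by commit SHA rather than by a mutable branch (the Trufflehog finding). The workflow below is an added example written for this page; it is not a file from the PR, and not output of Cursor Bugbot or CodeAnt. The `trufflesecurity/trufflehog` SHA is the one named in the PR; the `actions/checkout` and `actions/github-script` refs are placeholders to be replaced with real pinned SHAs; the Dependabot-only gate on the merge job, the `squash` merge method and the `--only-verified` argument are assumptions about how the repository wants those jobs to behave.

```yaml
# Added example for this page (not a file from the PR, Cursor or CodeAnt):
# workflow-level read-only defaults, a job-level override only where a write
# scope is needed, and every third-party action pinned to a full commit SHA.
name: CI hardening example

# Default for every job in this file: read-only GITHUB_TOKEN.
permissions:
  contents: read

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  auto-merge:
    runs-on: ubuntu-24.04
    # Assumption: only Dependabot PRs are auto-merged; a human-authored PR
    # must never be merged by a token that the PR's own workflow controls.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    # Job-level override: the merge call creates a commit on the base branch
    # and updates the PR, so this job (and only this job) gets both scopes.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/github-script@<commit-sha>  # placeholder: pin to a real SHA
        with:
          script: |
            await github.rest.pulls.merge({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number,
              merge_method: 'squash',  // assumption: repo policy may differ
            });

  trufflehog:
    runs-on: ubuntu-24.04
    # Inherits the read-only default; no explicit block needed.
    steps:
      - uses: actions/checkout@<commit-sha>  # placeholder: pin to a real SHA
        with:
          fetch-depth: 0  # full history so the scan can walk base..head
      # Pinned by SHA (the one named in this PR), not by a mutable branch such
      # as @main, so an upstream change or deletion cannot alter this job.
      - uses: trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf
        with:
          base: ${{ github.event.pull_request.base.sha }}
          head: ${{ github.event.pull_request.head.sha }}
          extra_args: --only-verified  # assumption: report verified credentials only
```

The point of the layout is that the write scopes never reach the `trufflehog` job, which executes third-party code on the PR's checkout: a job-level `permissions:` block is evaluated per job, so the secrets scanner runs with the read-only default even though another job in the same file can merge. Pinning to a SHA also means a later `trufflehog/actions/setup@main` style 404 cannot recur without a deliberate edit to the workflow.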
CodeAnt AI finished reviewing your PR.
Force-pushed 2569b38 to cac3d16.
User description
Replaces broken `trufflehog/actions/setup@main` (404 upstream) with `trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf`. Same fix as phenotype-registry#61 + tick 17.
🤖 Generated with Claude Code
Note: Low Risk
Changes are limited to GitHub Actions configuration; no application, auth, or data-path code is modified.

Overview
Repairs the Trufflehog secrets scan workflow by dropping the broken `trufflehog/actions/setup` reference (upstream 404) and running the scan via a pinned `trufflesecurity/trufflehog` action instead, matching the approach used elsewhere in CI (e.g. `security.yml`). Related CI hardening in the same effort pins many jobs to `ubuntu-24.04` instead of `ubuntu-latest` and adds read-only default `permissions` (`contents: read`, `pull-requests: read`) on routine workflows, while leaving broader permissions on release, security, CodeQL, Scorecard, and Pages jobs.

Reviewed by Cursor Bugbot for commit cac3d16.
CodeAnt-AI Description
Standardize GitHub Actions runners and fix the broken Trufflehog scan

What Changed
- `ubuntu-latest` to `ubuntu-24.04` to keep CI on a fixed runner version

Impact
- ✅ Fewer CI failures from broken scan actions
- ✅ More predictable workflow runs
- ✅ Lower default GitHub token access in CI