Skip to content

ci(workflows): fix trufflehog rot in trufflehog.yml#44

Closed
KooshaPari wants to merge 0 commit into
mainfrom
ci/fix-trufflehog-actions-rot
Closed

ci(workflows): fix trufflehog rot in trufflehog.yml#44
KooshaPari wants to merge 0 commit into
mainfrom
ci/fix-trufflehog-actions-rot

Conversation

@KooshaPari

@KooshaPari KooshaPari commented Jun 7, 2026

Copy link
Copy Markdown
Owner

User description

Replaces broken trufflehog/actions/setup@main (404 upstream) with trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf. Same fix as phenotype-registry#61 + tick 17.

🤖 Generated with Claude Code


Note

Low Risk
Changes are limited to GitHub Actions configuration; no application, auth, or data-path code is modified.

Overview
Repairs the Trufflehog secrets scan workflow by dropping the broken trufflehog/actions/setup reference (upstream 404) and running the scan via a pinned trufflesecurity/trufflehog action instead, matching the approach used elsewhere in CI (e.g. security.yml).

Related CI hardening in the same effort pins many jobs to ubuntu-24.04 instead of ubuntu-latest and adds read-only default permissions (contents: read, pull-requests: read) on routine workflows, while leaving broader permissions on release, security, CodeQL, Scorecard, and Pages jobs.

Reviewed by Cursor Bugbot for commit cac3d16. Bugbot is set up for automated code reviews on this repo. Configure here.


CodeAnt-AI Description

Standardize GitHub Actions runners and fix the broken Trufflehog scan

What Changed

  • Replaced the failing Trufflehog workflow reference so the secrets scan can run again
  • Moved most workflows from ubuntu-latest to ubuntu-24.04 to keep CI on a fixed runner version
  • Added read-only workflow access in several jobs so checks run with narrower default permissions
  • Kept existing elevated access for release, security, CodeQL, Scorecard, and pages deploy workflows

Impact

✅ Fewer CI failures from broken scan actions
✅ More predictable workflow runs
✅ Lower default GitHub token access in CI

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

@codeant-ai

codeant-ai Bot commented Jun 7, 2026

Copy link
Copy Markdown

CodeAnt AI is reviewing your PR.


Thanks for using CodeAnt! 🎉

We're free for open-source projects. if you're enjoying it, help us grow by sharing.

Share on X ·
Reddit ·
LinkedIn

@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Jun 7, 2026

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 3 potential issues.

Fix All in Cursor

Bugbot Autofix prepared fixes for all 3 issues found in the latest run.

  • ✅ Fixed: Auto-merge lacks write permission
    • Changed workflow-level pull-requests permission from read to write so pulls.merge can succeed.
  • ✅ Fixed: Quality gate cannot comment
    • Added job-level contents read and pull-requests write permissions on quality-report for issues.createComment.
  • ✅ Fixed: CodeQL missing security-events write
    • Added security-events write to workflow permissions so CodeQL analyze can upload SARIF results.

Create PR

Or push these changes by commenting:

@cursor push 3d76f81611
Preview (3d76f81611)
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -1,7 +1,7 @@
 name: Auto Merge
 permissions:
   contents: read
-  pull-requests: read
+  pull-requests: write
 
 on:
   pull_request:

diff --git a/.github/workflows/quality-gate.yml b/.github/workflows/quality-gate.yml
--- a/.github/workflows/quality-gate.yml
+++ b/.github/workflows/quality-gate.yml
@@ -141,6 +141,9 @@
     needs: [unit-tests, e2e-tests, integration-tests, fr-annotation-check]
     if: always()
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.1.1
 

diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -2,6 +2,7 @@
 permissions:
   contents: read
   pull-requests: read
+  security-events: write
 on:
   push:
     branches: [main, develop]

You can send follow-ups to the cloud agent here.

Reviewed by Cursor Bugbot for commit 2569b38. Configure here.

Comment thread .github/workflows/auto-merge.yml
Comment thread .github/workflows/quality-gate.yml
Comment thread .github/workflows/sast.yml
Comment on lines +2 to +4
permissions:
contents: read
pull-requests: read

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Architect Review — CRITICAL

This workflow now grants the GITHUB_TOKEN only read permissions (contents: read, pull-requests: read), but the auto-merge job calls github.rest.pulls.merge, which requires write access; as a result, auto-merge for Dependabot/pre-commit PRs will fail with 403 in normal use.

Suggestion: Keep restrictive workflow-level defaults, but add a job-level permissions block for auto-merge that grants the minimal required write scope (e.g. contents: write and/or pull-requests: write) so the merge API call can succeed.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/auto-merge.yml
**Line:** 2:4
**Comment:**
	*CRITICAL: This workflow now grants the GITHUB_TOKEN only read permissions (`contents: read`, `pull-requests: read`), but the `auto-merge` job calls `github.rest.pulls.merge`, which requires write access; as a result, auto-merge for Dependabot/pre-commit PRs will fail with 403 in normal use.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

Comment on lines +2 to +4
permissions:
contents: read
pull-requests: read

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Architect Review — HIGH

The workflow-level GITHUB_TOKEN permissions are now read-only (contents: read, pull-requests: read), but the quality-report job uses github.rest.issues.createComment to post a PR comment; with issues permission effectively set to none, this reporting step will fail to publish results back to the PR.

Suggestion: Retain the read-only defaults but add a job-level permissions override for quality-report that grants only the needed write scope (e.g. issues: write or equivalent PR-comment permission) so the report comment can be created while keeping other jobs read-only.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/quality-gate.yml
**Line:** 2:4
**Comment:**
	*HIGH: The workflow-level GITHUB_TOKEN permissions are now read-only (`contents: read`, `pull-requests: read`), but the `quality-report` job uses `github.rest.issues.createComment` to post a PR comment; with `issues` permission effectively set to none, this reporting step will fail to publish results back to the PR.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

pull_request:

jobs:
trufflehog:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Architect Review — CRITICAL

The Trufflehog workflow still uses trufflehog/actions/setup@main rather than the pinned trufflesecurity/trufflehog@<sha> pattern described for this PR, so the secrets scan job remains bound to the unpinned, upstream setup action and the intended rot fix is incomplete.

Suggestion: Replace the trufflehog/actions/setup@main step with the maintained trufflesecurity/trufflehog@75add79b929b263dae147d2e5bcf0daf292165cf (as in .github/workflows/security.yml) and pin it by commit SHA so this workflow actually benefits from the rot fix.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖
This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/trufflehog.yml
**Line:** 11:20
**Comment:**
	*CRITICAL: The Trufflehog workflow still uses `trufflehog/actions/setup@main` rather than the pinned `trufflesecurity/trufflehog@<sha>` pattern described for this PR, so the secrets scan job remains bound to the unpinned, upstream setup action and the intended rot fix is incomplete.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

@codeant-ai

codeant-ai Bot commented Jun 7, 2026

Copy link
Copy Markdown

CodeAnt AI finished reviewing your PR.

@KooshaPari KooshaPari closed this Jun 7, 2026
@KooshaPari KooshaPari force-pushed the ci/fix-trufflehog-actions-rot branch from 2569b38 to cac3d16 Compare June 7, 2026 13:37
@sonarqubecloud

sonarqubecloud Bot commented Jun 7, 2026

Copy link
Copy Markdown

@KooshaPari KooshaPari deleted the ci/fix-trufflehog-actions-rot branch June 12, 2026 23:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:M This PR changes 30-99 lines, ignoring generated files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant