@atuchin-m
Collaborator

No description provided.

@atuchin-m atuchin-m self-assigned this Nov 17, 2025
run: cargo install cargo-semver-checks

- name: Run semver checks
run: cargo semver-checks

reported by reviewdog 🐶
[opengrep] GitHub Actions workflow is missing permissions declaration at the top-level or job-level.

Without explicit permissions, workflows may have excessive default permissions, violating the principle of least privilege.

According to GitHub's security best practices, you should explicitly define permissions to limit the scope of access tokens.

Valid permission scopes include: actions, attestations, checks, contents, deployments, discussions, id-token, issues, models, packages, pages, pull-requests, security-events, statuses

👍 Good examples:

Top-level: permissions: { contents: read, pull-requests: write }
Job-level: jobs: build: permissions: { contents: read }
Restrict all: permissions: {}

👎 Bad:

No permissions defined in the workflow

GitHub Security Hardening Guide


Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/services/github-workflow-missing-permissions.yaml


Cc @thypon @kdenhartog

Collaborator Author

@copilot address this issue

@github-actions github-actions bot left a comment

Rust Benchmark

Benchmark suite Current: 9ba405c Previous: c7c016b Ratio
rule-match-browserlike/brave-list 2047306802 ns/iter (± 7739172) 2059112104 ns/iter (± 14380306) 0.99
rule-match-first-request/brave-list 1126247 ns/iter (± 5895) 1128955 ns/iter (± 15454) 1.00
blocker_new/brave-list 133011887 ns/iter (± 523060) 133117055 ns/iter (± 864705) 1.00
blocker_new/brave-list-deserialize 24861846 ns/iter (± 160023) 24527922 ns/iter (± 1344591) 1.01
memory-usage/brave-list-initial 10213344 ns/iter (± 3) 10213344 ns/iter (± 3) 1
memory-usage/brave-list-initial/max 60612235 ns/iter (± 3) 60612235 ns/iter (± 3) 1
memory-usage/brave-list-initial/alloc-count 996170 ns/iter (± 3) 996170 ns/iter (± 3) 1
memory-usage/brave-list-1000-requests 2282164 ns/iter (± 3) 2282164 ns/iter (± 3) 1
memory-usage/brave-list-1000-requests/alloc-count 69311 ns/iter (± 3) 69311 ns/iter (± 3) 1
url_cosmetic_resources/brave-list 191205 ns/iter (± 1839) 192211 ns/iter (± 1001) 0.99
cosmetic-class-id-match/brave-list 3382533 ns/iter (± 911542) 3381021 ns/iter (± 948271) 1.00

This comment was automatically generated by workflow using github-action-benchmark.

Copilot AI commented Nov 17, 2025

@atuchin-m I've opened a new pull request, #570, to work on those changes. Once the pull request is ready, I'll request review from you.

@atuchin-m atuchin-m marked this pull request as ready for review November 17, 2025 21:14
@atuchin-m atuchin-m requested a review from a team as a code owner November 17, 2025 21:14
Collaborator

@antonok-edm antonok-edm left a comment

the author of cargo-semver-checks is also the author of cargo-semver-checks-action, does it make more sense to use that directly?

@atuchin-m atuchin-m force-pushed the add-semver-checks-ci branch from 16f19ae to 9ba405c Compare January 16, 2026 16:58
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Check semver
uses: obi1kenobi/cargo-semver-checks-action@5b298c9520f7096a4683c0bd981a7ac5a7e249ae # v2.8

reported by reviewdog 🐶
[opengrep] An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA or is missing the semver reference comment

You can use pinact - https://github.com/suzuki-shunsuke/pinact - to pin them

👍

uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1

👎

uses: actions/cache@v3
uses: actions/[email protected]

GHA Policies


Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml


Cc @thypon @kdenhartog
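Both opengrep findings raised on this PR (a workflow with no `permissions:` block, and a `uses:` reference that is not a full-length commit SHA with a version comment) can be checked locally before pushing. The following is an added example, not the PR's code and not the security-action rule set: a small stdlib-only checker that assumes two-space YAML indentation and treats every remote `owner/repo@ref` action as one that must be pinned. The two sample workflows are constructed; the pinned refs in HARDENED are the ones from the review context above.

```python
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # a full-length git commit SHA

def check_workflow(text):
    """Return findings: unpinned remote actions, and jobs without permissions when no top-level block exists."""
    findings, top_perms, in_jobs, job, jobs = [], False, False, None, {}
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                                   # top-level key
            in_jobs, job = s == "jobs:", None
            top_perms = top_perms or s.startswith("permissions:")
            continue
        if in_jobs and indent == 2 and s.endswith(":"):    # a job id under jobs:
            job = s[:-1]
            jobs[job] = False
            continue
        if job and indent == 4 and s.startswith("permissions:"):
            jobs[job] = True
        m = re.match(r"-?\s*uses:\s*(\S+)(.*)$", s)
        if m and "@" in m.group(1) and not m.group(1).startswith(("./", "docker://")):
            action, ref = m.group(1).rsplit("@", 1)
            has_comment = re.search(r"#\s*v?\d", m.group(2)) is not None
            if not FULL_SHA.match(ref) or not has_comment:
                findings.append(f"{action}: ref '{ref}' is not a full SHA with a version comment")
    findings += [f"job '{j}': no permissions at top level or job level"
                 for j, ok in jobs.items() if not top_perms and not ok]
    return findings

# Constructed samples: WEAK mirrors the PR's first revision, HARDENED the pinned lines above.
WEAK = """\
jobs:
  semver:
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-semver-checks
      - run: cargo semver-checks
"""
HARDENED = """\
permissions:
  contents: read
jobs:
  semver:
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: obi1kenobi/cargo-semver-checks-action@5b298c9520f7096a4683c0bd981a7ac5a7e249ae # v2.8
"""
```

Running `check_workflow(WEAK)` reports both findings and `check_workflow(HARDENED)` reports none, which matches the outcome of the pinact check in the thread.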

Collaborator Author

It's pinned by full hash. False positive?

Collaborator Author

@kdenhartog @thypon
Could you take a look? Does using this action look good in terms of security?

Member

Double checked this PR with pinact and not seeing any issues - LGTM

@atuchin-m atuchin-m requested a review from antonok-edm January 16, 2026 19:03
@antonok-edm antonok-edm changed the title from "Add sermver-checks.yml" to "Add semver-checks.yml" Jan 16, 2026
@atuchin-m atuchin-m merged commit e3ba37f into master Jan 20, 2026
10 checks passed
@atuchin-m atuchin-m deleted the add-semver-checks-ci branch January 20, 2026 20:31