feat: prevent versioned 3P GitHub actions in PR builds (aws-observability#475)

thpierce · ezhang6811 · commit 2de80d4db27c · 2025-10-22T13:18:15.000-07:00
Add validation step to require commit SHAs instead of version tags for third-party GitHub actions in workflow files. Also fix the one we missed: `aquasecurity/trivy-action` - depending on `master` is pretty unusual and not trivial to catch, ultimately the Repo config `Require actions to be pinned to a full-length commit SHA` will protect against this if we missed any others. * `Python Instrumentation PR Build / static-code-checks (pull_request)` passes * `Check CHANGELOG` fails, causing PR-build to fail, but `Check for versioned GitHub action` passes: https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17924516041/job/50967250100?pr=475 * Added various [`@v` in code](aws-observability@f2f0523), only finds uncommented ones: https://github.com/aws-observability/aws-otel-python-instrumentation/actions/runs/17925754982/job/50971348934?pr=475 ``` Found versioned GitHub actions. Use commit SHAs instead: .github/actions/lambda_artifacts_build/action.yml:30: - uses: actions/checkout@v4 .github/actions/lambda_artifacts_build/action.yml:42: - uses: actions/checkout@v4 #v4 .github/workflows/daily-scan.yml:54: - uses: actions/checkout@v4 #v4 .github/workflows/daily-scan.yml:106: - uses: actions/checkout@v4 ``` By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
diff --git a/.github/actions/image_scan/action.yml b/.github/actions/image_scan/action.yml
@@ -32,7 +32,7 @@ runs:
     run: docker logout public.ecr.aws
 
   - name: Run Trivy vulnerability scanner on image
-    uses: aquasecurity/trivy-action@master
+    uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
     with:
       image-ref: ${{ inputs.image-ref }}
       severity: ${{ inputs.severity }}
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -10,6 +10,61 @@ permissions:
   contents: read
 
 jobs:
+  static-code-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
+        with:
+          fetch-depth: 0
+          
+      - name: Check CHANGELOG
+        if: always()
+        run: |
+          # Check if PR is from workflows bot or dependabot
+          if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
+            echo "Skipping check: PR from aws-application-signals-bot"
+            exit 0
+          fi
+          
+          if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+            echo "Skipping check: PR from dependabot"
+            exit 0
+          fi
+          
+          # Check for skip changelog label
+          if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
+            echo "Skipping check: skip changelog label found"
+            exit 0
+          fi
+          
+          # Fetch base branch and check for CHANGELOG modifications
+          git fetch origin ${{ github.base_ref }}
+          if git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -q "CHANGELOG.md"; then
+            echo "CHANGELOG.md entry found - check passed"
+            exit 0
+          fi
+          
+          echo "It looks like you didn't add an entry to CHANGELOG.md. If this change affects the SDK behavior, please update CHANGELOG.md and link this PR in your entry. If this PR does not need a CHANGELOG entry, you can add the 'Skip Changelog' label to this PR."
+          exit 1
+
+      - name: Check for versioned GitHub actions
+        if: always()
+        run: |
+          # Get changed GitHub workflow/action files
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+          
+          if [ -n "$CHANGED_FILES" ]; then
+            # Check for any versioned actions, excluding comments and this validation script
+            VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
+            if [ -n "$VIOLATIONS" ]; then
+              echo "Found versioned GitHub actions. Use commit SHAs instead:"
+              echo "$VIOLATIONS"
+              exit 1
+            fi
+          fi
+          
+          echo "No versioned actions found in changed files"
+
   build:
     runs-on: ubuntu-latest
     strategy:
