Actions maintenance

[jaybuidl]

PR-Codex overview

This PR focuses on updating various GitHub Actions and Docker configurations to enhance security and functionality by upgrading dependencies and versions.

Detailed summary

• Updated FROM image in services/bots/base/Dockerfile to node:20-alpine.
• Upgraded step-security/harden-runner to version v2.10.3 across multiple workflows.
• Updated actions/checkout to version v4.2.2 in several workflows.
• Changed getsentry/action-release to version v1.9.0.
• Updated actions/setup-node to version v4.2.0.
• Upgraded actions/dependency-review-action to version v4.5.0.
• Updated actions/upload-artifact to version v4.6.0.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

• Chores

  • Updated GitHub Actions workflow configurations with latest action versions.
  • Updated base Docker image for Node.js to a specific digest for improved build reproducibility.

• Security

  • Added read permissions to various workflow configurations.
  • Updated dependency review and security scanning actions.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

This pull request focuses on updating GitHub Actions workflow configurations and a Dockerfile across multiple files. The primary changes involve upgrading action versions, particularly actions/checkout, to their latest iterations. Several workflows including CodeQL, Dependency Review, Deploy Bots, Deploy Subgraph, Scorecards, Sentry Release, and SonarCloud have been updated. Additionally, the base bot Dockerfile now specifies a specific image digest for the Node.js Alpine base image, enhancing build reproducibility. Permissions for read access to contents have also been added in some workflows.

Changes

File	Change Summary
.github/workflows/codeql.yml	Updated step-security/harden-runner and actions/checkout action versions
.github/workflows/dependency-review.yml	Updated step-security/harden-runner, actions/checkout, and actions/dependency-review-action versions
.github/workflows/deploy-bots.yml	Added contents: read permissions, updated step-security/harden-runner action version
.github/workflows/deploy-subgraph.yml	Updated step-security/harden-runner, actions/checkout, and actions/setup-node action versions
.github/workflows/scorecards.yml	Updated step-security/harden-runner, actions/checkout, and actions/upload-artifact action versions
.github/workflows/sentry-release.yml	Added contents: read permissions, updated getsentry/action-release and step-security/harden-runner versions
.github/workflows/sonarcloud.yml	Updated step-security/harden-runner and actions/checkout action versions
services/bots/base/Dockerfile	Specified exact digest for node:20-alpine base image
.github/workflows/contracts-testing.yml	Added contents: read permissions, updated step-security/harden-runner action version

Possibly related PRs

• feat(subgraph,web): fix coherent votes at vote level instead of dispute level #1702: The main PR updates action versions in the workflow, while this PR also updates the step-security/harden-runner and actions/checkout actions in multiple workflows, indicating a related focus on maintaining action versions.
• Patches and various version bumps #1728: This PR includes updates to action versions, specifically the step-security/harden-runner and actions/checkout, which aligns with the version updates in the main PR.
• [StepSecurity] ci: Harden GitHub Actions #1735: Similar to the main PR, this PR updates the step-security/harden-runner action version, indicating a shared focus on enhancing security practices in GitHub Actions workflows.

Suggested labels

Type: Maintenance :construction:

Poem

🐰 Workflows dancing, versions bright,
Actions updated with rabbit's might!
From CodeQL to Sentry's release,
Upgrades flowing with such ease,
Security's path, now clear and light! 🔒✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 075b0a0 and 5e207df.

📒 Files selected for processing (8)

• .github/workflows/codeql.yml (1 hunks)
• .github/workflows/contracts-testing.yml (1 hunks)
• .github/workflows/dependency-review.yml (2 hunks)
• .github/workflows/deploy-bots.yml (1 hunks)
• .github/workflows/deploy-subgraph.yml (2 hunks)
• .github/workflows/scorecards.yml (3 hunks)
• .github/workflows/sentry-release.yml (2 hunks)
• .github/workflows/sonarcloud.yml (1 hunks)

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codeclimate]

Code Climate has analyzed commit 075b0a0 and detected 0 issues on this pull request.

View more on Code Climate.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (1)

.github/workflows/scorecards.yml (1)

Update harden-runner action to latest version v2.10.4

All commit hashes are verified correct for their respective versions. While actions/[email protected] and actions/[email protected] are at their latest versions, step-security/harden-runner is using v2.5.0 when v2.10.4 is available. Since this is a security-focused action, it's recommended to update to the latest version to ensure you have the most recent security improvements.

🔗 Analysis chain

Line range hint 35-81: Verify the integrity of action versions.

Let's ensure these are the latest secure versions and verify the commit hashes.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the action versions and their commit hashes

# Function to check GitHub release
check_release() {
    local repo=$1
    local version=$2
    local hash=$3
    
    echo "Checking $repo@$version..."
    
    # Get the latest release version
    latest=$(gh api repos/$repo/releases/latest --jq .tag_name)
    echo "Latest version: $latest"
    
    # Get the commit hash for the specified version
    commit=$(gh api repos/$repo/git/ref/tags/$version --jq .object.sha)
    echo "Commit hash for $version: $commit"
    
    # Compare with the hash in the workflow
    if [[ $commit == *"$hash"* ]]; then
        echo "✅ Hash matches"
    else
        echo "❌ Hash mismatch"
    fi
    echo "---"
}

# Check each action
check_release "step-security/harden-runner" "v2.5.0" "cba0d00b1fc9a034e1e642ea0f1103c282990604"
check_release "actions/checkout" "v4.2.2" "11bd71901bbe5b1630ceea73d27597364c9af683"
check_release "actions/upload-artifact" "v4.6.0" "65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08"

Length of output: 2666

---

Script:

#!/bin/bash
# Check the changelog between v2.5.0 and v2.10.4 of harden-runner

echo "Fetching releases between v2.5.0 and v2.10.4..."
gh api repos/step-security/harden-runner/releases --jq '.[] | select(.tag_name > "v2.5.0" and .tag_name <= "v2.10.4") | {version: .tag_name, body: .body}'

Length of output: 261

🧹 Nitpick comments (2)

.github/workflows/deploy-subgraph.yml (2)

38-41: Consider updating egress policy to block mode.

The egress policy is set to 'audit'. Consider analyzing the audit logs and switching to 'block' mode with explicit allowed endpoints, similar to the dependency-review workflow.

---

Line range hint 1-1: Overall Workflow Maintenance Review

The changes demonstrate good security practices with consistent version updates and commit hash pinning. However, there's an opportunity to standardize the egress policy configuration across workflows:

1. ✅ dependency-review.yml: block mode with explicit endpoints
2. ⚠️ deploy-bots.yml: audit mode (TODO)
3. ⚠️ deploy-subgraph.yml: audit mode

Consider:

1. Analyzing audit logs from deploy-bots and deploy-subgraph workflows
2. Standardizing on block mode with explicit allowed endpoints across all workflows

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f242326 and 075b0a0.

📒 Files selected for processing (8)

• .github/workflows/codeql.yml (1 hunks)
• .github/workflows/dependency-review.yml (1 hunks)
• .github/workflows/deploy-bots.yml (1 hunks)
• .github/workflows/deploy-subgraph.yml (2 hunks)
• .github/workflows/scorecards.yml (3 hunks)
• .github/workflows/sentry-release.yml (1 hunks)
• .github/workflows/sonarcloud.yml (1 hunks)
• services/bots/base/Dockerfile (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• .github/workflows/codeql.yml
• services/bots/base/Dockerfile

🔇 Additional comments (8)

.github/workflows/sonarcloud.yml (1)

26-26: LGTM! Good security practices.

The update to actions/[email protected] with commit hash pinning enhances security and reproducibility. The permissions are properly configured following the principle of least privilege.

.github/workflows/deploy-bots.yml (1)

11-13: Address the TODO comment for egress policy.

The egress policy is currently set to 'audit'. As indicated by the TODO comment, it should be changed to 'block' after confirming the required endpoints through audit runs.

Could you share the audit logs from previous runs to help determine the required endpoints for the egress policy?

.github/workflows/dependency-review.yml (1)

33-39: LGTM! Well-configured security settings.

The workflow demonstrates excellent security practices:

1. Updated to latest stable versions with commit hash pinning
2. Proper egress policy in block mode
3. Explicitly defined allowed endpoints

.github/workflows/sentry-release.yml (1)

75-75: LGTM! Proper version pinning and endpoint configuration.

The Sentry release action is properly versioned with commit hash, and the workflow has a comprehensive list of allowed endpoints.

.github/workflows/deploy-subgraph.yml (1)

47-52: LGTM! Good version management.

The actions have been properly updated to their latest versions with commit hash pinning for improved security and reproducibility.

.github/workflows/scorecards.yml (3)

35-35: LGTM! Secure version pinning for harden-runner action.

The update to v2.5.0 using a commit hash follows security best practices for version pinning.

---

54-54: LGTM! Secure version pinning for checkout action.

The update to v4.2.2 using a commit hash follows security best practices for version pinning.

---

81-81: LGTM! Secure version pinning for upload-artifact action.

The update to v4.6.0 using a commit hash follows security best practices for version pinning.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[netlify]

✅ Deploy Preview for kleros-v2-testnet ready!

Name	Link
🔨 Latest commit	5e207df
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-testnet/deploys/67982187303eac0008a8ece3
😎 Deploy Preview	https://deploy-preview-1861--kleros-v2-testnet.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2-neo ready!

Name	Link
🔨 Latest commit	5e207df
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-neo/deploys/67982187c76117000827487a
😎 Deploy Preview	https://deploy-preview-1861--kleros-v2-neo.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2-testnet-devtools ready!

Name	Link
🔨 Latest commit	5e207df
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-testnet-devtools/deploys/67982187d4794e0008d0ac16
😎 Deploy Preview	https://deploy-preview-1861--kleros-v2-testnet-devtools.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2-university ready!

Name	Link
🔨 Latest commit	5e207df
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-university/deploys/679821872b55690008d04a39
😎 Deploy Preview	https://deploy-preview-1861--kleros-v2-university.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.