Add Codex plugin quality gate CI #307
Closed
internet-dot wants to merge 1 commit into getsentry:main from
Conversation
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Codex plugin quality gate | ||
| uses: hashgraph-online/hol-codex-plugin-scanner-action@v1 |
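Review bot: `actions/checkout@v4` on the first step is also a mutable tag, so the SHA-pinning concern raised for the scanner step applies to it as well; if the repository's policy is to pin actions to a full commit SHA, pin checkout too and keep the version in a trailing comment (`uses: actions/checkout@<sha> # v4`) so Dependabot or Renovate can still propose updates.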
Bug: The workflow uses a mutable tag (@v1) for a third-party GitHub Action, creating a supply chain risk as the underlying code can be changed without notice.
Severity: CRITICAL
Suggested Fix
To mitigate the supply chain risk, replace the mutable tag @v1 with the full, immutable commit SHA of the specific version of the action you intend to use. This ensures the executed code never changes unexpectedly. Before pinning, verify the action's source code and the contributor's affiliation to ensure it is trustworthy. If the action is not necessary, remove the workflow entirely.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/plugin-quality-gate.yml#L16
Potential issue: The workflow file `.github/workflows/plugin-quality-gate.yml` introduces a dependency on a third-party GitHub Action using a mutable tag, `hashgraph-online/hol-codex-plugin-scanner-action@v1`. This practice is insecure because the owner of the action can update the code behind the `@v1` tag at any time without notification. Since the workflow is triggered on changes to common files and has repository access, a malicious update could inject arbitrary code into the CI/CD pipeline, potentially leading to code or data exfiltration. The action is from an unaffiliated organization, increasing the risk.
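As an added example (not part of the PR or of the review comment above), a POSIX shell check that lists `uses:` references in a workflow file which are not pinned to a full 40-hex commit SHA, so the mutable-tag pattern flagged in this review can be caught before merge. The sample workflow it writes is constructed from the PR's steps; the all-zero SHA in it is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not from the PR or the review comment: list `uses:` refs in a
# GitHub Actions workflow that are not pinned to a full 40-hex commit SHA.

# Print every remote action reference whose ref is not a 40-hex SHA.
list_unpinned() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" |
    sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//' |
    tr -d "\"'" |
    while IFS= read -r ref; do
      case "$ref" in
        ./*|docker://*) continue ;;   # local and container actions carry no git ref
      esac
      sha="${ref##*@}"                # text after the last '@' (whole ref if none)
      printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$' || printf '%s\n' "$ref"
    done
}

# Exit 0 when every remote action is SHA-pinned, 1 otherwise (usable as a CI gate).
check_pins() {
  n=$(list_unpinned "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Constructed sample: the PR's two steps plus a local action and a pinned one.
# The all-zero SHA is a placeholder, not a real commit.
write_sample() {
  cat > "$1" <<'EOF'
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Codex plugin quality gate
        uses: hashgraph-online/hol-codex-plugin-scanner-action@v1
      - uses: ./.github/actions/local-step
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
EOF
}

# Demo on the constructed sample: prints the two unpinned refs.
sample=$(mktemp)
write_sample "$sample"
list_unpinned "$sample"
rm -f "$sample"
```

Run it against a real file with `list_unpinned .github/workflows/plugin-quality-gate.yml`, or use `check_pins` as a gate step whose non-zero exit fails the job.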
Author
Closing. My mistake, this was a duplicate.
Adds a CI workflow to validate Codex plugin manifests using the HOL Codex Plugin Scanner.
This workflow runs automatically on any PR that modifies plugin files (.codex-plugin/, skills/, .mcp.json) and ensures:
Scanner: codex-plugin-scanner | awesome-codex-plugins