Skip to content

fix(security-container-scan): pin anchore/sbom-action by SHA for GHE allowlist#52

Merged
nvjaxzin merged 1 commit into
mainfrom
fix/pin-sbom-action-sha
Jul 14, 2026
Merged

fix(security-container-scan): pin anchore/sbom-action by SHA for GHE allowlist#52
nvjaxzin merged 1 commit into
mainfrom
fix/pin-sbom-action-sha

Conversation

@nvjaxzin

@nvjaxzin nvjaxzin commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Pin anchore/sbom-action to e22c389904149dbc22b58101806040fa8d37a610 (v0.24.0) instead of floating @v0
  • NVIDIA GHE validates the literal uses: ref against the enterprise allowlist; @v0 fails instantly even when the resolved SHA is allowlisted (NVBug 6457170)
  • Unblocks downstream repos (e.g. NVIDIA/infra-controller) that consume security-container-scan@<sha>

Test plan

  • Merge and note the new commit SHA for consumer pin bumps
  • Bump NVIDIA/dsx-github-actions/.github/actions/security-container-scan@... in infra-controller
  • Confirm a container build job passes GHE workflow validation (no instant not allowed on sbom-action)

Follow-up (separate PRs)

  • docker-build/action.yml still uses @v3/@v5 docker actions (may be covered by allowlist wildcards)
  • helm-* actions use dcarbone/install-*@v1.x tags — audit if those hit the same issue

…allowlist

Replace floating @v0 tag with the enterprise-allowlisted commit
(e22c389, v0.24.0). Tag refs fail NVIDIA GHE workflow validation even
when the resolved SHA is allowlisted, which breaks downstream repos
such as infra-controller that consume this composite action.
@nvjaxzin nvjaxzin merged commit aa4e470 into main Jul 14, 2026
2 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 14, 2026
@nvjaxzin nvjaxzin deleted the fix/pin-sbom-action-sha branch July 14, 2026 23:32
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants