Summary
The default branch already hardened .github/workflows/test-build-deploy.yml against the issue(s) below, but 3 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (3)
release-1.17 (still present as of HEAD 312b610d)
release-1.16 (still present as of HEAD 155b2c62)
release-2024-4-4-prepare-2 (still present as of HEAD 17675adf)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
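As an added example (not the issue author's tooling and not zizmor itself), the following script approximates the two findings on a constructed workflow snippet: it classifies each `uses:` reference as local, pinned or mutable, rewrites mutable ones into the `owner/repo@<sha> # <tag>` form the diffs below use from an assumed tag-to-commit table, and checks for a top-level `permissions:` block. The codeql-action SHA in that table is an all-zero placeholder, not a real commit.

```python
import re

# Constructed sample, not the project's real workflow: mirrors the page's
# "before" steps plus one already-pinned step and one local action.
SAMPLE_WORKFLOW = """\
name: test-build-deploy
on: [push]
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v2
      - name: Upgrade golang
        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
      - uses: ./.github/actions/local-helper
      - uses: github/codeql-action/init@v3
"""

# Tag -> commit table. The checkout SHA is the one the page's diffs use; the
# codeql-action entry is an all-zero placeholder, not a real commit.
PIN_MAP = {
    "actions/checkout@v2": "ee0669bd1cc54295c223e0bb666b733df41de1c5",
    "github/codeql-action/init@v3": "0" * 40,
}

USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s#]+)(.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref):
    """'local' (./path, docker://), 'pinned' (full 40-hex SHA), else 'mutable'."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local"
    if "@" in ref and FULL_SHA_RE.match(ref.rsplit("@", 1)[1]):
        return "pinned"
    return "mutable"

def find_unpinned_uses(text):
    """(line_no, ref) for each `uses:` that the unpinned-uses rule would flag."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(2)) == "mutable":
            out.append((n, m.group(2)))
    return out

def pin_workflow(text, pin_map):
    """Rewrite mutable refs as `owner/repo@<sha> # <tag>` (the form the diffs
    use); returns the new text plus the refs pin_map could not resolve."""
    lines, unresolved = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m.group(2)) == "mutable":
            ref = m.group(2)
            if ref in pin_map:
                repo, tag = ref.rsplit("@", 1)
                # Keep the tag as a trailing comment so update tooling can
                # still tell which release the SHA corresponds to.
                line = f"{m.group(1)}{repo}@{pin_map[ref]} # {tag}"
            else:
                unresolved.append(ref)
        lines.append(line)
    return "\n".join(lines) + "\n", unresolved

def has_top_level_permissions(text):
    """Rough excessive-permissions check: no top-level block means the default token scope."""
    return any(ln.startswith("permissions:") for ln in text.splitlines())
```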
release-1.17 — excessive-permissions, unpinned-uses
File .github/workflows/test-build-deploy.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J3.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J3.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J5.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J5.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J6.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J7.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/autobuild].uses : pin(github/codeql-action/autobuild -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J8.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
--- a/.github/workflows/test-build-deploy.yml
+++ b/.github/workflows/test-build-deploy.yml
@@ -14,7 +14,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
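Review bot: the hunk lines as rendered here have lost their YAML indentation (the summary says whitespace was normalized), so this diff will not apply cleanly with `git apply`; regenerate it against the branch with the original indentation before opening the PR. The `# v2` trailing comment on the `+` line is worth keeping in exactly this form, since tools such as Dependabot read it to recognise which release the SHA corresponds to and bump both together.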
@@ -43,7 +43,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -65,9 +65,7 @@
security-events: write
steps:
- name: Checkout repository
- uses: actions/checkout@v4
-
- # Initializes the CodeQL tools for scanning.
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
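Review bot: this hunk removes the blank line and the `# Initializes the CodeQL tools for scanning.` comment, neither of which is a security-relevant line, contradicting the summary's claim that only security-relevant lines change; keep them and pin only the `uses:` line. Also, the edit list for this branch says `github/codeql-action/init`, `autobuild` and `analyze` are to be pinned, yet `uses: github/codeql-action/init@v3` remains unpinned in the context here, and no hunk in this diff touches a `permissions:` block even though the heading lists excessive-permissions as addressed (the `security-events: write` context shows where this job's permissions live). Either add those hunks or narrow the heading to unpinned-uses.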
@@ -86,7 +84,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -107,7 +105,7 @@
touch build-image/.uptodate
make BUILD_IN_CONTAINER=false web-build
- name: Upload Website Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: website public
path: website/public/
@@ -119,7 +117,7 @@
- name: Create Docker Images Archive
run: tar -cvf images.tar /tmp/images
- name: Upload Docker Images Artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: Docker Images
path: ./images.tar
@@ -140,11 +138,11 @@
- integration_query_fuzz
steps:
- name: Upgrade golang
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
with:
go-version: 1.21.9
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Install Docker Client
run: sudo ./.github/workflows/scripts/install-docker.sh
- name: Sym Link Expected Path to Workspace
@@ -152,7 +150,7 @@
sudo mkdir -p /go/src/github.com/cortexproject/cortex
sudo ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Docker Images Artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: Docker Images
- name: Extract Docker Images Archive
@@ -201,11 +199,11 @@
runs-on: ubuntu-20.04
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Install Docker Client
run: sudo ./.github/workflows/scripts/install-docker.sh
- name: Download Docker Images Artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: Docker Images
- name: Extract Docker Images Archive
@@ -225,7 +223,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
with:
# web-deploy script expects repo to be cloned with ssh for some commands to work
ssh-key: ${{ secrets.WEBSITE_DEPLOY_SSH_PRIVATE_KEY }}
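Review bot: this is the checkout that receives `secrets.WEBSITE_DEPLOY_SSH_PRIVATE_KEY`, so it is the step where a mutable tag carries the most risk: whatever commit `v2` resolves to at run time is handed the deploy key. Pinning here is the right call; before merging, confirm that `ee0669bd1cc54295c223e0bb666b733df41de1c5` is the commit the actions/checkout `v2` release tag points to (the same SHA is reused for every checkout@v2 in this file, so one mistake would propagate to all of them) and that it supports the `ssh-key` input used two lines below.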
@@ -239,7 +237,7 @@
mkdir -p /go/src/github.com/cortexproject/cortex
ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Website Artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: website public
path: website/public
@@ -267,7 +265,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -280,7 +278,7 @@
mkdir -p /go/src/github.com/cortexproject/cortex
ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Docker Images Artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: Docker Images
- name: Extract Docker Images Archive
release-1.16 — excessive-permissions, unpinned-uses
File .github/workflows/test-build-deploy.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J3.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J3.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J5.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J5.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J6.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J7.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/autobuild].uses : pin(github/codeql-action/autobuild -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J8.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
--- a/.github/workflows/test-build-deploy.yml
+++ b/.github/workflows/test-build-deploy.yml
@@ -14,7 +14,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
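Review bot: the edit list for release-1.16 is identical to the release-1.17 one, including the `$J7` `github/codeql-action/init`, `autobuild` and `analyze` pins, but no hunk in this diff touches a CodeQL job or a `permissions:` block; the diff goes straight into three checkout hunks. Either the list was copied from the other branch or hunks are missing, so reconcile the list with the actual diff before this goes into a PR. Same indentation caveat as the other branches: the rendered hunks have lost their YAML whitespace and need regenerating to apply.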
@@ -43,7 +43,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -62,7 +62,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -83,7 +83,7 @@
touch build-image/.uptodate
make BUILD_IN_CONTAINER=false web-build
- name: Upload Website Artifact
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
with:
name: website public
path: website/public/
@@ -95,7 +95,7 @@
- name: Create Docker Images Archive
run: tar -cvf images.tar /tmp/images
- name: Upload Docker Images Artifact
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
with:
name: Docker Images
path: ./images.tar
@@ -116,11 +116,11 @@
- integration_query_fuzz
steps:
- name: Upgrade golang
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
with:
go-version: 1.21.9
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Install Docker Client
run: sudo ./.github/workflows/scripts/install-docker.sh
- name: Sym Link Expected Path to Workspace
@@ -128,7 +128,7 @@
sudo mkdir -p /go/src/github.com/cortexproject/cortex
sudo ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Docker Images Artifacts
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: Docker Images
- name: Extract Docker Images Archive
@@ -179,11 +179,11 @@
runs-on: ubuntu-20.04
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Install Docker Client
run: sudo ./.github/workflows/scripts/install-docker.sh
- name: Download Docker Images Artifact
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: Docker Images
- name: Extract Docker Images Archive
@@ -203,7 +203,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
with:
# web-deploy script expects repo to be cloned with ssh for some commands to work
ssh-key: ${{ secrets.WEBSITE_DEPLOY_SSH_PRIVATE_KEY }}
@@ -217,7 +217,7 @@
mkdir -p /go/src/github.com/cortexproject/cortex
ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Website Artifact
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: website public
path: website/public
@@ -245,7 +245,7 @@
image: quay.io/cortexproject/build-image:upgrade-go-to-1.21.9-b37062f16
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -258,7 +258,7 @@
mkdir -p /go/src/github.com/cortexproject/cortex
ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Docker Images Artifact
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: Docker Images
- name: Extract Docker Images Archive
release-2024-4-4-prepare-2 — excessive-permissions, unpinned-uses
File .github/workflows/test-build-deploy.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J3.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J3.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J5.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J5.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J4.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J6.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J7.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/autobuild].uses : pin(github/codeql-action/autobuild -> target_ref SHA)
- ~ jobs.$J7.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J8.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
--- a/.github/workflows/test-build-deploy.yml
+++ b/.github/workflows/test-build-deploy.yml
@@ -11,7 +11,7 @@
image: quay.io/cortexproject/build-image:PR5765-0ff811969
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -36,7 +36,7 @@
image: quay.io/cortexproject/build-image:PR5765-0ff811969
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -60,9 +60,7 @@
security-events: write
steps:
- name: Checkout repository
- uses: actions/checkout@v4
-
- # Initializes the CodeQL tools for scanning.
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
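Review bot: as in the release-1.17 diff, the `-` lines drop a blank line and the `# Initializes the CodeQL tools for scanning.` comment, which are not security-relevant changes; limit the hunk to the `uses:` pin. `github/codeql-action/init@v3` is still unpinned in the context, and nothing in this diff changes the `permissions:` block visible just above (`security-events: write`), so the excessive-permissions finding named in the heading is not actually addressed by these hunks.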
@@ -81,7 +79,7 @@
image: quay.io/cortexproject/build-image:PR5765-0ff811969
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -104,7 +102,7 @@
touch build-image/.uptodate
make BUILD_IN_CONTAINER=false web-build
- name: Upload Website Artifact
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
with:
name: website public
path: website/public/
@@ -116,7 +114,7 @@
- name: Create Docker Images Archive
run: tar -cvf images.tar /tmp/images
- name: Upload Docker Images Artifact
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2
with:
name: Docker Images
path: ./images.tar
@@ -137,11 +135,11 @@
- integration_query_fuzz
steps:
- name: Upgrade golang
- uses: actions/setup-go@v2
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2
with:
go-version: 1.21.3
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Install Docker Client
run: sudo ./.github/workflows/scripts/install-docker.sh
- name: Sym Link Expected Path to Workspace
@@ -151,7 +149,7 @@
- name: cherry pick
run: git apply .github/workflows/thanos-engine.patch
- name: Download Docker Images Artifacts
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: Docker Images
- name: Extract Docker Images Archive
@@ -199,11 +197,11 @@
runs-on: ubuntu-20.04
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Install Docker Client
run: sudo ./.github/workflows/scripts/install-docker.sh
- name: Download Docker Images Artifact
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: Docker Images
- name: Extract Docker Images Archive
@@ -224,7 +222,7 @@
image: quay.io/cortexproject/build-image:PR5765-0ff811969
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
with:
# web-deploy script expects repo to be cloned with ssh for some commands to work
ssh-key: ${{ secrets.WEBSITE_DEPLOY_SSH_PRIVATE_KEY }}
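Review bot: same concern as the corresponding release-1.17 hunk: this checkout is handed `secrets.WEBSITE_DEPLOY_SSH_PRIVATE_KEY`, so the pin matters most here; verify the SHA against the actions/checkout `v2` tag rather than trusting the `# v2` comment, since the comment is informational only and the runner checks out whatever the SHA names.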
@@ -238,7 +236,7 @@
mkdir -p /go/src/github.com/cortexproject/cortex
ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Website Artifact
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: website public
path: website/public
@@ -266,7 +264,7 @@
image: quay.io/cortexproject/build-image:PR5765-0ff811969
steps:
- name: Checkout Repo
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
- name: Setup Git safe.directory
run: |
echo "this step is needed because when running in container, actions/checkout does not set safe.directory effectively."
@@ -279,7 +277,7 @@
mkdir -p /go/src/github.com/cortexproject/cortex
ln -s $GITHUB_WORKSPACE/* /go/src/github.com/cortexproject/cortex
- name: Download Docker Images Artifact
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2
with:
name: Docker Images
- name: Extract Docker Images Archive
Happy to open pull requests instead if that's preferred.