Summary
The default branch already hardened .github/workflows/publish-release.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (5)
release-acala-2.28.0 (still present as of HEAD adc45f50)
release-karura-2.28.0 (still present as of HEAD adc45f50)
release-karura-2.27.0 (still present as of HEAD 27673888)
release-acala-2.27.0 (still present as of HEAD 27673888)
release-acala-2.26.0 (still present as of HEAD 17461df5)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
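As an added illustration of what the `unpinned-uses` check is looking for (this is example code written for this page, not zizmor's or actionlint's implementation), the script below does a simplified, line-based pass over a constructed sample workflow, classifies each `uses:` reference as pinned to a full commit SHA, mutable (tag, branch, or untagged Docker image), or local, and shows the rewrite that the per-branch hunks apply. The sample workflow, the `some-org/some-action` step and the Docker step are constructed; only the srtool step mirrors the hunks in this issue.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample workflow (not the repository's real file); it mixes the
# pinned srtool step from the issue's hunks with other reference styles.
SAMPLE_WORKFLOW = """\
name: publish-release
on:
  push:
    tags: ["*"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Srtool build
        id: srtool_build
        uses: chevdor/srtool-actions@48e9baed50ca414936dfac59d34d8b9bbe581abd # v0.9.2
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

# A `uses:` value, optionally quoted, optionally followed by a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line_no: int
    ref: str
    kind: str   # 'pinned', 'mutable' or 'local'
    note: str


def classify(ref: str, comment: Optional[str]) -> Tuple[str, str]:
    """Decide whether one `uses:` reference is immutable."""
    if ref.startswith('./'):
        return 'local', 'local action, versioned with the repository itself'
    if ref.startswith('docker://'):
        if '@sha256:' in ref:
            return 'pinned', 'image pinned by digest'
        return 'mutable', 'docker image referenced by tag, not digest'
    if '@' not in ref:
        return 'mutable', 'no ref given; resolves to the default branch'
    version = ref.rpartition('@')[2]
    if FULL_SHA_RE.match(version):
        if comment is None:
            return 'pinned', 'pinned, but no version comment for Dependabot/Renovate to track'
        return 'pinned', f'pinned to a commit SHA ({comment.strip()})'
    return 'mutable', f'"{version}" is a tag or branch and can be moved'


def scan(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line in the workflow text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind, note = classify(m.group(1), m.group(2))
        findings.append(Finding(n, m.group(1), kind, note))
    return findings


def unpinned(text: str) -> List[Finding]:
    """Only the references a scanner would report as unpinned-uses."""
    return [f for f in scan(text) if f.kind == 'mutable']


def pin_line(line: str, sha: str, version: str) -> str:
    """Rewrite one `uses:` line from a mutable tag to a full-SHA pin plus a
    version comment, i.e. the edit the hunks in this issue apply."""
    m = USES_RE.match(line)
    if not m or not FULL_SHA_RE.match(sha):
        raise ValueError('not a uses: line, or sha is not a full 40-hex commit id')
    ref = m.group(1)
    repo = ref.rpartition('@')[0] or ref
    indent = line[:len(line) - len(line.lstrip())]
    dash = '- ' if line.lstrip().startswith('-') else ''
    return f'{indent}{dash}uses: {repo}@{sha} # {version}'


if __name__ == '__main__':
    for f in scan(SAMPLE_WORKFLOW):
        print(f'line {f.line_no}: {f.kind:7} {f.ref}  ({f.note})')
```

Run stand-alone it lists every `uses:` reference with its classification; `unpinned()` gives the three mutable references in the sample, and `pin_line()` turns the pre-patch `uses: chevdor/srtool-actions@v0.9.2` line into exactly the `+` line shown in the hunks. The SHA passed to `pin_line()` must be resolved and verified out of band (for example against the tag in the upstream repository); the function only checks its shape.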
release-acala-2.28.0 — unpinned-uses
File .github/workflows/publish-release.yml; suggested edits:
- ~ jobs.$J.steps[id=srtool_build].uses : pin(chevdor/srtool-actions -> target_ref SHA)
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -58,7 +58,7 @@
# Build WASM with Substrate Runtime Tool
- name: Srtool build
id: srtool_build
- uses: chevdor/srtool-actions@v0.9.2
+ uses: chevdor/srtool-actions@48e9baed50ca414936dfac59d34d8b9bbe581abd # v0.9.2
env:
BUILD_OPTS: "--features on-chain-release-build,no-metadata-docs"
with:
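Review bot: the `# v0.9.2` comment on the `+` line is informational only; the runner checks out exactly 48e9baed50ca414936dfac59d34d8b9bbe581abd, so before merging confirm that this SHA is what the v0.9.2 tag resolves to in chevdor/srtool-actions (for example with `git ls-remote --tags https://github.com/chevdor/srtool-actions v0.9.2`, taking the dereferenced `^{}` entry if the tag is annotated) rather than taking the comment on trust. Keep the comment once verified: Dependabot and Renovate read it to propose SHA bumps when a new tag is published, and without it a pinned step silently goes stale.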
release-karura-2.28.0 — unpinned-uses
File .github/workflows/publish-release.yml; suggested edits:
- ~ jobs.$J.steps[id=srtool_build].uses : pin(chevdor/srtool-actions -> target_ref SHA)
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -58,7 +58,7 @@
# Build WASM with Substrate Runtime Tool
- name: Srtool build
id: srtool_build
- uses: chevdor/srtool-actions@v0.9.2
+ uses: chevdor/srtool-actions@48e9baed50ca414936dfac59d34d8b9bbe581abd # v0.9.2
env:
BUILD_OPTS: "--features on-chain-release-build,no-metadata-docs"
with:
release-karura-2.27.0 — unpinned-uses
File .github/workflows/publish-release.yml; suggested edits:
- ~ jobs.$J.steps[id=srtool_build].uses : pin(chevdor/srtool-actions -> target_ref SHA)
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -58,7 +58,7 @@
# Build WASM with Substrate Runtime Tool
- name: Srtool build
id: srtool_build
- uses: chevdor/srtool-actions@v0.9.2
+ uses: chevdor/srtool-actions@48e9baed50ca414936dfac59d34d8b9bbe581abd # v0.9.2
env:
BUILD_OPTS: "--features on-chain-release-build,no-metadata-docs"
with:
release-acala-2.27.0 — unpinned-uses
File .github/workflows/publish-release.yml; suggested edits:
- ~ jobs.$J.steps[id=srtool_build].uses : pin(chevdor/srtool-actions -> target_ref SHA)
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -58,7 +58,7 @@
# Build WASM with Substrate Runtime Tool
- name: Srtool build
id: srtool_build
- uses: chevdor/srtool-actions@v0.9.2
+ uses: chevdor/srtool-actions@48e9baed50ca414936dfac59d34d8b9bbe581abd # v0.9.2
env:
BUILD_OPTS: "--features on-chain-release-build,no-metadata-docs"
with:
release-acala-2.26.0 — unpinned-uses
File .github/workflows/publish-release.yml; suggested edits:
- ~ jobs.$J.steps[id=srtool_build].uses : pin(chevdor/srtool-actions -> target_ref SHA)
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -69,7 +69,7 @@
# Build WASM with Substrate Runtime Tool
- name: Srtool build
id: srtool_build
- uses: chevdor/srtool-actions@v0.9.2
+ uses: chevdor/srtool-actions@48e9baed50ca414936dfac59d34d8b9bbe581abd # v0.9.2
env:
BUILD_OPTS: "--features on-chain-release-build,no-metadata-docs"
with:
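Review bot: this hunk starts at line 69 while the other four branches patch line 58, so publish-release.yml has drifted on release-acala-2.26.0 relative to the newer branches. The context lines shown are identical and the change is the same single pin, but the offset means this branch's file has extra content above the srtool step; confirm that zizmor's report for this branch lists only this one `uses:` so that nothing pinned on the other branches is missed here.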
Happy to open pull requests instead if that's preferred.