Summary
The default branch already hardened .github/workflows/cifuzz.yml, .github/workflows/main.yml, .github/workflows/trigger_dep_builds_v2.yml against the issue(s) below, but 3 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (3)
2.19 (still present as of HEAD 883b6b83)
2.15 (still present as of HEAD 4824be2e)
2.13 (still present as of HEAD 72f1478a)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
2.19 — unpinned-uses
File .github/workflows/trigger_dep_builds_v2.yml; suggested edits:
- ~ jobs.$J.steps[uses=peter-evans/repository-dispatch].uses : pin(peter-evans/repository-dispatch -> target_ref SHA)
--- a/.github/workflows/trigger_dep_builds_v2.yml
+++ b/.github/workflows/trigger_dep_builds_v2.yml
@@ -34,7 +34,7 @@
steps:
- name: Repository dispatch
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
with:
token: ${{ secrets.token }}
repository: ${{ matrix.repo }}
2.15 — unpinned-uses
File .github/workflows/cifuzz.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -30,7 +30,7 @@
dry-run: false
language: jvm
- name: Upload Crash
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3
if: failure() && steps.build.outcome == 'success'
with:
name: artifacts
2.13 — excessive-permissions
File .github/workflows/main.yml; suggested edits:
-
- permissions.contents = 'read'
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -68,3 +68,5 @@
token: ${{ secrets.CODECOV_TOKEN }}
file: ./target/site/jacoco/jacoco.xml
flags: unittests
+permissions:
+ contents: read
Happy to open pull requests instead if that's preferred.
Summary
The default branch already hardened
.github/workflows/cifuzz.yml,.github/workflows/main.yml,.github/workflows/trigger_dep_builds_v2.ymlagainst the issue(s) below, but 3 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.What's flagged (by zizmor)
excessive-permissions— workflow/job granted broaderpermissionsthan neededunpinned-uses— actions referenced by mutable tag/branch instead of a pinned commit SHAAlready resolved on the default branch in:
Affected release branches (3)
2.19(still present as of HEAD883b6b83)2.15(still present as of HEAD4824be2e)2.13(still present as of HEAD72f1478a)Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
2.19— unpinned-usesFile
.github/workflows/trigger_dep_builds_v2.yml; suggested edits:2.15— unpinned-usesFile
.github/workflows/cifuzz.yml; suggested edits:2.13— excessive-permissionsFile
.github/workflows/main.yml; suggested edits:Happy to open pull requests instead if that's preferred.