Summary
The default branch already hardened .github/workflows/cifuzz.yml, .github/workflows/main.yml, .github/workflows/trigger_dep_builds_v2.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (5)
2.19 (still present as of HEAD 6dea8a80)
2.18 (still present as of HEAD ada244d0)
2.15 (still present as of HEAD b2480fa6)
2.14 (still present as of HEAD b4b8a438)
2.13 (still present as of HEAD c8784bf3)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
2.19 — unpinned-uses
File .github/workflows/trigger_dep_builds_v2.yml; suggested edits:
- ~ jobs.$J.steps[uses=peter-evans/repository-dispatch].uses : pin(peter-evans/repository-dispatch -> target_ref SHA)
--- a/.github/workflows/trigger_dep_builds_v2.yml
+++ b/.github/workflows/trigger_dep_builds_v2.yml
@@ -21,7 +21,7 @@
steps:
- name: Repository dispatch
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
with:
token: ${{ secrets.token }}
repository: ${{ matrix.repo }}
2.18 — unpinned-uses
File .github/workflows/trigger_dep_builds_v2.yml; suggested edits:
- ~ jobs.$J.steps[uses=peter-evans/repository-dispatch].uses : pin(peter-evans/repository-dispatch -> target_ref SHA)
--- a/.github/workflows/trigger_dep_builds_v2.yml
+++ b/.github/workflows/trigger_dep_builds_v2.yml
@@ -21,7 +21,7 @@
steps:
- name: Repository dispatch
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
with:
token: ${{ secrets.token }}
repository: ${{ matrix.repo }}
2.15 — unpinned-uses
File .github/workflows/cifuzz.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -27,7 +27,7 @@
dry-run: false
language: jvm
- name: Upload Crash
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3
if: failure() && steps.build.outcome == 'success'
with:
name: artifacts
2.14 — excessive-permissions
File .github/workflows/cifuzz.yml; suggested edits:
-
- permissions.contents = 'read'
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -24,3 +24,5 @@
with:
name: artifacts
path: ./out/artifacts
+permissions:
+ contents: read
2.13 — unpinned-uses
File .github/workflows/main.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=codecov/codecov-action].uses : pin(codecov/codecov-action -> target_ref SHA)
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -33,9 +33,9 @@
env:
JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1"
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- name: Set up JDK
- uses: actions/setup-java@v3
+ uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
with:
distribution: 'temurin'
java-version: ${{ matrix.java_version }}
@@ -66,7 +66,7 @@
run: ./mvnw -B -q -ff -ntp test
- name: Publish code coverage
if: github.event_name != 'pull_request' && matrix.java_version == '8'
- uses: codecov/codecov-action@v2
+ uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2
with:
token: ${{ secrets.CODECOV_TOKEN }}
file: ./target/site/jacoco/jacoco.xml
Happy to open pull requests instead if that's preferred.
Summary
The default branch already hardened
.github/workflows/cifuzz.yml,.github/workflows/main.yml,.github/workflows/trigger_dep_builds_v2.ymlagainst the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.What's flagged (by zizmor)
excessive-permissions— workflow/job granted broaderpermissionsthan neededunpinned-uses— actions referenced by mutable tag/branch instead of a pinned commit SHAAlready resolved on the default branch in:
Affected release branches (5)
2.19(still present as of HEAD6dea8a80)2.18(still present as of HEADada244d0)2.15(still present as of HEADb2480fa6)2.14(still present as of HEADb4b8a438)2.13(still present as of HEADc8784bf3)Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
2.19— unpinned-usesFile
.github/workflows/trigger_dep_builds_v2.yml; suggested edits:2.18— unpinned-usesFile
.github/workflows/trigger_dep_builds_v2.yml; suggested edits:2.15— unpinned-usesFile
.github/workflows/cifuzz.yml; suggested edits:2.14— excessive-permissionsFile
.github/workflows/cifuzz.yml; suggested edits:2.13— unpinned-usesFile
.github/workflows/main.yml; suggested edits:Happy to open pull requests instead if that's preferred.