Summary
The default branch already hardened .github/workflows/golangci-lint.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (5)
release-0.14 (still present as of HEAD 4cb6d7b1)
release-0.12 (still present as of HEAD 771e8a30)
release-0.13 (still present as of HEAD a08c9099)
release-0.11 (still present as of HEAD 4cebdaf1)
release-0.15 (still present as of HEAD cc6a168d)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release-0.14 — unpinned-uses
File .github/workflows/golangci-lint.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J.steps[uses=golangci/golangci-lint-action].uses : pin(golangci/golangci-lint-action -> target_ref SHA)
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -11,12 +11,12 @@
working-directory:
- ""
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.22'
- name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: v1.57.2
args: --timeout 15m
release-0.12 — unpinned-uses
File .github/workflows/golangci-lint.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J.steps[uses=golangci/golangci-lint-action].uses : pin(golangci/golangci-lint-action -> target_ref SHA)
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -11,12 +11,12 @@
working-directory:
- ""
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.21'
- name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: v1.57.2
args: --timeout 15m
release-0.13 — unpinned-uses
File .github/workflows/golangci-lint.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J.steps[uses=golangci/golangci-lint-action].uses : pin(golangci/golangci-lint-action -> target_ref SHA)
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -11,12 +11,12 @@
working-directory:
- ""
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.21'
- name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: v1.57.2
args: --timeout 15m
release-0.11 — unpinned-uses
File .github/workflows/golangci-lint.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J.steps[uses=golangci/golangci-lint-action].uses : pin(golangci/golangci-lint-action -> target_ref SHA)
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -11,12 +11,12 @@
working-directory:
- ""
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.21'
- name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: v1.57.2
args: --timeout 15m
release-0.15 — unpinned-uses
File .github/workflows/golangci-lint.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-go].uses : pin(actions/setup-go -> target_ref SHA)
- ~ jobs.$J.steps[uses=golangci/golangci-lint-action].uses : pin(golangci/golangci-lint-action -> target_ref SHA)
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -11,12 +11,12 @@
working-directory:
- ""
steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
with:
go-version: '1.22'
- name: golangci-lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: v1.57.2
args: --timeout 15m
Happy to open pull requests instead if that's preferred.
Summary
The default branch already hardened
.github/workflows/golangci-lint.ymlagainst the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.What's flagged (by zizmor)
unpinned-uses— actions referenced by mutable tag/branch instead of a pinned commit SHAAlready resolved on the default branch in:
Affected release branches (5)
release-0.14(still present as of HEAD4cb6d7b1)release-0.12(still present as of HEAD771e8a30)release-0.13(still present as of HEADa08c9099)release-0.11(still present as of HEAD4cebdaf1)release-0.15(still present as of HEADcc6a168d)Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release-0.14— unpinned-usesFile
.github/workflows/golangci-lint.yml; suggested edits:release-0.12— unpinned-usesFile
.github/workflows/golangci-lint.yml; suggested edits:release-0.13— unpinned-usesFile
.github/workflows/golangci-lint.yml; suggested edits:release-0.11— unpinned-usesFile
.github/workflows/golangci-lint.yml; suggested edits:release-0.15— unpinned-usesFile
.github/workflows/golangci-lint.yml; suggested edits:Happy to open pull requests instead if that's preferred.