mirror of
https://github.com/docker/compose.git
synced 2026-07-11 18:54:35 +00:00
ci: harden GitHub Actions workflows
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the vulnerable range of CVE-2025-24362 and the v2 line has no patched release, so bump to v3.36.3. Scope the release job to tag refs so its contents:write token is only minted when a release is actually created. In merge.yml, drop a dead conditional (workflow only triggers on push) and pass DOCKERDESKTOP_REPO to github-script via env rather than inline interpolation, as recommended against script injection. Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
This commit is contained in:
parent
b9d8a1a3e2
commit
336f21f846
3 changed files with 3 additions and 3 deletions
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
|
|
@ -304,6 +304,7 @@ jobs:
|
|||
files: ./coverage.txt
|
||||
|
||||
release:
|
||||
if: startsWith(github.ref, 'refs/tags/v')
|
||||
permissions:
|
||||
contents: write # to create a release (ncipollo/release-action)
|
||||
runs-on: ubuntu-latest
|
||||
|
|
@ -329,7 +330,6 @@ jobs:
|
|||
find bin/release -type f -exec file -e ascii -- {} +
|
||||
-
|
||||
name: GitHub Release
|
||||
if: startsWith(github.ref, 'refs/tags/v')
|
||||
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
|
||||
with:
|
||||
artifacts: ./bin/release/*
|
||||
|
|
|
|||
2
.github/workflows/merge.yml
vendored
2
.github/workflows/merge.yml
vendored
|
|
@ -39,7 +39,7 @@ jobs:
|
|||
cache: true
|
||||
cache-scope: bin-image
|
||||
output: image
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
push: true # this workflow only triggers on push (main and tags)
|
||||
sbom: true
|
||||
set-meta-labels: true
|
||||
meta-images: |
|
||||
|
|
|
|||
2
.github/workflows/scorecards.yml
vendored
2
.github/workflows/scorecards.yml
vendored
|
|
@ -61,6 +61,6 @@ jobs:
|
|||
|
||||
# Upload the results to GitHub's code scanning dashboard.
|
||||
- name: "Upload to code-scanning"
|
||||
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
|
||||
uses: github/codeql-action/upload-sarif@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3.36.3
|
||||
with:
|
||||
sarif_file: results.sarif
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue