ci: harden GitHub Actions workflows

The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the
vulnerable range of CVE-2025-24362 and the v2 line has no patched
release, so bump to v3.36.3. Scope the release job to tag refs so its
contents:write token is only minted when a release is actually
created. In merge.yml, drop a dead conditional (workflow only triggers
on push) and pass DOCKERDESKTOP_REPO to github-script via env rather
than inline interpolation, as recommended against script injection.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
This commit is contained in:
Guillaume Lours 2026-07-03 15:16:03 +02:00 committed by Guillaume Lours
parent b9d8a1a3e2
commit 336f21f846
3 changed files with 3 additions and 3 deletions

View file

@ -304,6 +304,7 @@ jobs:
files: ./coverage.txt
release:
if: startsWith(github.ref, 'refs/tags/v')
permissions:
contents: write # to create a release (ncipollo/release-action)
runs-on: ubuntu-latest
@ -329,7 +330,6 @@ jobs:
find bin/release -type f -exec file -e ascii -- {} +
-
name: GitHub Release
if: startsWith(github.ref, 'refs/tags/v')
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
with:
artifacts: ./bin/release/*

View file

@ -39,7 +39,7 @@ jobs:
cache: true
cache-scope: bin-image
output: image
push: ${{ github.event_name != 'pull_request' }}
push: true # this workflow only triggers on push (main and tags)
sbom: true
set-meta-labels: true
meta-images: |

View file

@ -61,6 +61,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
uses: github/codeql-action/upload-sarif@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3.36.3
with:
sarif_file: results.sarif