From 336f21f84627f2fcc4de3bf9b2c0d4dbf507a40a Mon Sep 17 00:00:00 2001 From: Guillaume Lours Date: Fri, 3 Jul 2026 15:16:03 +0200 Subject: [PATCH] ci: harden GitHub Actions workflows The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the vulnerable range of CVE-2025-24362 and the v2 line has no patched release, so bump to v3.36.3. Scope the release job to tag refs so its contents:write token is only minted when a release is actually created. In merge.yml, drop a dead conditional (workflow only triggers on push) and pass DOCKERDESKTOP_REPO to github-script via env rather than inline interpolation, as recommended against script injection. Signed-off-by: Guillaume Lours --- .github/workflows/ci.yml | 2 +- .github/workflows/merge.yml | 2 +- .github/workflows/scorecards.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b60989108..8370bb4a3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -304,6 +304,7 @@ jobs: files: ./coverage.txt release: + if: startsWith(github.ref, 'refs/tags/v') permissions: contents: write # to create a release (ncipollo/release-action) runs-on: ubuntu-latest @@ -329,7 +330,6 @@ jobs: find bin/release -type f -exec file -e ascii -- {} + - name: GitHub Release - if: startsWith(github.ref, 'refs/tags/v') uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0 with: artifacts: ./bin/release/* diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index ee8df35b2..435d9beb0 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -39,7 +39,7 @@ jobs: cache: true cache-scope: bin-image output: image - push: ${{ github.event_name != 'pull_request' }} + push: true # this workflow only triggers on push (main and tags) sbom: true set-meta-labels: true meta-images: | diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 237a1f520..df3c6130a 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -61,6 +61,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 + uses: github/codeql-action/upload-sarif@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3.36.3 with: sarif_file: results.sarif