Summary
The default branch already hardened .github/workflows/kind-e2e.yaml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (5)
release-1.15 (still present as of HEAD 3870dcdc)
release-1.16 (still present as of HEAD e36d8fac)
release-1.14 (still present as of HEAD 3049d814)
release-1.13 (still present as of HEAD 59626f89)
release-1.12 (still present as of HEAD 9d21588e)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release-1.15 — unpinned-uses
File .github/workflows/kind-e2e.yaml; suggested edits:
- ~ jobs.$J.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=ko-build/setup-ko].uses : pin(ko-build/setup-ko -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/kind-diag].uses : pin(chainguard-dev/actions/kind-diag -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/setup-kind].uses : pin(chainguard-dev/actions/setup-kind -> target_ref SHA)
--- a/.github/workflows/kind-e2e.yaml
+++ b/.github/workflows/kind-e2e.yaml
@@ -25,8 +25,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
-
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: setup-go
uses: knative/actions/setup-go@main
@@ -35,7 +34,7 @@
mkdir -p ~/artifacts/build
mkdir -p ~/artifacts/registry
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
~/.cache/go-build
@@ -46,8 +45,7 @@
# Install the latest release of ko
- name: Install ko
- uses: ko-build/setup-ko@v0.7
-
+ uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
- name: Setup Registry
run: |
docker run -d --restart=always \
@@ -68,7 +66,7 @@
run: |
./test/upload-test-images.sh
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: artifacts
path: ~/artifacts
@@ -155,7 +153,7 @@
- name: setup-go
uses: knative/actions/setup-go@main
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
~/.cache/go-build
@@ -164,7 +162,7 @@
restore-keys: |
${{ runner.os }}-go-
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: artifacts
path: ~/artifacts
@@ -186,7 +184,7 @@
sudo mv gotestsum /usr/local/bin
echo "::endgroup::"
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
release-1.16 — unpinned-uses
File .github/workflows/kind-e2e.yaml; suggested edits:
- ~ jobs.$J.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=ko-build/setup-ko].uses : pin(ko-build/setup-ko -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/kind-diag].uses : pin(chainguard-dev/actions/kind-diag -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/setup-kind].uses : pin(chainguard-dev/actions/setup-kind -> target_ref SHA)
--- a/.github/workflows/kind-e2e.yaml
+++ b/.github/workflows/kind-e2e.yaml
@@ -25,8 +25,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
-
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: setup-go
uses: knative/actions/setup-go@main
@@ -35,7 +34,7 @@
mkdir -p ~/artifacts/build
mkdir -p ~/artifacts/registry
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
~/.cache/go-build
@@ -46,8 +45,7 @@
# Install the latest release of ko
- name: Install ko
- uses: ko-build/setup-ko@v0.7
-
+ uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
- name: Setup Registry
run: |
docker run -d --restart=always \
@@ -68,7 +66,7 @@
run: |
./test/upload-test-images.sh
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: artifacts
path: ~/artifacts
@@ -155,7 +153,7 @@
- name: setup-go
uses: knative/actions/setup-go@main
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
~/.cache/go-build
@@ -164,7 +162,7 @@
restore-keys: |
${{ runner.os }}-go-
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: artifacts
path: ~/artifacts
@@ -186,7 +184,7 @@
sudo mv gotestsum /usr/local/bin
echo "::endgroup::"
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
release-1.14 — unpinned-uses
File .github/workflows/kind-e2e.yaml; suggested edits:
- ~ jobs.$J.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=ko-build/setup-ko].uses : pin(ko-build/setup-ko -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/kind-diag].uses : pin(chainguard-dev/actions/kind-diag -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/setup-kind].uses : pin(chainguard-dev/actions/setup-kind -> target_ref SHA)
--- a/.github/workflows/kind-e2e.yaml
+++ b/.github/workflows/kind-e2e.yaml
@@ -25,8 +25,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
-
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- name: setup-go
uses: knative/actions/setup-go@main
@@ -35,7 +34,7 @@
mkdir -p ~/artifacts/build
mkdir -p ~/artifacts/registry
- - uses: actions/cache@v3
+ - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/go-build
@@ -46,8 +45,7 @@
# Install the latest release of ko
- name: Install ko
- uses: ko-build/setup-ko@v0.6
-
+ uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Setup Registry
run: |
docker run -d --restart=always \
@@ -68,7 +66,7 @@
run: |
./test/upload-test-images.sh
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3
with:
name: artifacts
path: ~/artifacts
@@ -156,7 +154,7 @@
- name: setup-go
uses: knative/actions/setup-go@main
- - uses: actions/cache@v3
+ - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/go-build
@@ -165,7 +163,7 @@
restore-keys: |
${{ runner.os }}-go-
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: artifacts
path: ~/artifacts
@@ -187,7 +185,7 @@
sudo mv gotestsum /usr/local/bin
echo "::endgroup::"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
fetch-depth: 0
release-1.13 — unpinned-uses
File .github/workflows/kind-e2e.yaml; suggested edits:
- ~ jobs.$J.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=ko-build/setup-ko].uses : pin(ko-build/setup-ko -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/kind-diag].uses : pin(chainguard-dev/actions/kind-diag -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/setup-kind].uses : pin(chainguard-dev/actions/setup-kind -> target_ref SHA)
--- a/.github/workflows/kind-e2e.yaml
+++ b/.github/workflows/kind-e2e.yaml
@@ -28,8 +28,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
-
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- name: Set up Go 1.21.x
uses: actions/setup-go@v3
with:
@@ -40,7 +39,7 @@
mkdir -p ~/artifacts/build
mkdir -p ~/artifacts/registry
- - uses: actions/cache@v3
+ - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/go-build
@@ -51,8 +50,7 @@
# Install the latest release of ko
- name: Install ko
- uses: ko-build/setup-ko@v0.6
-
+ uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Setup Registry
run: |
docker run -d --restart=always \
@@ -73,7 +71,7 @@
run: |
./test/upload-test-images.sh
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3
with:
name: artifacts
path: ~/artifacts
@@ -156,7 +154,7 @@
with:
go-version: 1.21.x
- - uses: actions/cache@v3
+ - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/go-build
@@ -165,7 +163,7 @@
restore-keys: |
${{ runner.os }}-go-
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: artifacts
path: ~/artifacts
@@ -200,7 +198,7 @@
sudo mv ytt /usr/local/bin
echo "::endgroup::"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
fetch-depth: 0
release-1.12 — unpinned-uses
File .github/workflows/kind-e2e.yaml; suggested edits:
- ~ jobs.$J.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
- ~ jobs.$J.steps[uses=ko-build/setup-ko].uses : pin(ko-build/setup-ko -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/cache].uses : pin(actions/cache -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J2.steps[uses=actions/download-artifact].uses : pin(actions/download-artifact -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/kind-diag].uses : pin(chainguard-dev/actions/kind-diag -> target_ref SHA)
- ~ jobs.$J2.steps[uses=chainguard-dev/actions/setup-kind].uses : pin(chainguard-dev/actions/setup-kind -> target_ref SHA)
--- a/.github/workflows/kind-e2e.yaml
+++ b/.github/workflows/kind-e2e.yaml
@@ -28,8 +28,7 @@
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
-
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- name: Set up Go 1.21.x
uses: actions/setup-go@v3
with:
@@ -40,7 +39,7 @@
mkdir -p ~/artifacts/build
mkdir -p ~/artifacts/registry
- - uses: actions/cache@v3
+ - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/go-build
@@ -51,8 +50,7 @@
# Install the latest release of ko
- name: Install ko
- uses: ko-build/setup-ko@v0.6
-
+ uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Setup Registry
run: |
docker run -d --restart=always \
@@ -73,7 +71,7 @@
run: |
./test/upload-test-images.sh
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3
with:
name: artifacts
path: ~/artifacts
@@ -157,7 +155,7 @@
with:
go-version: 1.21.x
- - uses: actions/cache@v3
+ - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3
with:
path: |
~/.cache/go-build
@@ -166,7 +164,7 @@
restore-keys: |
${{ runner.os }}-go-
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3
with:
name: artifacts
path: ~/artifacts
@@ -201,7 +199,7 @@
sudo mv ytt /usr/local/bin
echo "::endgroup::"
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
fetch-depth: 0
Happy to open pull requests instead if that's preferred.
Summary
The default branch already hardened
.github/workflows/kind-e2e.yamlagainst the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.What's flagged (by zizmor)
unpinned-uses— actions referenced by mutable tag/branch instead of a pinned commit SHAAlready resolved on the default branch in:
Affected release branches (5)
release-1.15(still present as of HEAD3870dcdc)release-1.16(still present as of HEADe36d8fac)release-1.14(still present as of HEAD3049d814)release-1.13(still present as of HEAD59626f89)release-1.12(still present as of HEAD9d21588e)Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release-1.15— unpinned-usesFile
.github/workflows/kind-e2e.yaml; suggested edits:release-1.16— unpinned-usesFile
.github/workflows/kind-e2e.yaml; suggested edits:release-1.14— unpinned-usesFile
.github/workflows/kind-e2e.yaml; suggested edits:release-1.13— unpinned-usesFile
.github/workflows/kind-e2e.yaml; suggested edits:release-1.12— unpinned-usesFile
.github/workflows/kind-e2e.yaml; suggested edits:Happy to open pull requests instead if that's preferred.