Summary
The default branch already hardened .github/workflows/revised-its.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (5)
33.0.0 (still present as of HEAD a3135039)
34.0.0 (still present as of HEAD caa27688)
32.0.1 (still present as of HEAD d40b81fe)
31.0.2 (still present as of HEAD bdd298e9)
32.0.0 (still present as of HEAD 10542a76)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
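As an added illustration, not part of this issue or of zizmor itself, here is a small line-based checker that reproduces the unpinned-uses reasoning over the exact step changed in the diffs below. The sample workflow text is constructed from the hunk; the checker works on plain text rather than a full YAML parse, and the Dependabot/Renovate version-comment hint is an added convention, not something the issue states.

```python
import re

# One uses: line, job-level (reusable workflow) or step-level (leading "- ").
USES_RE = re.compile(
    r'^\s*(?:-\s+)?uses:\s*(?P<ref>[^#\s]+)\s*(?:#\s*(?P<comment>\S.*))?$')
SHA_RE = re.compile(r'[0-9a-f]{40}')


def classify_ref(ref):
    """Classify one uses: reference as zizmor's unpinned-uses rule would."""
    if ref.startswith('./'):
        return 'local', 'local action; pinned implicitly by the checked-out commit'
    if ref.startswith('docker://'):
        if '@sha256:' in ref:
            return 'pinned', 'docker image pinned by digest'
        return 'unpinned', 'docker image referenced by mutable tag'
    if '@' not in ref:
        return 'unpinned', 'no ref at all; resolves to the default branch'
    _, version = ref.rsplit('@', 1)
    if SHA_RE.fullmatch(version):
        return 'pinned', 'commit SHA'
    return 'unpinned', f'mutable tag or branch {version!r}'


def scan_workflow(text):
    """Return (lineno, ref, status, detail) for every uses: line in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group('ref').strip('\'"')
        status, detail = classify_ref(ref)
        # A SHA pin without a trailing "# vX.Y.Z" comment is not a finding, but
        # Dependabot/Renovate read that comment to propose bumps, so note it.
        if status == 'pinned' and not m.group('comment') and '@sha256:' not in ref:
            detail += '; no version comment, so update tooling cannot track it'
        findings.append((lineno, ref, status, detail))
    return findings


def unpinned_uses(text):
    """Only the lines an unpinned-uses rule would flag."""
    return [f for f in scan_workflow(text) if f[2] == 'unpinned']


# Constructed sample: the step from the hunks, before and after the proposed pin.
BEFORE = """\
    steps:
      - uses: dorny/paths-filter@v3.0.0
        if: github.event_name == 'pull_request'
        id: filter
"""
AFTER = BEFORE.replace('dorny/paths-filter@v3.0.0',
    'dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0')
```

Running `scan_workflow` on BEFORE reports line 2 as unpinned and on AFTER as pinned by commit SHA with its version comment intact.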
33.0.0 — unpinned-uses
File .github/workflows/revised-its.yml; suggested edits:
- ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
# the common extension in revised ITs is different from the one in standard ITs
common-extensions: ${{ steps.filter.outputs.common-extensions }}
steps:
- - uses: dorny/paths-filter@v3.0.0
+ - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
if: github.event_name == 'pull_request'
id: filter
with:
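Review bot: The `+` line's SHA (`dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0`) should be verified against the upstream tag before merging, since the SHA is the trust anchor and the `# v3.0.0` comment is only a label. `git ls-remote https://github.com/dorny/paths-filter refs/tags/v3.0.0` (or `refs/tags/v3.0.0^{}` if the tag is annotated) should return that commit; if it does not, the pin references something other than what the comment claims.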
34.0.0 — unpinned-uses
File .github/workflows/revised-its.yml; suggested edits:
- ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
# the common extension in revised ITs is different from the one in standard ITs
common-extensions: ${{ steps.filter.outputs.common-extensions }}
steps:
- - uses: dorny/paths-filter@v3.0.0
+ - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
if: github.event_name == 'pull_request'
id: filter
with:
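Review bot: Keep the trailing `# v3.0.0` comment on the `+` line exactly as written: Dependabot and Renovate read that comment to learn which release a SHA pin corresponds to and to propose bumps, so a bare SHA would stay silently frozen. Suggest confirming that this release branch has dependency-update configuration covering the `github-actions` ecosystem, otherwise the pin will not rot loudly but will rot.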
32.0.1 — unpinned-uses
File .github/workflows/revised-its.yml; suggested edits:
- ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
# the common extension in revised ITs is different from the one in standard ITs
common-extensions: ${{ steps.filter.outputs.common-extensions }}
steps:
- - uses: dorny/paths-filter@v3.0.0
+ - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
if: github.event_name == 'pull_request'
id: filter
with:
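Review bot: The hunk header `@@ -51,7 +51,7 @@` and the context lines are identical to the other branches' patches, so before applying this one confirm they really match branch 32.0.1 at HEAD d40b81fe (`git apply --check` on a checkout of that branch); the `-` line must match byte for byte or the patch will be rejected, and the issue text notes whitespace was normalized.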
31.0.2 — unpinned-uses
File .github/workflows/revised-its.yml; suggested edits:
- ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
# the common extension in revised ITs is different from the one in standard ITs
common-extensions: ${{ steps.filter.outputs.common-extensions }}
steps:
- - uses: dorny/paths-filter@v3.0.0
+ - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
if: github.event_name == 'pull_request'
id: filter
with:
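Review bot: The verification claim above is scoped to "the affected construct", that is, only the `filter` step in this hunk. Any other `uses:` references in the same file are outside the hunk, so suggest running zizmor on the whole `.github/workflows/revised-its.yml` on branch 31.0.2 (HEAD bdd298e9) and stating in the backport PR that no unpinned-uses finding remains in the file.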
32.0.0 — unpinned-uses
File .github/workflows/revised-its.yml; suggested edits:
- ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
# the common extension in revised ITs is different from the one in standard ITs
common-extensions: ${{ steps.filter.outputs.common-extensions }}
steps:
- - uses: dorny/paths-filter@v3.0.0
+ - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0
if: github.event_name == 'pull_request'
id: filter
with:
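Review bot: The backport PR description for this branch should state that behaviour is unchanged by construction: the `-`/`+` pair changes only the ref, while the `if: github.event_name == 'pull_request'`, `id: filter` and `steps.filter.outputs.common-extensions` wiring in the context lines stay as they were. The one behavioural difference is the intended one, that any later movement of the `v3.0.0` tag upstream no longer affects this branch.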
Happy to open pull requests instead if that's preferred.