
Backport workflow-hardening fix (unpinned-uses) to 5 release branches #19634

Description

@CharlieMCY

Summary

The default branch already hardened .github/workflows/revised-its.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA

Already resolved on the default branch in:

Affected release branches (5)

  • 33.0.0 (still present as of HEAD a3135039)
  • 34.0.0 (still present as of HEAD caa27688)
  • 32.0.1 (still present as of HEAD d40b81fe)
  • 31.0.2 (still present as of HEAD bdd298e9)
  • 32.0.0 (still present as of HEAD 10542a76)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

33.0.0 — unpinned-uses

File .github/workflows/revised-its.yml; suggested edits:

  • ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
       # the common extension in revised ITs is different from the one in standard ITs
       common-extensions: ${{ steps.filter.outputs.common-extensions }}
     steps:
-      - uses: dorny/paths-filter@v3.0.0
+      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd  # v3.0.0
         if: github.event_name == 'pull_request'
         id: filter
         with:
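Review bot: The `+` line should be verified against the tag it claims before this lands on 33.0.0: confirm that `0bc4621a3135347011ad047f9ecf449bf72ce2bd` is the commit that `dorny/paths-filter` tag `v3.0.0` resolves to (for example `git ls-remote --tags https://github.com/dorny/paths-filter v3.0.0`, reading the peeled `^{}` entry if the tag is annotated), because the trailing `# v3.0.0` is documentation only and a mismatched SHA would silently run different code while still passing the unpinned-uses check. The pin itself is the full 40-character commit id, which is the form zizmor expects.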
34.0.0 — unpinned-uses

File .github/workflows/revised-its.yml; suggested edits:

  • ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
       # the common extension in revised ITs is different from the one in standard ITs
       common-extensions: ${{ steps.filter.outputs.common-extensions }}
     steps:
-      - uses: dorny/paths-filter@v3.0.0
+      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd  # v3.0.0
         if: github.event_name == 'pull_request'
         id: filter
         with:
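Review bot: The bullet above the hunk addresses the step as `jobs.$J.steps[id=filter]`, but the hunk context never shows the job key, only the `steps:` line and the `id: filter` step, so a maintainer on 34.0.0 cannot tell from this text which job is meant; spell out the job name in place of `$J`. The `@@ -51,7 +51,7 @@` location is identical on all five branches, which is plausible for a backport of the same file but is also worth a glance, since a line shift on one branch would make the stated location misleading even if `git apply` still finds the context.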
32.0.1 — unpinned-uses

File .github/workflows/revised-its.yml; suggested edits:

  • ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
       # the common extension in revised ITs is different from the one in standard ITs
       common-extensions: ${{ steps.filter.outputs.common-extensions }}
     steps:
-      - uses: dorny/paths-filter@v3.0.0
+      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd  # v3.0.0
         if: github.event_name == 'pull_request'
         id: filter
         with:
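Review bot: A SHA pin stops receiving upstream fixes unless something moves it, and this diff does not say how the 32.0.1 branch will keep `dorny/paths-filter` current: once the `+` line is in, the `# v3.0.0` comment is the only record of which release the SHA represents and nothing will advance it when a patched release ships. Suggest pairing the backport with a `.github/dependabot.yml` entry for `package-ecosystem: "github-actions"` (Dependabot updates SHA pins and their trailing version comment), or stating in the PR that pin maintenance is handled elsewhere.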
31.0.2 — unpinned-uses

File .github/workflows/revised-its.yml; suggested edits:

  • ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
       # the common extension in revised ITs is different from the one in standard ITs
       common-extensions: ${{ steps.filter.outputs.common-extensions }}
     steps:
-      - uses: dorny/paths-filter@v3.0.0
+      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd  # v3.0.0
         if: github.event_name == 'pull_request'
         id: filter
         with:
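Review bot: Unchanged by this patch but visible in the context: the `if: github.event_name == 'pull_request'` guard directly under the pinned line means the `filter` step is skipped on every other trigger, so `steps.filter.outputs.common-extensions` at the top of the hunk will be empty there. Worth confirming the 31.0.2 workflow already tolerates that empty output, so that the backport stays a pure pin change with no behavioural surprise once the hunk applies.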
32.0.0 — unpinned-uses

File .github/workflows/revised-its.yml; suggested edits:

  • ~ jobs.$J.steps[id=filter].uses : pin(dorny/paths-filter -> target_ref SHA)
--- a/.github/workflows/revised-its.yml
+++ b/.github/workflows/revised-its.yml
@@ -51,7 +51,7 @@
       # the common extension in revised ITs is different from the one in standard ITs
       common-extensions: ${{ steps.filter.outputs.common-extensions }}
     steps:
-      - uses: dorny/paths-filter@v3.0.0
+      - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd  # v3.0.0
         if: github.event_name == 'pull_request'
         id: filter
         with:
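Review bot: Style point on the `+` line: keep the trailing comment as exactly `# v3.0.0` with the two-space separator, matching the other four branches, since pin-update tooling that rewrites the version comment relies on that shape. Also, only the `filter` step is visible in this hunk; the description says the whole file was re-scanned on 32.0.0, so it would help to state that no other `uses:` in revised-its.yml remains on a mutable ref, as the diff alone cannot show that.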

Happy to open pull requests instead if that's preferred.
