
Backport workflow-hardening fix (excessive-permissions, unpinned-uses) to 3 release branches #45877

Description

@CharlieMCY

Summary

The default branch already hardened .github/workflows/envoy-sync.yml and .github/workflows/pr_notifier.yml against the issue(s) below, but 3 release branches still carry them. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • excessive-permissions — workflow/job granted broader permissions than needed
  • unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA

Already resolved on the default branch in:

Affected release branches (3)

  • release/v1.28 (still present as of HEAD 1c16ef90)
  • release/v1.27 (still present as of HEAD f1565ad2)
  • release/v1.26 (still present as of HEAD 1257d4e8)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

release/v1.28 — excessive-permissions

File .github/workflows/envoy-sync.yml; suggested edits:

  • permissions.contents = 'read'

--- a/.github/workflows/envoy-sync.yml
+++ b/.github/workflows/envoy-sync.yml
@@ -35,3 +35,5 @@
           key: "${{ secrets.ENVOY_CI_SYNC_APP_KEY }}"
           workflow: envoy-sync.yaml
           app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+permissions:
+  contents: read
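
Review bot: the new `permissions:` block is appended at the very end of the file, after the last step's `with:` keys, and is a workflow-level key only because it sits at column 0; a later edit that indents it to match the surrounding lines would silently turn it into a `permissions` key under that step's `with:` mapping. Move the two lines up next to `on:`, where the workflow-level permissions are conventionally declared and where a reader will look for them. Also confirm that no job in envoy-sync.yml relies on GITHUB_TOKEN having write scopes: the visible step authenticates with ENVOY_CI_SYNC_APP_KEY / ENVOY_CI_SYNC_APP_ID, so that dispatch is unaffected by restricting GITHUB_TOKEN, but any other step that pushes or comments via GITHUB_TOKEN would start failing with 403 once `contents: read` is the only grant.
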

release/v1.27 — excessive-permissions

File .github/workflows/envoy-sync.yml; suggested edits:

  • permissions.contents = 'read'

--- a/.github/workflows/envoy-sync.yml
+++ b/.github/workflows/envoy-sync.yml
@@ -34,3 +34,5 @@
           key: "${{ secrets.ENVOY_CI_SYNC_APP_KEY }}"
           workflow: envoy-sync.yaml
           app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+permissions:
+  contents: read
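
Review bot: this hunk is the v1.28 one shifted by one line (`@@ -34,3` instead of `@@ -35,3`), so the same placement point applies: put `permissions:` / `contents: read` at the top of the workflow beside `on:` rather than after the last step. Because the hunk appends at end of file, also verify against release/v1.27 HEAD f1565ad2 that the file ends with a newline; otherwise `git apply` will reject the patch even though the three context lines match.
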

release/v1.26 — unpinned-uses

File .github/workflows/pr_notifier.yml; suggested edits:

  • ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)

--- a/.github/workflows/pr_notifier.yml
+++ b/.github/workflows/pr_notifier.yml
@@ -21,7 +21,7 @@
               || !contains(github.actor, '[bot]'))
       }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3
       - name: Set up Python 3.8
         uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
         with:
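
Review bot: the trailing `# v3` comment on the pinned checkout line names only the floating major tag, not the exact release the SHA f43a0e5ff2bd294095638e18286ca9a3d1956744 corresponds to. Record the full release tag in the comment (the pattern the neighbouring pinned actions/setup-python line omits as well) so that Dependabot or Renovate can recognise and bump the pin, and state in the PR how the SHA was verified to be reachable from that tag in the upstream actions/checkout repository rather than a fork; a SHA comment that cannot be checked against a tag gives reviewers nothing to confirm.
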

Happy to open pull requests instead if that's preferred.
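
A small checker for the two finding classes named in this issue, added here as an illustration; it is not part of zizmor, of Envoy, or of the patches above. It is line-based rather than a real YAML parser (an assumption made to keep it dependency-free), only inspects the workflow-level `permissions:` key, and runs over two constructed workflows: one carrying an unpinned `actions/checkout@v3` and no permissions block, and its hardened counterpart. Both workflows are made up for the example.

```python
"""Minimal checker for the zizmor finding classes discussed above:
unpinned-uses and excessive-permissions (simplified, line-based).
Example code written for this page, not zizmor's own implementation."""
import re
from dataclasses import dataclass
from typing import List

# A full 40-hex-char commit SHA is the only immutable ref for `uses:`.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a column-0 `permissions:` key is workflow-level. Assumption of this
# simplified checker: job-level `permissions:` blocks are not considered.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*)$")


@dataclass
class Finding:
    rule: str
    line: int     # 1-based; 0 means "applies to the whole file"
    detail: str


def audit_workflow(text: str) -> List[Finding]:
    """Return zizmor-style findings for the text of one workflow file."""
    findings: List[Finding] = []
    saw_top_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # Local (./path) and docker:// actions carry no git ref to pin.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _, sep, tag = ref.rpartition("@")
            if not sep or not SHA_RE.match(tag):
                shown = tag if sep else "<none>"
                findings.append(Finding(
                    "unpinned-uses", lineno,
                    f"{ref}: ref '{shown}' is a mutable tag/branch, not a commit SHA"))
            continue
        m = TOP_PERMISSIONS_RE.match(line)
        if m:
            saw_top_permissions = True
            if m.group(1).strip() == "write-all":
                findings.append(Finding(
                    "excessive-permissions", lineno,
                    "permissions: write-all grants every GITHUB_TOKEN scope"))
    if not saw_top_permissions:
        findings.append(Finding(
            "excessive-permissions", 0,
            "no workflow-level permissions: block; GITHUB_TOKEN gets the repository default"))
    return findings


# Constructed sample workflows (not taken from any real repository).
BEFORE = """\
name: pr-notifier
on:
  pull_request:
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
        with:
          python-version: "3.8"
"""

AFTER = """\
name: pr-notifier
on:
  pull_request:
permissions:
  contents: read
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3
      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
        with:
          python-version: "3.8"
"""


def audit_before_and_after():
    """Audit both samples; the hardened one should come back clean."""
    return audit_workflow(BEFORE), audit_workflow(AFTER)


if __name__ == "__main__":
    for label, result in zip(("before", "after"), audit_before_and_after()):
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print(f"  {f.rule} (line {f.line}): {f.detail}")
```

Whether a granted scope is "broader than needed" depends on what the jobs actually do with GITHUB_TOKEN, which no static checker can infer from the YAML alone; this is why the scanner treats an absent workflow-level block (repository default applies) and `write-all` as the two cases it can call out, and why the patches above still need the per-workflow check that nothing relies on a write scope.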
