Summary
The default branch already hardened .github/workflows/envoy-sync.yml and .github/workflows/pr_notifier.yml against the issues below, but three release branches still carry them. This proposes the same minimal, scanner-verified fix for each branch.
What's flagged (by zizmor)
excessive-permissions — workflow/job granted broader permissions than needed
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (3)
release/v1.28 (still present as of HEAD 1c16ef90)
release/v1.27 (still present as of HEAD f1565ad2)
release/v1.26 (still present as of HEAD 1257d4e8)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release/v1.28 — excessive-permissions
File .github/workflows/envoy-sync.yml; suggested edits:
- permissions.contents = 'read'
--- a/.github/workflows/envoy-sync.yml
+++ b/.github/workflows/envoy-sync.yml
@@ -35,3 +35,5 @@
key: "${{ secrets.ENVOY_CI_SYNC_APP_KEY }}"
workflow: envoy-sync.yaml
app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+permissions:
+ contents: read
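Review bot: the whitespace-normalized hunk does not show where `permissions:` ends up, and that matters here: appended after the `app_id:` line of the last step, the `+permissions:` / `+ contents: read` pair only restricts the token if it is written at column 0 as a workflow-level key; with the surrounding step indentation it becomes a key inside that step's `with:` block and zizmor's finding is cleared only on paper. Re-indent it to column 0 (and preferably place it next to `on:`, where readers look for it) before applying to release/v1.28.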
release/v1.27 — excessive-permissions
File .github/workflows/envoy-sync.yml; suggested edits:
- permissions.contents = 'read'
--- a/.github/workflows/envoy-sync.yml
+++ b/.github/workflows/envoy-sync.yml
@@ -34,3 +34,5 @@
key: "${{ secrets.ENVOY_CI_SYNC_APP_KEY }}"
workflow: envoy-sync.yaml
app_id: ${{ secrets.ENVOY_CI_SYNC_APP_ID }}
+permissions:
+ contents: read
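Review bot: `contents: read` assumes the step that consumes `ENVOY_CI_SYNC_APP_KEY` and `ENVOY_CI_SYNC_APP_ID` authenticates the `envoy-sync.yaml` dispatch with the GitHub App token rather than with `GITHUB_TOKEN`; if that action uses `github.token` for anything, the failure appears at run time, not at lint time, so trigger the workflow once on release/v1.27 after applying. If the job needs no `GITHUB_TOKEN` scope at all, `permissions: {}` is the tighter choice.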
release/v1.26 — unpinned-uses
File .github/workflows/pr_notifier.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
--- a/.github/workflows/pr_notifier.yml
+++ b/.github/workflows/pr_notifier.yml
@@ -21,7 +21,7 @@
|| !contains(github.actor, '[bot]'))
}}
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
- name: Set up Python 3.8
uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
with:
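Review bot: the trailing comment on the pinned line should record the exact tag the SHA was resolved from (`# v3.x.y`), not the floating `# v3`: a major tag moves, so `# v3` cannot be re-checked against the SHA later, and Dependabot and Renovate rely on that comment when proposing bumps for SHA-pinned actions. Note the tag returned by `git ls-remote --tags https://github.com/actions/checkout` for f43a0e5ff2bd294095638e18286ca9a3d1956744 and use it in the comment. The adjacent context line `uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435` carries no version comment at all; worth adding one in the same PR so both pins are auditable.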
Happy to open pull requests instead if that's preferred.
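Added example, not part of this issue and not zizmor's or actionlint's code: a small line-based checker for the two findings above (a `uses:` reference that is not a 40-hex commit SHA, and a workflow with no `permissions:` key anywhere), plus a rewriter that pins unpinned references from a tag-to-SHA table. The table would normally be filled from `git ls-remote --tags`; here it is hard-coded with the checkout SHA from the patch above and the tag label v3.6.0 that I believe it resolves to (verify before relying on it). The sample workflow is constructed for the demonstration and is not the repository's pr_notifier.yml. The regexes deliberately avoid a YAML parser so the script runs without PyYAML; it is a demonstration, not a replacement for the scanners.

```python
"""Toy checks mirroring zizmor's unpinned-uses and excessive-permissions findings.

Constructed example; line/regex based on purpose (no PyYAML needed).
"""
import re
from typing import Dict, List, Tuple

# A ref is "pinned" only when the part after '@' is a full 40-hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: <ref>" as a step key, with or without the leading "- ".
USES_RE = re.compile(r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)(?P<ref>\S+)(?P<rest>.*)$")

# Constructed sample workflow: one unpinned action, one pinned one, one local action.
SAMPLE_WORKFLOW = """\
name: pr_notifier
on:
  schedule:
    - cron: '0 0 * * *'
jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Python 3.8
        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
        with:
          python-version: '3.8'
      - uses: ./.github/actions/local-thing
"""

# Tag -> (sha, exact tag) table. Hypothetical stand-in for `git ls-remote --tags` output;
# the SHA is the one used in the patch above, the v3.6.0 label is assumed, verify it.
RESOLVED: Dict[str, Tuple[str, str]] = {
    "actions/checkout@v3": ("f43a0e5ff2bd294095638e18286ca9a3d1956744", "v3.6.0"),
}


def _is_pinned(ref: str) -> bool:
    """True when ref looks like owner/repo[/path]@<40-hex-sha>."""
    _target, sep, version = ref.partition("@")
    return bool(sep) and SHA_RE.match(version) is not None


def find_unpinned_uses(workflow: str) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for every remote action not pinned to a commit SHA.

    Local actions (./...) and docker:// images are skipped, as zizmor does for
    this rule; reusable workflows are treated like actions.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        if ref.startswith(("./", "docker://")):
            continue
        if not _is_pinned(ref):
            findings.append((lineno, ref))
    return findings


def missing_permissions(workflow: str) -> bool:
    """True when the workflow declares no `permissions:` at any level.

    Simplification: zizmor also reasons about per-job blocks and the repository
    default; here any permissions key counts as "restricted".
    """
    return re.search(r"^\s*permissions:", workflow, re.M) is None


def pin_uses(workflow: str, resolved: Dict[str, Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Rewrite unpinned refs to owner/repo@<sha> # <exact tag> using `resolved`.

    Returns the rewritten text and the refs that could not be resolved. Any
    trailing comment on a rewritten line is replaced by the exact-tag comment.
    """
    out: List[str] = []
    unresolved: List[str] = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref").strip("\"'")
            if not ref.startswith(("./", "docker://")) and not _is_pinned(ref):
                if ref in resolved:
                    sha, tag = resolved[ref]
                    action = ref.partition("@")[0]
                    line = f"{m.group('prefix')}{action}@{sha} # {tag}"
                else:
                    unresolved.append(ref)
        out.append(line)
    return "\n".join(out) + "\n", unresolved


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"unpinned-uses: line {lineno}: {ref}")
    if missing_permissions(SAMPLE_WORKFLOW):
        print("excessive-permissions: no permissions: key, GITHUB_TOKEN gets the repo default")
    hardened, left = pin_uses(SAMPLE_WORKFLOW, RESOLVED)
    print(hardened, "unresolved:", left)
```

Run it against a real file with `python3 check.py < .github/workflows/pr_notifier.yml` after swapping `SAMPLE_WORKFLOW` for `sys.stdin.read()`; keep zizmor and actionlint as the authority, since this toy does not parse YAML and will miss refs written in flow style or split across lines.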