Skip to content

ci: bump getplumber/plumber to v0.3.86 (security fix)#39

Merged
jeanjerome merged 1 commit into
getbrik:mainfrom
thomasboni:bump-plumber-0.3.86
Jul 3, 2026
Merged

ci: bump getplumber/plumber to v0.3.86 (security fix)#39
jeanjerome merged 1 commit into
getbrik:mainfrom
thomasboni:bump-plumber-0.3.86

Conversation

@thomasboni

Copy link
Copy Markdown
Contributor

Hi 👋

I'm from the Plumber team. This repo pins the getplumber/plumber action in CI, and the version here is affected by a security issue we've just fixed (everything <= 0.3.85).

This PR bumps the pinned action to v0.3.86 (SHA-pinned), which contains the fix.

We're not sharing the details publicly yet, a full advisory will be published soon. In the meantime we'd recommend updating promptly. Happy to answer anything.

Thanks! 🙏

@thomasboni thomasboni requested a review from jeanjerome as a code owner July 2, 2026 19:27
@jeanjerome

Copy link
Copy Markdown
Member

Thanks for the heads-up and the fix 🙏

Reviewed and verified before merging:

  • Pin integrity : confirmed a697e9c316b058d279861719c73b87093fb5a60f resolves exactly to tag v0.3.86
    via the GitHub API, and the previous pin matched v0.3.68. The action stays SHA-pinned as expected.
  • Source diff v0.3.68...v0.3.86 : went through the full 66-commit range. The security-relevant change is
    the hardening of the Rego detection policies (github_env_injection.rego, ref_confusion.rego) with the
    accompanying ISSUE-209 test corpus. The rest is legitimate feature/maintenance work.
  • Supply-chain vectors : all clean: base image digest unchanged, go.mod only minor dependency bumps (OPA
    1.17→1.18, golang.org/x/*), and the new cmd/score_push.go network path is opt-in (score-push: false by
    default), OIDC-authenticated, and only POSTs the same analysis JSON report Plumber already produces locally.

Merging. We'll keep an eye out for the advisory once it's public.

@jeanjerome jeanjerome self-assigned this Jul 3, 2026
@jeanjerome jeanjerome changed the title Update Plumber to v0.3.86 (security fix) ci: bump getplumber/plumber to v0.3.86 (security fix) Jul 3, 2026
@jeanjerome jeanjerome merged commit efd0fcf into getbrik:main Jul 3, 2026
7 checks passed
@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants