From 14882ab62a93df86cafc7647ce09737f4419a051 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 11 May 2026 23:14:17 +0600
Subject: [PATCH 1/5] Harden GitHub Actions workflows
- Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code.
- Bump outdated actions/checkout@v1 to @v4.3.1 (where present).
- Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream.
- release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo.
Signed-off-by: Tamal Saha
---
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/docker-release.yml | 6 +++---
 .github/workflows/go.yml | 2 +-
 .github/workflows/release.yml | 7 +++++--
 .github/workflows/snap-release.yml | 2 +-
 .github/workflows/test-yq.yml | 2 +-
 6 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 033fb53509..513083fd5a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -38,7 +38,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 40a5b32b01..78085d3086 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
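Review bot: The trailing `# v4.3.1` on the pinned `actions/checkout` line is informational only; nothing in the workflow verifies that `34e114876b0b11c390a56381ad16ebd13914f8d5` is the commit that tag resolves to, and a pin whose comment has drifted from its SHA is hard to audit later. Please confirm each SHA against the upstream tag before merge and enable an update tool that keeps SHA pins and version comments in sync (Dependabot's `github-actions` ecosystem or Renovate both do this), so the pins do not silently age into unpatched versions. This applies to every pinned line in the series, so I am raising it once here. The CodeQL init and analyze steps are outside this hunk, so whether they are pinned as well cannot be seen from here.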
@@ -14,16 +14,16 @@ jobs:
 IMAGE_NAME: mikefarah/yq
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 with:
 platforms: all
 - name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 with:
 version: latest
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index ab4e62afdb..7f10f19562 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -17,7 +17,7 @@ jobs:
 id: go
 - name: Check out code into the Go module directory
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Get dependencies
 run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e1901562db..af53b00e1f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,10 @@ jobs:
 publishGitRelease:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ fetch-depth: 1
+ fetch-tags: true
 - uses: actions/setup-go@v4
 with:
 go-version: '^1.20'
@@ -46,7 +49,7 @@ jobs:
 ./scripts/xcompile.sh
 - name: Release
- uses: softprops/action-gh-release@v1
+ uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1
 with:
 files: build/*
 draft: true
diff --git a/.github/workflows/snap-release.yml b/.github/workflows/snap-release.yml
index bb5050f8a8..5cd119ab68 100644
--- a/.github/workflows/snap-release.yml
+++ b/.github/workflows/snap-release.yml
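Review bot: Pinning `docker/setup-buildx-action` to a SHA is undercut by the unchanged `version: latest` under its `with:`, which tells the action to download whatever buildx release is current at run time, so the build toolchain still floats even though the action's own code no longer does. Pin it to a release you have validated, `version: <buildx-version>` (placeholder; substitute the exact buildx version), and bump it deliberately alongside the action SHAs. `platforms: all` on the QEMU step is a reproducibility question rather than a provenance one, so I would leave it. The job's remaining steps are outside this hunk.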
@@ -12,7 +12,7 @@ jobs:
 environment: snap
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - uses: snapcore/action-build@v1
 id: build
 - uses: snapcore/action-publish@v1
diff --git a/.github/workflows/test-yq.yml b/.github/workflows/test-yq.yml
index 921c3aa34f..b21d742d98 100644
--- a/.github/workflows/test-yq.yml
+++ b/.github/workflows/test-yq.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Get test
 id: get_value
 uses: mikefarah/yq@master
From fb86f0f247a8a1d7782122e4e40a597d0ed7a17b Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Wed, 13 May 2026 09:46:26 +0600
Subject: [PATCH 2/5] Add job permissions for workflow
Signed-off-by: Tamal Saha
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af53b00e1f..47ffaf3b50 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,8 @@ on:
 jobs:
 publishGitRelease:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
From 60f58d33df28713ad43bb158dffdf3d3406252d2 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 10:31:29 +0600
Subject: [PATCH 3/5] Normalize Prepare git user, fetch-depth, drop permission-issues
Signed-off-by: Tamal Saha
---
 .github/workflows/release.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 47ffaf3b50..c12b730ee6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
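Review bot: The two `snapcore/*` steps in this hunk, `snapcore/action-build@v1` and `snapcore/action-publish@v1`, stay on a floating major tag even though the series claims every action ref is pinned, and `action-publish` is the step that runs with the store credential under `environment: snap`, so it is the one a re-pointed tag would hurt most. Pin both to full SHAs with a version comment in the same style as the checkout line, e.g. `- uses: snapcore/action-build@<full-sha> # vX.Y` (placeholder; resolve the SHA from the tag you intend to use). The test-yq hunk has the same gap with `mikefarah/yq@master`; that one references this repository's own action, so a branch ref may be deliberate, but a tag or SHA would make that job reproducible as well.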
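Review bot: `permissions:` with `contents: write` at the job level is the right scope for a job that creates a release, but whether a workflow-level `permissions:` block above this hunk still grants more (or the repository default token is still read-write) is not visible here; please confirm the workflow top carries `permissions: {}` or `contents: read` so the write grant really is local to `publishGitRelease`. The body of patch 1/5 says this grant lands in `release-tracker.yml`, whereas the file changed here and in every diffstat is `release.yml`, so the series description should be corrected to name the file actually touched. `on:` and the job's later steps are outside this hunk.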
@@ -13,8 +13,7 @@ jobs:
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
- fetch-depth: 1
- fetch-tags: true
+ fetch-depth: 0
 - uses: actions/setup-go@v4
 with:
 go-version: '^1.20'
From aaba047afdd1f812f4a48059a136fcc35bd5bd44 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Thu, 14 May 2026 17:38:59 +0600
Subject: [PATCH 4/5] Bump softprops/action-gh-release to v2.6.2; add permissions
Signed-off-by: Tamal Saha
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c12b730ee6..67853fe2e8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,7 +50,7 @@ jobs:
 ./scripts/xcompile.sh
 - name: Release
- uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1
+ uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
 with:
 files: build/*
 draft: true
From 6d5607e613ffeed8500b1eda57080ec8e06d4ac5 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Fri, 15 May 2026 14:26:52 +0600
Subject: [PATCH 5/5] Pin actions to commit SHAs
Signed-off-by: Tamal Saha
---
 .github/workflows/go.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 7f10f19562..1d82510655 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -11,7 +11,7 @@ jobs:
 steps:
 - name: Set up Go
- uses: actions/setup-go@v4
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
 with:
 go-version: '^1.20'
 id: go
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 67853fe2e8..99e9e5ad76 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
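Review bot: `fetch-depth: 0` replaces the shallow `fetch-depth: 1` plus `fetch-tags: true` with a full clone of all history, branches and tags, which is presumably what the later build and release steps need to resolve the tag, but the commit subject also promises a "Prepare git user" step and a permissions cleanup that appear neither in this hunk nor in its one-line diffstat. Either trim the subject to what the commit does or add the missing changes; a subject that over-describes a hardening change makes the history harder to audit. A one-line comment above the option, `# full clone so the release steps can see every tag`, would record why the shallow fetch was abandoned. The job's remaining steps are outside this hunk.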
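Review bot: The subject of this commit says "add permissions", but the hunk only swaps the `softprops/action-gh-release` pin to the v2.6.2 SHA and the diffstat (1 insertion, 1 deletion) confirms nothing else changed, so the message over-states the change. Drop that clause or move it to the commit that actually added the `permissions:` block. The `# v2.6.2` comment here is the precise form every pinned line should use, since it names the exact release the SHA was resolved from.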
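Review bot: Moving `actions/setup-go` from `@v4` to the v5.6.0 SHA is a major-version bump folded into a commit whose subject says only "Pin actions to commit SHAs"; a new major of the action may behave differently (caching defaults, runtime), so the message should say the version was raised, not just pinned, and the CI run that validated it should be linked. The same bump is made in the release.yml hunk of this commit. `go-version: '^1.20'` and `id: go` are unchanged context, and the rest of the job is outside this hunk.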
@@ -14,7 +14,7 @@ jobs:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
 with:
 go-version: '^1.20'
 check-latest: true
@@ -50,7 +50,7 @@ jobs:
 ./scripts/xcompile.sh
 - name: Release
- uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
+ uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1
 with:
 files: build/*
 draft: true
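Review bot: The second hunk moves `softprops/action-gh-release` from the v2.6.2 SHA (`3bb12739c298aeb8a4eeaf626c5b8d85266b0e65`) back to the v1 SHA (`26994186c0ac3ef5cae75ac16aa32e8153525f77`), which silently undoes patch 4/5 under a subject that says only "Pin actions to commit SHAs"; if the downgrade is intentional (for example because v2 changed how `draft`/`files` are handled) the commit message must say so, otherwise this line should keep the v2.6.2 pin. Separately, `# v1` names a floating major tag rather than the exact release the SHA corresponds to, so the comment cannot be checked against the pin; write the full tag the SHA was resolved from, `# v1.<minor>.<patch>` (placeholder). The `permissions:` block and the steps between the two hunks are outside what is shown here.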