Skip to content

Pin unpinned-action references across 8 workflows#227

Open
CodeOpsAI wants to merge 8 commits into
l7mp:mainfrom
CodeOpsAI:codeopsai/unpinned-action-a27b28b
Open

Pin unpinned-action references across 8 workflows#227
CodeOpsAI wants to merge 8 commits into
l7mp:mainfrom
CodeOpsAI:codeopsai/unpinned-action-a27b28b

Conversation

@CodeOpsAI

Copy link
Copy Markdown

🤖 An AI-generated pull request from codeopsai. We open PRs only when we find a concrete, citable issue worth fixing. Not useful? Comment "no thanks" and we won't open more.

About codeopsai

codeopsai analyzes public GitHub Actions workflows for security and reliability issues and opens fixes for maintainer review. Every PR carries citations to the relevant standard (CWE, GitHub docs) and a structural verification trail; if our evidence bar isn't met, we don't open the PR.

Mistake, or unwelcome? Comment here or open an issue at github.com/codeopsai/feedback. We read every one and adjust.

Why these matter

Why pin to a SHA (unpinned-action)

Each unpinned action reference can be force-moved to attacker-controlled code by the action's owner or anyone who compromises their account — exactly what happened in the tj-actions/changed-files attack (CVE-2025-30066, Mar 2025). Pinning to a 40-character commit SHA freezes the exact reviewed code.

Reference: CWE-829 · GitHub/OWASP guidance · Real-world precedent: tj-actions/changed-files supply-chain attack (CVE-2025-30066, Mar 2025)

.github/workflows/e2e-test-dev.yaml

  • 🟠 MED medyagh/setup-minikube (job e2e_test)
  • 🟠 MED azure/setup-helm (job e2e_test)
  • ⚪ LOW actions/checkout (job e2e_test)
  • ⚪ LOW actions/setup-go (job e2e_test)
Diff
--- a/.github/workflows/e2e-test-dev.yaml
+++ b/.github/workflows/e2e-test-dev.yaml
@@ -9,10 +9,10 @@
   e2e_test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version: '1.26'
 
@@ -24,7 +24,7 @@
         run: CGO_ENABLED=0 go build -ldflags="-w -s" -o turncat cmd/turncat/main.go
 
       - name: Start minikube
-        uses: medyagh/setup-minikube@master
+        uses: medyagh/setup-minikube@e54c6bfce85fe75714fc113f1fa200c23338732b
         with:
           driver: docker
           container-runtime: containerd
@@ -36,7 +36,7 @@
         run: minikube tunnel &>mktunnel.log &
 
       - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2
         with:
           version: v3.16.2
 

.github/workflows/e2e-test-stable.yml

  • 🟠 MED medyagh/setup-minikube (job e2e_test)
  • 🟠 MED azure/setup-helm (job e2e_test)
  • ⚪ LOW actions/checkout (job e2e_test)
Diff
--- a/.github/workflows/e2e-test-stable.yml
+++ b/.github/workflows/e2e-test-stable.yml
@@ -9,7 +9,7 @@
   e2e_test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Install turncat
         run: |
@@ -18,7 +18,7 @@
           chmod a+x turncat
 
       - name: Start minikube
-        uses: medyagh/setup-minikube@master
+        uses: medyagh/setup-minikube@e54c6bfce85fe75714fc113f1fa200c23338732b
         with:
           driver: docker
           container-runtime: containerd
@@ -29,7 +29,7 @@
         run: minikube tunnel &>mktunnel.log &
 
       - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2
         with:
           version: v3.16.2
 

.github/workflows/lint.yml

  • 🟠 MED golangci/golangci-lint-action (job lint)
  • ⚪ LOW actions/checkout (job lint)
  • ⚪ LOW actions/setup-go (job lint)
Diff
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -19,12 +19,12 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version: '1.26'
 
       - name: Run linters
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee

.github/workflows/publish--add-binaries.yml

  • 🟠 MED svenstaro/upload-release-action (job add_binaries)
  • 🟠 MED svenstaro/upload-release-action (job add_binaries)
  • ⚪ LOW actions/checkout (job add_binaries)
  • ⚪ LOW actions/setup-go (job add_binaries)
Diff
--- a/.github/workflows/publish--add-binaries.yml
+++ b/.github/workflows/publish--add-binaries.yml
@@ -33,14 +33,14 @@
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Get version
         id: vars
         run: echo tag=$(echo ${GITHUB_REF:11}) >> $GITHUB_OUTPUT
 
       - name: Install Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version: '1.26'
 
@@ -52,7 +52,7 @@
           mv bin/stunnerctl stunnerctl-v${{ steps.vars.outputs.tag }}-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.file_end }}
 
       - name: Release turncat binary
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: turncat-v${{ steps.vars.outputs.tag }}-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.file_end }}
@@ -60,7 +60,7 @@
           asset_name: turncat-v${{ steps.vars.outputs.tag }}-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.file_end }}
 
       - name: Release stunnerctl binary
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: stunnerctl-v${{ steps.vars.outputs.tag }}-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.file_end }}

.github/workflows/publish--push-charts.yml

  • 🟠 MED benc-uk/workflow-dispatch (job push_charts)
  • 🟠 MED benc-uk/workflow-dispatch (job push_charts)
Diff
--- a/.github/workflows/publish--push-charts.yml
+++ b/.github/workflows/publish--push-charts.yml
@@ -20,7 +20,7 @@
 
       - name: Trigger release workflow in the stunner-helm repo
         if: ${{ inputs.dev == false || inputs.dev == 'false' }}
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26
         with:
           token: ${{ secrets.WEB_PAT_TOKEN }}
           repo: l7mp/stunner-helm
@@ -29,7 +29,7 @@
 
       - name: Trigger release workflow in the stunner-helm repo
         if: ${{ inputs.dev == true || inputs.dev == 'true' }}
-        uses: benc-uk/workflow-dispatch@v1
+        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26
         with:
           token: ${{ secrets.WEB_PAT_TOKEN }}
           repo: l7mp/stunner-helm

.github/workflows/publish-dev.yaml

  • 🟠 MED docker/metadata-action (job push_stunner_to_registry)
  • 🟠 MED docker/setup-qemu-action (job push_stunner_to_registry)
  • 🟠 MED docker/setup-buildx-action (job push_stunner_to_registry)
  • 🟠 MED docker/login-action (job push_stunner_to_registry)
  • 🟠 MED docker/build-push-action (job push_stunner_to_registry)
  • 🟠 MED docker/metadata-action (job push_icetester_to_registry)
  • 🟠 MED docker/setup-qemu-action (job push_icetester_to_registry)
  • 🟠 MED docker/setup-buildx-action (job push_icetester_to_registry)
  • 🟠 MED docker/login-action (job push_icetester_to_registry)
  • 🟠 MED docker/build-push-action (job push_icetester_to_registry)
  • ⚪ LOW actions/checkout (job push_stunner_to_registry)
  • ⚪ LOW actions/checkout (job push_icetester_to_registry)
Diff
--- a/.github/workflows/publish-dev.yaml
+++ b/.github/workflows/publish-dev.yaml
@@ -23,30 +23,30 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
         with:
           images: l7mp/stunnerd
           tags: |
             type=raw,value=dev
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
         with:
           username: ${{ secrets.DOCKER_USER }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
       - name: Build and Push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -70,30 +70,30 @@
... (36 more diff lines — see Files changed)

.github/workflows/publish.yml

  • 🟠 MED docker/metadata-action (job push_stunner_to_registry)
  • 🟠 MED docker/setup-qemu-action (job push_stunner_to_registry)
  • 🟠 MED docker/setup-buildx-action (job push_stunner_to_registry)
  • 🟠 MED docker/login-action (job push_stunner_to_registry)
  • 🟠 MED docker/build-push-action (job push_stunner_to_registry)
  • 🟠 MED docker/metadata-action (job push_icetester_to_registry)
  • 🟠 MED docker/setup-qemu-action (job push_icetester_to_registry)
  • 🟠 MED docker/setup-buildx-action (job push_icetester_to_registry)
  • 🟠 MED docker/login-action (job push_icetester_to_registry)
  • 🟠 MED docker/build-push-action (job push_icetester_to_registry)
  • ⚪ LOW actions/checkout (job check_release_readme)
  • ⚪ LOW actions/checkout (job push_stunner_to_registry)
  • ⚪ LOW actions/checkout (job push_icetester_to_registry)
Diff
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,7 +11,7 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Verify README is release-ready
         run: |
@@ -35,11 +35,11 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9
         with:
           images: l7mp/stunnerd
           tags: |
@@ -47,19 +47,19 @@
             type=raw,value=latest
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee
         with:
... (47 more diff lines — see Files changed)

.github/workflows/test.yml

  • 🟠 MED coverallsapp/github-action (job test)
  • 🟠 MED anchore/scan-action (job seccheck)
  • ⚪ LOW actions/checkout (job test)
  • ⚪ LOW actions/setup-go (job test)
  • ⚪ LOW actions/checkout (job seccheck)
Diff
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,9 +19,9 @@
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version: '1.26'
       - name: Download modules
@@ -31,7 +31,7 @@
       - name: Test
         run: go test -v -covermode=count -coverprofile=coverage.out
       - name: Coveralls
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e
         if: github.repository == 'l7mp/stunner'
         with:
           github-token: ${{ secrets.github_token }}
@@ -42,9 +42,9 @@
     runs-on: ubuntu-latest
     needs: [test]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
       - name: Check security vulnerabilites
-        uses: anchore/scan-action@v7
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2
         with:
           path: "."
           fail-build: true

Have other repositories you'd like analysed? Request a scan at codeopsai.com.


AI-generated. Review the diff before merging.

This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
This PR addresses 46 workflow findings:
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-dev.yaml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: medyagh/setup-minikube@master
- [medium] unpinned-action in .github/workflows/e2e-test-stable.yml: Unpinned action version: azure/setup-helm@v5
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/lint.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/lint.yml: Unpinned action version: golangci/golangci-lint-action@v9
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--add-binaries.yml: Unpinned action version: svenstaro/upload-release-action@v2
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [medium] unpinned-action in .github/workflows/publish--push-charts.yml: Unpinned action version: benc-uk/workflow-dispatch@v1
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish-dev.yaml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/publish.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/metadata-action@v6
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-qemu-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/publish.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: coverallsapp/github-action@v2
- [low] unpinned-action in .github/workflows/test.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/test.yml: Unpinned action version: anchore/scan-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
@levaitamas

Copy link
Copy Markdown
Member

Thanks for the PR! Using a git hash as the ID is a solid approach. It's the real source of truth in git and genuinely tamper-evident.

That said, I'm not convinced this warrants merging as-is. The security benefit feels limited given our current threat model, and the added complexity would make routine maintenance noticeably more painful down the line.

A few thoughts:

  • Script recommendation: Could you provide a helper script (or point to one) that automates this? Without tooling, the workflow becomes a manual friction point that's easy to get wrong.
  • LOW/MED severity levels: The labeling looks polished, but I don't have enough context to reason about it. What criteria distinguish LOW from MED here? What concrete risk does each level represent, and what's the expected action for each?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants