Summary
The default branch already hardened .github/workflows/e2e.yml against the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (4)
release/v28 (still present as of HEAD e30aff6b)
release/v26 (still present as of HEAD a463fd4a)
release/v27 (still present as of HEAD c6f75bb3)
release/v25 (still present as of HEAD 4a04d96a)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release/v28 — unpinned-uses
File .github/workflows/e2e.yml; suggested edits:
- ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
key: cache-${{ hashFiles('go.sum') }}
- name: Inject go cache into docker
- uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+ uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
with:
cache-map: |
{
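Review bot: the `+` line pins the step to commit 5b6db76d1da5c8b307d5d2e0706d266521b710de and keeps `# v3.1.2` only as a trailing comment, and the comment is not checked by anything at runtime. Before merging, confirm that this SHA is the commit the upstream v3.1.2 tag actually resolves to (for example `git ls-remote --tags https://github.com/reproducible-containers/buildkit-cache-dance v3.1.2`), otherwise the annotation and the code that runs can silently diverge; the same SHA is proposed for all four branches, so one check covers them.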
release/v26 — unpinned-uses
File .github/workflows/e2e.yml; suggested edits:
- ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
key: cache-${{ hashFiles('go.sum') }}
- name: Inject go cache into docker
- uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+ uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
with:
cache-map: |
{
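Review bot: the hunk header and context (`@@ -67,7 +67,7 @@`, `key: cache-${{ hashFiles('go.sum') }}`, `with:`) are byte-identical to the release/v28 hunk, which is plausible for a backported workflow, but the edit description above still names the job only as `jobs.$J`. Whoever applies this on release/v26 should confirm it is the only step in e2e.yml that references reproducible-containers/buildkit-cache-dance, since a second `uses:` of the same action outside this hunk would remain unpinned and keep the zizmor finding open.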
release/v27 — unpinned-uses
File .github/workflows/e2e.yml; suggested edits:
- ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
key: cache-${{ hashFiles('go.sum') }}
- name: Inject go cache into docker
- uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+ uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
with:
cache-map: |
{
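Review bot: the rendered hunk has lost the YAML indentation of both the context lines and the `- uses:` list item (the intro notes that whitespace is normalized), so this text should not be fed to `git apply` as shown; on release/v27 edit the `uses:` value in place at line 67 or regenerate the patch from a checkout so the step keeps its original indentation under `steps:`. Only the action reference changes, so the `with:`/`cache-map:` block below it must stay untouched.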
release/v25 — unpinned-uses
File .github/workflows/e2e.yml; suggested edits:
- ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
key: cache-${{ hashFiles('go.sum') }}
- name: Inject go cache into docker
- uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+ uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
with:
cache-map: |
{
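Review bot: pinning to the full 40-character SHA closes the unpinned-uses finding, but it also freezes the action at v3.1.2 on release/v25; keep the trailing `# v3.1.2` comment in exactly that `# vX.Y.Z` form, since updaters such as Dependabot and Renovate rewrite that comment alongside the SHA when they propose a bump, and confirm an updater for the github-actions ecosystem covers the release branches, otherwise this pin will age without anyone noticing.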
Happy to open pull requests instead if that's preferred.