
Backport workflow-hardening fix (unpinned-uses) to 4 release branches #4610

@CharlieMCY

Summary

The default branch already hardened .github/workflows/e2e.yml against the issue(s) below, but 4 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA

Already resolved on the default branch in:

Affected release branches (4)

  • release/v28 (still present as of HEAD e30aff6b)
  • release/v26 (still present as of HEAD a463fd4a)
  • release/v27 (still present as of HEAD c6f75bb3)
  • release/v25 (still present as of HEAD 4a04d96a)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

release/v28 — unpinned-uses

File .github/workflows/e2e.yml; suggested edits:

  • ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
           key: cache-${{ hashFiles('go.sum') }}
 
       - name: Inject go cache into docker
-        uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de  # v3.1.2
         with:
           cache-map: |
             {
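Review bot: the 40-hex SHA on the `+` line cannot be verified from the hunk itself, so before merging confirm it is the commit that `refs/tags/v3.1.2` of reproducible-containers/buildkit-cache-dance resolves to; for an annotated tag that is the peeled `refs/tags/v3.1.2^{}` entry from `git ls-remote --tags`, not the tag object's own ID. The trailing `# v3.1.2` is documentation only; the runner executes whatever the SHA points at.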
release/v26 — unpinned-uses

File .github/workflows/e2e.yml; suggested edits:

  • ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
           key: cache-${{ hashFiles('go.sum') }}
 
       - name: Inject go cache into docker
-        uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de  # v3.1.2
         with:
           cache-map: |
             {
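Review bot: keep the `# v3.1.2` trailing comment on the `+` line in exactly this form, since that is what Dependabot and Renovate read to bump a SHA pin, and check that whichever of them updates pins on the default branch is also configured to target release/v26; a SHA pin freezes the action, so without that this branch stays on this commit until someone edits it by hand.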
release/v27 — unpinned-uses

File .github/workflows/e2e.yml; suggested edits:

  • ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
           key: cache-${{ hashFiles('go.sum') }}
 
       - name: Inject go cache into docker
-        uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de  # v3.1.2
         with:
           cache-map: |
             {
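Review bot: the leading context of the hunk (`key: cache-${{ hashFiles('go.sum') }}` under a `with:`) belongs to a preceding step whose own `uses:` line is outside the hunk. The description says zizmor reports the file clean after this one-line change, so the backport PR should say explicitly that that step and every other `uses:` in e2e.yml were already SHA-pinned on release/v27; otherwise a reviewer has to re-run the scanner to trust that only this line needed changing.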
release/v25 — unpinned-uses

File .github/workflows/e2e.yml; suggested edits:

  • ~ jobs.$J.steps[uses=reproducible-containers/buildkit-cache-dance].uses : pin(reproducible-containers/buildkit-cache-dance -> target_ref SHA)
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -67,7 +67,7 @@
           key: cache-${{ hashFiles('go.sum') }}
 
       - name: Inject go cache into docker
-        uses: reproducible-containers/buildkit-cache-dance@v3.1.2
+        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de  # v3.1.2
         with:
           cache-map: |
             {
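Review bot: the patch is byte-identical on all four branches and applies at the same `@@ -67,7 +67,7 @@` position, so rather than four hand-applied diffs, cherry-pick the default-branch hardening commit onto each release branch with `git cherry-pick -x` and keep the resulting `(cherry picked from commit ...)` trailer; that records which commit was backported and lets each PR be audited against one source instead of a copy of the diff.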

Happy to open pull requests instead if that's preferred.
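The check the scanner runs here, as an added example that is not part of this issue, of zizmor, or of the project's workflows: a small Python checker that walks a workflow's `uses:` lines, classifies each reference as SHA-pinned, unpinned, local or a Docker image, and rewrites an unpinned line into the `owner/repo@<sha>  # <tag>` form used in the diffs above. The workflow text is constructed for the example; the SHA passed to `pin_uses` is assumed to have been resolved separately (for instance from the peeled `refs/tags/<tag>^{}` entry of `git ls-remote --tags`), because the script deliberately does no network lookups. The classification policy (a Docker image counts as pinned only with a `@sha256:` digest) is this example's simplification, not a statement of zizmor's rules.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for the example; modelled on the e2e.yml hunk
# in the issue but not the project's actual file.
SAMPLE_WORKFLOW = """\
name: e2e
on: [push]
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Inject go cache into docker
        uses: reproducible-containers/buildkit-cache-dance@v3.1.2
      - name: Pinned step
        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de  # v3.1.2
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

# Matches a step's `uses:` key and captures the reference up to whitespace,
# a quote or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
# A full 40-hex commit SHA; abbreviated SHAs are not accepted as pins.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """Return 'pinned', 'unpinned', 'local' or 'docker' for one uses: value."""
    if ref.startswith("./"):
        return "local"                      # in-repo action, versioned with the checkout
    if ref.startswith("docker://"):
        # Example policy: an image is pinned only by digest, never by tag.
        return "pinned" if "@sha256:" in ref else "unpinned"
    if "@" not in ref:
        return "unpinned"                   # no ref at all: resolves to the default branch
    _, _, tag = ref.rpartition("@")
    return "pinned" if SHA_RE.match(tag) else "unpinned"


def find_unpinned(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reference) for every uses: that is not SHA/digest pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify(ref) == "unpinned":
            findings.append((lineno, ref))
    return findings


def pin_uses(line: str, sha: str) -> str:
    """Rewrite one uses: line to owner/repo@<sha>  # <old tag>, keeping indentation.

    `sha` is assumed to have been resolved out of band (hypothetical caller
    responsibility); the function refuses anything that is not a full SHA so a
    tag or branch name can never be written back as a "pin".
    """
    if not SHA_RE.match(sha):
        raise ValueError("refusing to pin to a non-SHA ref: %r" % sha)
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a uses: line: %r" % line)
    ref = m.group(1)
    if ref.startswith(("./", "docker://")):
        raise ValueError("only owner/repo references are rewritten: %r" % ref)
    repo, _, tag = ref.partition("@")
    comment = "  # %s" % tag if tag else "  # previously unpinned"
    start, _ = m.span(1)
    return "%s%s@%s%s" % (line[:start], repo, sha, comment)


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print("line %d: unpinned uses: %s" % (lineno, ref))
```

Running the script against the constructed workflow reports `actions/checkout@v4`, the `@v3.1.2` step and the digest-less Docker image, and leaves the SHA-pinned and local steps alone. `pin_uses` is the formatting half of the fix only; the `# v3.1.2` comment it emits is there so a pin-updating bot can still tell which release the SHA corresponds to.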
