Skip to content

ci: harden GitHub Actions workflows#13896

Open
glours wants to merge 1 commit into
docker:mainfrom
glours:ci/harden-workflows
Open

ci: harden GitHub Actions workflows#13896
glours wants to merge 1 commit into
docker:mainfrom
glours:ci/harden-workflows

Conversation

@glours

@glours glours commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

What I did
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the vulnerable range of CVE-2025-24362 and the v2 line has no patched release, so bump to v3.36.3. Enable Dependabot for github-actions to keep action pins from going stale. Scope the release job to tag refs so its contents:write token is only minted when a release is actually created. In merge.yml, drop a dead conditional (workflow only triggers on push) and pass DOCKERDESKTOP_REPO to github-script via env rather than inline interpolation, as recommended against script injection.

Related issue
N/A

(not mandatory) A picture of a cute animal, if possible in relation to what you did
image

The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the
vulnerable range of CVE-2025-24362 and the v2 line has no patched
release, so bump to v3.36.3. Enable Dependabot for github-actions
to keep action pins from going stale. Scope the release job to tag
refs so its contents:write token is only minted when a release is
actually created. In merge.yml, drop a dead conditional (workflow
only triggers on push) and pass DOCKERDESKTOP_REPO to github-script
via env rather than inline interpolation, as recommended against
script injection.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 13:17
@glours glours requested a review from a team as a code owner July 3, 2026 13:17
@glours glours requested a review from ndeloof July 3, 2026 13:17
@glours glours self-assigned this Jul 3, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s GitHub Actions security posture by updating an affected SARIF upload action to a patched major version, reducing token exposure in the release workflow, and enabling automated updates for action pins.

Changes:

  • Bump github/codeql-action/upload-sarif from v2 to v3.36.3 in the Scorecards workflow (avoids the vulnerable v2 line).
  • Tighten the CI release job so contents:write permissions are only granted when running on v* tag refs.
  • Add Dependabot updates for the github-actions ecosystem and make a small hardening tweak in merge.yml (remove dead conditional; avoid inline secret interpolation in github-script).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
.github/workflows/scorecards.yml Updates SARIF upload action to the v3 line to avoid the vulnerable v2 range.
.github/workflows/merge.yml Simplifies a dead push conditional and passes DOCKERDESKTOP_REPO via environment to reduce script-injection surface.
.github/workflows/ci.yml Moves the tag ref guard to the release job level so elevated permissions are only minted when needed.
.github/dependabot.yml Enables weekly Dependabot updates for GitHub Actions pins.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR makes four focused hardening improvements to the GitHub Actions workflows and Dependabot configuration:

  1. CVE fix: codeql-action/upload-sarif bumped from v2 (CVE-2025-24362 vulnerable, no patched v2 release) to v3.36.3 ✅
  2. Dependabot for Actions: New github-actions ecosystem entry added to prevent action pins from going stale ✅
  3. Token scoping: contents:write token for the release job now only minted on tag refs (job-level if: guard) — previous step-level guard left the job running (and the token minted) on every push ✅
  4. Script injection hardening (merge.yml): DOCKERDESKTOP_REPO passed via env: rather than inline ${{ }} interpolation in the github-script body ✅

No high or medium severity issues found. Two minor observations (not blocking):

  • The removed step-level if: startsWith(github.ref, 'refs/tags/v') from the ncipollo/release-action step is a clean refactor — identical behavior for tag refs, improved scoping for non-tag pushes. Confirm no other steps in the release job are expected to run outside tag refs.
  • push: true hardcoded in merge.yml (line 42) removes a prior ${{ github.event_name != 'pull_request' }} guard. The comment documents the assumption correctly; just worth noting that if a workflow_dispatch or pull_request trigger is ever added, this guard would need revisiting.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

The CI hardening changes look correct and well-structured. All four targeted improvements are implemented properly:

  1. CVE-2025-24362 fixcodeql-action/upload-sarif correctly bumped from v2 to v3.36.3
  2. Dependabot for github-actions — correctly configured to keep action pins fresh
  3. contents:write token scoping — release job if: condition correctly moved to job level so the token is only minted on tag pushes
  4. Script injection preventionDOCKERDESKTOP_REPO secret correctly moved from inline ${{ secrets.* }} expression to an env var, referenced via process.env.* in the script

No bugs or security issues introduced.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR correctly hardens the GitHub Actions workflows:

  • dependabot.yml: Valid github-actions ecosystem entry with weekly schedule — keeps action pins from going stale.
  • ci.yml: Moving if: startsWith(github.ref, 'refs/tags/v') from the step to the job level is correct and more efficient — the entire release job (including build steps) is now skipped on non-tag pushes rather than wastefully running until the final step.
  • merge.yml: push: true is logically equivalent to the previous ${{ github.event_name != 'pull_request' }} given the workflow's on: push triggers, and is well-documented with a comment. Moving DOCKERDESKTOP_REPO from inline interpolation to an env var is a correct script-injection mitigation.
  • scorecards.yml: Bump to codeql-action/upload-sarif@v3.36.3 (pinned SHA) addresses CVE-2025-24362 correctly.

No bugs introduced. All changes are well-reasoned security and CI hygiene improvements.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟡 NEEDS ATTENTION

This PR correctly addresses CVE-2025-24362 (bumping codeql-action/upload-sarif from v2 to v3.36.3), fixes the script-injection risk in merge.yml by passing the secret via env, scopes the contents:write token to tag refs only, and adds Dependabot for github-actions. One behavioral change warrants a confirmation from the author.

Comment thread .github/workflows/ci.yml
files: ./coverage.txt

release:
if: startsWith(github.ref, 'refs/tags/v')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] Moving job-level if skips artifact verification steps on non-tag pushes

Previously the if: startsWith(github.ref, 'refs/tags/v') guard was only on the final ncipollo/release-action step. That meant on every push to main (non-tag), the job still ran:

  1. actions/download-artifact — fetches the release artifact
  2. tree -nh ./bin/release — lists artifacts
  3. find bin/release -type f -exec file … — checks binary types

…but skipped only the actual GitHub Release creation. These steps acted as a post-build artifact sanity check for every push.

After this PR, the entire release job is skipped on non-tag pushes, so those sanity checks no longer run on main branch pushes. If this is intentional (just avoiding unnecessary work), the PR description doesn't mention it and it's worth a comment to confirm. If the artifact verification was considered useful, consider keeping those steps outside the tag guard:

  release:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - name: Artifacts
        uses: actions/download-artifact@...
      - name: List artifacts
        run: tree -nh ./bin/release
      - name: Check artifacts
        run: find bin/release -type f -exec file -e ascii -- {} +
      - name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: ncipollo/release-action@...

@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants