ci: harden GitHub Actions workflows #13896
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the vulnerable range of CVE-2025-24362 and the v2 line has no patched release, so bump to v3.36.3. Enable Dependabot for github-actions to keep action pins from going stale. Scope the release job to tag refs so its contents:write token is only minted when a release is actually created. In merge.yml, drop a dead conditional (workflow only triggers on push) and pass DOCKERDESKTOP_REPO to github-script via env rather than inline interpolation, as recommended against script injection. Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
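The two patterns the description refers to, shown as an added example rather than the PR's own diff: a `github-script` step that reads `DOCKERDESKTOP_REPO` from `env:` instead of inline `${{ }}` interpolation, and a release job whose `contents: write` token is only requested behind a job-level tag guard. The workflow name, job names, script body and release inputs are assumptions.

```yaml
# Added example, not the PR's own workflow files: job names, the script body
# and the release inputs are illustrative assumptions.
name: ci-hardening-example
on:
  push:
    branches: [main]
    tags: ['v*']

# Least privilege by default; a job that needs more raises it for itself.
permissions:
  contents: read

jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      # BEFORE (the pattern the PR removes from merge.yml):
      #   with:
      #     script: |
      #       const repo = '${{ secrets.DOCKERDESKTOP_REPO }}';
      # The expression is expanded into the JavaScript source before the
      # script runs, so a value containing a quote would become code.
      #
      # AFTER: the value enters the Node process as an environment variable
      # and is read as data via process.env; it is never parsed as source.
      - uses: actions/github-script@v7   # pin to a commit SHA in practice
        env:
          DOCKERDESKTOP_REPO: ${{ secrets.DOCKERDESKTOP_REPO }}
        with:
          script: |
            const repo = process.env.DOCKERDESKTOP_REPO;
            core.info('target repo: ' + repo);

  # The guard sits on the job, not on its last step: on a non-tag push the
  # whole job is skipped and its contents:write GITHUB_TOKEN is never minted.
  release:
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4        # pin to a commit SHA in practice
      - uses: ncipollo/release-action@v1 # pin to a commit SHA in practice
        with:
          tag: ${{ github.ref_name }}
```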
Pull request overview
This PR hardens the repository’s GitHub Actions security posture by updating an affected SARIF upload action to a patched major version, reducing token exposure in the release workflow, and enabling automated updates for action pins.
Changes:
- Bump `github/codeql-action/upload-sarif` from v2 to v3.36.3 in the Scorecards workflow (avoids the vulnerable v2 line).
- Tighten the CI release job so `contents:write` permissions are only granted when running on `v*` tag refs.
- Add Dependabot updates for the `github-actions` ecosystem and make a small hardening tweak in `merge.yml` (remove dead conditional; avoid inline secret interpolation in `github-script`).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/scorecards.yml | Updates SARIF upload action to the v3 line to avoid the vulnerable v2 range. |
| .github/workflows/merge.yml | Simplifies a dead push conditional and passes DOCKERDESKTOP_REPO via environment to reduce script-injection surface. |
| .github/workflows/ci.yml | Moves the tag ref guard to the release job level so elevated permissions are only minted when needed. |
| .github/dependabot.yml | Enables weekly Dependabot updates for GitHub Actions pins. |
docker-agent left a comment
Assessment: 🟢 APPROVE
This PR makes four focused hardening improvements to the GitHub Actions workflows and Dependabot configuration:
- CVE fix: `codeql-action/upload-sarif` bumped from v2 (CVE-2025-24362 vulnerable, no patched v2 release) to v3.36.3 ✅
- Dependabot for Actions: New `github-actions` ecosystem entry added to prevent action pins from going stale ✅
- Token scoping: `contents:write` token for the release job now only minted on tag refs (job-level `if:` guard) — previous step-level guard left the job running (and the token minted) on every push ✅
- Script injection hardening (`merge.yml`): `DOCKERDESKTOP_REPO` passed via `env:` rather than inline `${{ }}` interpolation in the `github-script` body ✅
No high or medium severity issues found. Two minor observations (not blocking):
- The removed step-level `if: startsWith(github.ref, 'refs/tags/v')` from the `ncipollo/release-action` step is a clean refactor — identical behavior for tag refs, improved scoping for non-tag pushes. Confirm no other steps in the release job are expected to run outside tag refs.
- `push: true` hardcoded in `merge.yml` (line 42) removes a prior `${{ github.event_name != 'pull_request' }}` guard. The comment documents the assumption correctly; just worth noting that if a `workflow_dispatch` or `pull_request` trigger is ever added, this guard would need revisiting.
docker-agent left a comment
Assessment: 🟢 APPROVE
The CI hardening changes look correct and well-structured. All four targeted improvements are implemented properly:
- CVE-2025-24362 fix — `codeql-action/upload-sarif` correctly bumped from v2 to v3.36.3
- Dependabot for github-actions — correctly configured to keep action pins fresh
- `contents:write` token scoping — release job `if:` condition correctly moved to job level so the token is only minted on tag pushes
- Script injection prevention — `DOCKERDESKTOP_REPO` secret correctly moved from inline `${{ secrets.* }}` expression to an env var, referenced via `process.env.*` in the script
No bugs or security issues introduced.
docker-agent left a comment
Assessment: 🟢 APPROVE
This PR correctly hardens the GitHub Actions workflows:
- dependabot.yml: Valid `github-actions` ecosystem entry with weekly schedule — keeps action pins from going stale.
- ci.yml: Moving `if: startsWith(github.ref, 'refs/tags/v')` from the step to the job level is correct and more efficient — the entire release job (including build steps) is now skipped on non-tag pushes rather than wastefully running until the final step.
- merge.yml: `push: true` is logically equivalent to the previous `${{ github.event_name != 'pull_request' }}` given the workflow's `on: push` triggers, and is well-documented with a comment. Moving `DOCKERDESKTOP_REPO` from inline interpolation to an env var is a correct script-injection mitigation.
- scorecards.yml: Bump to `codeql-action/upload-sarif@v3.36.3` (pinned SHA) addresses CVE-2025-24362 correctly.
No bugs introduced. All changes are well-reasoned security and CI hygiene improvements.
docker-agent left a comment
Assessment: 🟡 NEEDS ATTENTION
This PR correctly addresses CVE-2025-24362 (bumping codeql-action/upload-sarif from v2 to v3.36.3), fixes the script-injection risk in merge.yml by passing the secret via env, scopes the contents:write token to tag refs only, and adds Dependabot for github-actions. One behavioral change warrants a confirmation from the author.
| files: ./coverage.txt | ||
| release: | ||
| if: startsWith(github.ref, 'refs/tags/v') |
[MEDIUM] Moving job-level if skips artifact verification steps on non-tag pushes
Previously the if: startsWith(github.ref, 'refs/tags/v') guard was only on the final ncipollo/release-action step. That meant on every push to main (non-tag), the job still ran:
- `actions/download-artifact` — fetches the release artifact
- `tree -nh ./bin/release` — lists artifacts
- `find bin/release -type f -exec file …` — checks binary types
…but skipped only the actual GitHub Release creation. These steps acted as a post-build artifact sanity check for every push.
After this PR, the entire release job is skipped on non-tag pushes, so those sanity checks no longer run on main branch pushes. If this is intentional (just avoiding unnecessary work), the PR description doesn't mention it and it's worth a comment to confirm. If the artifact verification was considered useful, consider keeping those steps outside the tag guard:
```yaml
release:
  runs-on: ubuntu-latest
  needs:
    - build
  steps:
    - name: Artifacts
      uses: actions/download-artifact@...
    - name: List artifacts
      run: tree -nh ./bin/release
    - name: Check artifacts
      run: find bin/release -type f -exec file -e ascii -- {} +
    - name: GitHub Release
      if: startsWith(github.ref, 'refs/tags/v')
      uses: ncipollo/release-action@...
```
Codecov Report: ✅ All modified and coverable lines are covered by tests.