From c31988ce1620fba4167b3fb890dd52994194f8e1 Mon Sep 17 00:00:00 2001
From: Guillaume Lours
Date: Fri, 3 Jul 2026 15:16:03 +0200
Subject: [PATCH] ci: harden GitHub Actions workflows

The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the vulnerable range of CVE-2025-24362 and the v2 line has no patched release, so bump to v3.36.3. Enable Dependabot for github-actions to keep action pins from going stale. Scope the release job to tag refs so its contents:write token is only minted when a release is actually created. In merge.yml, drop a dead conditional (workflow only triggers on push) and pass DOCKERDESKTOP_REPO to github-script via env rather than inline interpolation, as recommended against script injection.

Signed-off-by: Guillaume Lours
---
 .github/dependabot.yml           | 4 ++++
 .github/workflows/ci.yml         | 2 +-
 .github/workflows/merge.yml      | 6 ++++--
 .github/workflows/scorecards.yml | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8810a070210..938362c9b3f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 ---
 version: 2
 updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
   - package-ecosystem: gomod
     directory: /
     cooldown:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9c4c673f0b8..85fcf4b66ac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -304,6 +304,7 @@ jobs:
           files: ./coverage.txt
 
   release:
+    if: startsWith(github.ref, 'refs/tags/v')
     permissions:
       contents: write # to create a release (ncipollo/release-action)
     runs-on: ubuntu-latest
@@ -329,7 +330,6 @@ jobs:
           find bin/release -type f -exec file -e ascii -- {} +
 
       - name: GitHub Release
-        if: startsWith(github.ref, 'refs/tags/v')
         uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
         with:
           artifacts: ./bin/release/*
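Review bot: The new `github-actions` entry in the dependabot.yml hunk carries no `cooldown:` block, while the neighbouring `gomod` entry does (its `cooldown:` key is the hunk's last context line). A cooldown is at least as useful for action bumps as for Go modules: Dependabot will rewrite the SHA pins this commit relies on as soon as an upstream tag moves, and a delay before adopting a freshly published release is the usual mitigation against picking up one that is later pulled or found to be compromised. Mirroring the `gomod` entry's `cooldown:` settings under the new entry (a `cooldown:` block with a `default-days` value chosen to match) would keep the two ecosystems consistent.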
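Review bot: None of the `release` job's earlier steps run on non-tag refs any more once the `startsWith(github.ref, 'refs/tags/v')` guard sits at job level (the second ci.yml hunk removes the step-level copy); judging by the `find bin/release -type f -exec file -e ascii -- {} +` context line the job also builds and inspects the release binaries, and if that doubled as a cross-build check on ordinary pushes and pull requests, that coverage is lost silently. If the build steps should keep running everywhere, the way to preserve both goals is to split them into a job with default read permissions and keep only the upload step under the tag-guarded, `contents: write` job. Otherwise the trade-off deserves a line next to the new `if:`, e.g. `# tag refs only: release binaries are not built for other refs`. The `release` job starts and ends outside both hunks.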
diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
index a78d0e016ff..a5ac6466f0c 100644
--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@@ -39,7 +39,7 @@ jobs:
           cache: true
           cache-scope: bin-image
           output: image
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true # this workflow only triggers on push (main and tags)
           sbom: true
           set-meta-labels: true
           meta-images: |
@@ -97,12 +97,14 @@ jobs:
 
       - name: Trigger Docker Desktop e2e with edge version
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          DOCKERDESKTOP_REPO: ${{ secrets.DOCKERDESKTOP_REPO }}
         with:
           github-token: ${{ steps.generate_token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'docker',
-              repo: '${{ secrets.DOCKERDESKTOP_REPO }}',
+              repo: process.env.DOCKERDESKTOP_REPO,
               workflow_id: 'compose-edge-integration.yml',
               ref: 'main',
               inputs: {
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index b9fc388f27a..edfffe02798 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -58,6 +58,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
+        uses: github/codeql-action/upload-sarif@411c4c9a36b3fca4d674f06b6396b2c6d23522c6 # v3.36.3
         with:
           sarif_file: results.sarif
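Review bot: `push: true` on the new line of the first merge.yml hunk is justified only by its trailing comment; the trigger set it depends on lives in the `on:` block at the top of merge.yml, outside this hunk, so a later trigger addition would start publishing the image from that event with nothing near this line flagging it. The removed expression was self-enforcing at no cost. If the dead conditional should still go, a guard that states the intent in code rather than prose, `push: ${{ github.event_name == 'push' }}`, keeps the comment honest; the enclosing step and job start outside the hunk.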
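Review bot: On the new `repo: process.env.DOCKERDESKTOP_REPO` line of the second merge.yml hunk an unset secret reaches the dispatch call as `undefined`, so the step fails with an API error instead of a message naming the missing configuration (the old interpolation had the same weakness, with an empty string). Since the value is already exposed through `env`, a guard at the top of the script, `if (!process.env.DOCKERDESKTOP_REPO) { core.setFailed('DOCKERDESKTOP_REPO is not set'); return; }`, makes the failure self-explanatory. The `inputs: {` object and the rest of the script continue past the hunk.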