## Summary

Track the adjacent `.github/workflows/build-baseline.yml` artifact-download exposure that still uses `actions/download-artifact` in a path that can inherit the same transitive `Buffer()` deprecation warning class remediated for OSSF Scorecard in #199/#200.

## Context

- Parent stabilization program: #194
- Related closed warning slice: #199
- Remediation pattern: PR #200 kept the pinned action but used `skip-decompress: true` plus a repo-owned safe extractor for the expected artifact contents, with supply-chain guards and regression tests.
- Adjacent exposure: `.github/workflows/build-baseline.yml` release artifact download around line 297.

## Acceptance Criteria

- Capture fresh default-branch/build-baseline warning evidence before changing the workflow.
- Classify whether this path emits the same `actions/download-artifact`/`Buffer()` warning or remains latent exposure only.
- If actionable, remove the root warning path without broad log filtering or weakening action pinning/digest validation.
- Add or update repo-owned guard/test coverage so the warning-prone workflow pattern does not silently return.
- Re-run the smallest local verification plus PR/default-branch build-baseline evidence after merge.

## Security Notes

Artifact downloads and archive extraction are untrusted supply-chain boundaries. Any remediation must preserve strict expected-file validation, path traversal protection, symlink rejection where archives are decompressed by repository code, immutable workflow action pinning, digest validation, and warning-free CI evidence.
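The remediation pattern described above (download with `skip-decompress: true`, then a repo-owned extractor that enforces the expected-file, path-traversal and symlink rules from the Security Notes) as an added Python example. This is not the extractor from PR #200 or any other project code; the expected file names, the function names and the symlink test helper are assumptions.

```python
import io, os, stat, tempfile, zipfile

# Hypothetical contract, not the project's code: the workflow step runs
# actions/download-artifact with skip-decompress: true and passes the raw .zip here.
EXPECTED_FILES = frozenset({"build-baseline.json", "sbom.spdx.json"})

def safe_extract(zip_bytes, dest, expected=EXPECTED_FILES):
    """Extract exactly the expected regular files into dest; fail closed otherwise."""
    dest_real, written = os.path.realpath(dest), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        missing = expected - {i.filename for i in infos}
        if missing:
            raise ValueError(f"missing expected files: {sorted(missing)}")
        for info in infos:
            name = info.filename
            if name not in expected:  # allowlist is the primary control
                raise ValueError(f"unexpected entry: {name!r}")
            # defence in depth in case the allowlist itself is misconfigured
            if name.startswith(("/", "\\")) or "\\" in name or ".." in name.split("/"):
                raise ValueError(f"unsafe path: {name!r}")
            # POSIX mode sits in the high 16 bits; a symlink could redirect an expected name
            if stat.S_ISLNK(info.external_attr >> 16):
                raise ValueError(f"symlink rejected: {name!r}")
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"escapes destination: {name!r}")
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return sorted(written)

def build_archive(entries, symlink_name=None):
    """Constructed test helper: zip of {name: bytes}, optionally plus a symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        if symlink_name:
            info = zipfile.ZipInfo(symlink_name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, "/etc/passwd")  # link target; never followed here
    return buf.getvalue()

def check_archive(zip_bytes):
    """Extract into a throwaway dir; return 'ok: ...' or 'rejected: <reason>'."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return "ok: " + ",".join(safe_extract(zip_bytes, d))
        except ValueError as e:
            return "rejected: " + str(e)
```

A regression test that feeds `check_archive` a missing-file, an extra-entry and a symlink-named-as-expected archive is the kind of repo-owned guard the acceptance criteria ask for.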