From e82da228c7e1a93ddb29ca25cc25024583a2f71c Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Mon, 30 Mar 2026 13:26:52 -0400
Subject: [PATCH 1/3] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/workflows/check-alpine-version.yml | 2 +-
 .github/workflows/check-go-versions.yml | 4 ++--
 .github/workflows/ci.yml | 10 +++++-----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/check-alpine-version.yml b/.github/workflows/check-alpine-version.yml
index 59eaa80d..6e66a3a7 100644
--- a/.github/workflows/check-alpine-version.yml
+++ b/.github/workflows/check-alpine-version.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Create pull request
 if: steps.update-alpine.outcome == 'success'
-uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
+uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # 6d6857d36972b65feb161a90e484f2984215f83e
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 add-paths: |
diff --git a/.github/workflows/check-go-versions.yml b/.github/workflows/check-go-versions.yml
index efa08a8e..66d4dd6b 100644
--- a/.github/workflows/check-go-versions.yml
+++ b/.github/workflows/check-go-versions.yml
@@ -16,7 +16,7 @@ jobs:
 # Perform a GET request to endoflife.date for the Go language. The response
 # contains all Go releases; we're interested in the 0'th and 1'th (latest and penultimate.)
 - name: Fetch officially supported Go versions
-uses: JamesIves/fetch-api-data-action@396ebea7d13904824f85b892b1616985f847301c
+uses: JamesIves/fetch-api-data-action@396ebea7d13904824f85b892b1616985f847301c # 396ebea7d13904824f85b892b1616985f847301c
 with:
 endpoint: https://endoflife.date/api/go.json
 configuration: '{ "method": "GET" }'
@@ -54,7 +54,7 @@ jobs:
 - name: Create pull request
 if: steps.update.outcome == 'success'
-uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
+uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # 6d6857d36972b65feb161a90e484f2984215f83e
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 add-paths: |
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f4391f2b..41166e24 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -72,9 +72,9 @@ jobs:
 with:
 go-version: ${{ needs.go-versions.outputs.latest }}
 - name: Set up QEMU
-uses: docker/setup-qemu-action@v3
+uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 - name: Setup Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
 platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386
 - name: Build Docker Images
@@ -83,7 +83,7 @@ jobs:
 id: image-tag
 run: echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
-- uses: aquasecurity/trivy-action@master
+- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
 id: scan-alpine
 continue-on-error: true
 with:
@@ -94,7 +94,7 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
-- uses: aquasecurity/trivy-action@master
+- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
 id: scan-distroless
 continue-on-error: true
 with:
@@ -102,7 +102,7 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
-- uses: aquasecurity/trivy-action@master
+- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
 continue-on-error: true
 id: scan-debug-distroless
 with:

From 6720a02d5e814d37661670d794b7ccaccf2bcb2f Mon Sep 17 00:00:00 2001
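Review bot: The `# v3` comments on the two new docker pins, `uses: docker/setup-qemu-action@c7c53464…` and `uses: docker/setup-buildx-action@8d2750c6…`, name the floating major tag rather than the release the SHA was taken from, so a reader cannot tell which version is actually pinned, and Dependabot/Renovate, which read that comment to decide what the current version is, will track the moving `v3` tag. Record the exact release tag the SHA resolves to, e.g. `uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.<minor>.<patch>`, after confirming the mapping with `git ls-remote --tags https://github.com/docker/setup-qemu-action | grep c7c53464` (for an annotated tag it is the peeled `^{}` entry that must match the commit). The `with: go-version:` lines that open the hunk belong to a step whose `uses:` is outside the hunk; if it is a first-party `actions/*` action it falls outside this commit's third-party-only scope, and the same SHA pinning is worth applying there too.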
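Review bot: Every Trivy step in this file pairs `exit-code: '1'` with `continue-on-error: true` (`id: scan-alpine` in this hunk, `scan-distroless` and `scan-debug-distroless` in the two that follow), so a scanner finding turns the step red but the job still succeeds; unless a later step outside these hunks reads `steps.scan-*.outcome` and fails the job, the newly pinned scanner's verdict is never enforced. If advisory scanning is the intent, document it with a comment such as `# advisory scan: step outcome is checked in a later step` above the first `- uses: aquasecurity/trivy-action@…` line; otherwise drop `continue-on-error: true` or add a final step that fails when any `steps.scan-*.outcome == 'failure'`. The `run:` line above the pin appends to `$GITHUB_OUTPUT` unquoted; quoting it as `>> "$GITHUB_OUTPUT"` is the usual shell hygiene and costs nothing.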
From: Cursor Agent
Date: Mon, 30 Mar 2026 18:12:13 +0000
Subject: [PATCH 2/3] chore: update trivy-action comment to reference v0.35.0

Update the version comment from '# master' to '# v0.35.0' to properly document that the SHA is pinned to the verified safe v0.35.0 release. The SHA 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 is confirmed to be the correct commit for v0.35.0, which was not affected by CVE-2026-336.

Co-authored-by: Patrick Kaeding
---
 .github/workflows/ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 41166e24..485d25cb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -83,7 +83,7 @@ jobs:
 id: image-tag
 run: echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT
-- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
+- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 id: scan-alpine
 continue-on-error: true
 with:
@@ -94,7 +94,7 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
-- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
+- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 id: scan-distroless
 continue-on-error: true
 with:
@@ -102,7 +102,7 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
-- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
+- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 continue-on-error: true
 id: scan-debug-distroless
 with:

From 320bd0eacd3a110f2a88e24cabcf98603cee1dea Mon Sep 17 00:00:00 2001
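Review bot: The `# v0.35.0` comment now placed next to `57a97c7e7821a5776cebc9bb87c984fa69cba8f1` on all three `- uses: aquasecurity/trivy-action@…` lines is the only record of which release the SHA represents, and the claim that they match rests on the commit message (authored by an agent) rather than anything in the repository; if the mapping is wrong, Dependabot will report the wrong version and a later audit will trust a pin that is really an arbitrary `master` commit. Before merging, confirm it with `git ls-remote --tags https://github.com/aquasecurity/trivy-action | grep v0.35.0` and compare the peeled `^{}` object, not the tag object itself, against the SHA. The identifier `CVE-2026-336` in the message does not have the four-digit minimum sequence number that CVE IDs carry, so it is worth correcting to the intended ID so the "not affected" claim can be checked.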
From: "Matthew M. Keeler"
Date: Thu, 9 Apr 2026 11:36:36 -0400
Subject: [PATCH 3/3] Apply suggestions from code review

Co-authored-by: Matthew M. Keeler
---
 .github/workflows/check-alpine-version.yml | 2 +-
 .github/workflows/check-go-versions.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/check-alpine-version.yml b/.github/workflows/check-alpine-version.yml
index 6e66a3a7..b3317377 100644
--- a/.github/workflows/check-alpine-version.yml
+++ b/.github/workflows/check-alpine-version.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Create pull request
 if: steps.update-alpine.outcome == 'success'
-uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # 6d6857d36972b65feb161a90e484f2984215f83e
+uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 add-paths: |
diff --git a/.github/workflows/check-go-versions.yml b/.github/workflows/check-go-versions.yml
index 66d4dd6b..99f3e1a5 100644
--- a/.github/workflows/check-go-versions.yml
+++ b/.github/workflows/check-go-versions.yml
@@ -16,7 +16,7 @@ jobs:
 # Perform a GET request to endoflife.date for the Go language. The response
 # contains all Go releases; we're interested in the 0'th and 1'th (latest and penultimate.)
 - name: Fetch officially supported Go versions
-uses: JamesIves/fetch-api-data-action@396ebea7d13904824f85b892b1616985f847301c # 396ebea7d13904824f85b892b1616985f847301c
+uses: JamesIves/fetch-api-data-action@396ebea7d13904824f85b892b1616985f847301c # v2.2.4
 with:
 endpoint: https://endoflife.date/api/go.json
 configuration: '{ "method": "GET" }'
@@ -54,7 +54,7 @@ jobs:
 - name: Create pull request
 if: steps.update.outcome == 'success'
-uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # 6d6857d36972b65feb161a90e484f2984215f83e
+uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 add-paths: |