ops(security): demote security-events:write + fix downloadThenRun pattern#161
Merged
Merged
Conversation
…adThenRun Two Scorecard high-severity findings addressed: 1. pr-container-scan.yml: TokenPermissionsID HIGH -- 'topLevel security-events permission set to write'. Same fix pattern as cycles-server PR #144: top-level drops to read-all, security-events: write moves to the scan job (only step that needs it is the Trivy SARIF upload). 2. release.yml line 150: PinnedDependenciesID 'downloadThenRun not pinned by hash'. The pattern was 'curl ... | python -c ...' which Scorecard's heuristic flags as a supply-chain risk regardless of the source URL (here it's a localhost smoke probe, not external). Refactor to capture the body first, then pipe to python -- same behavior, no footgun pattern.
amavashev
added a commit
that referenced
this pull request
May 3, 2026
Same fix as runcycles/cycles-server#145 and runcycles/cycles-server-events#54. Trivy on cycles-server-admin's image flagged the same gnutls 3.8.12-r0 HIGH/MEDIUM/LOW CVEs that affect every consumer of the upstream eclipse-temurin:21-jre-alpine tag at this point in time. 'apk upgrade --no-cache' closes the patch-level gap on every build, so future Alpine CVE patches are picked up without manual intervention. Unblocks PR #161 (which has been failing the pr-container-scan step for the same root cause).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two Scorecard HIGH findings:
pr-container-scan.yml: TokenPermissionsID —topLevel 'security-events' permission set to 'write'. Same fix as cycles-server#144: top-level drops toread-all,security-events: writemoves to the scan job (only the Trivy SARIF upload needs it).release.yml:150: PinnedDependenciesID —downloadThenRun not pinned by hash. The patterncurl ... | python -c ...triggers Scorecard's heuristic regardless of source URL (here it's a localhost smoke probe — false positive in intent but still bad pattern). Refactor: capture body first, then pipe to python. Same behavior, no curl-pipe-interpreter shape.