security: fix audit findings (HIGH/MEDIUM)#29
Open
hinanohart wants to merge 1 commit into
Open
Conversation
… SHAs The sigstore-attest job in release.yml ran two actions pinned by mutable tag (sigstore/cosign-installer@v3, actions/upload-artifact@v7) while every other step in ci.yml/release.yml is commit-SHA pinned. That job runs with contents: write and id-token: write, so a retagged/compromised action could exfiltrate the OIDC token. Pin both to full commit SHAs with version comments, consistent with the repo's existing pinning policy. Dependabot will keep them fresh. - sigstore/cosign-installer -> 2e2f661cd4be3a4b891a882064e49d0fed4b7b88 # v3.9.0 - actions/upload-artifact -> 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security audit fix: pin two GitHub Actions that were referenced by mutable tags to full commit SHAs, restoring consistency with the repo's existing SHA-pinning policy.
Fixes
[MEDIUM] Release workflow used mutable tag refs for two actions
File:
.github/workflows/release.ymlThe
sigstore-attestjob runs withpermissions: contents: write, id-token: write. Two of its steps referenced actions by mutable major tag while every other step inci.yml/release.ymlis commit-SHA pinned. A retagged or compromised action in that job could exfiltrate the OIDC token.sigstore/cosign-installer@v3->sigstore/cosign-installer@2e2f661cd4be3a4b891a882064e49d0fed4b7b88 # v3.9.0(line 104)actions/upload-artifact@v7->actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1(line 119)SHAs resolved via
git ls-remoteagainst the upstream tags. Dependabot (already configured) will keep these fresh.Verification:
zizmoron the original file reported 2unpinned-useserrors; after the change both are gone.npm testpasses (80/80).Deferred
The following pre-existing
zizmorfindings in the workflow files were left untouched as they are out of scope for this audit item and fixing them would require unrelated workflow refactors (permission scoping,persist-credentials: false, cache hardening):excessive-permissions(job-levelcontents: write/id-token: write)artipacked(credential persistence viaactions/checkoutdefaultpersist-credentials)cache-poisoning(runtime artifacts built after a cache-enabledsetup-node)These predate this PR and are not regressions introduced by this change.
Generated with Claude Code (https://claude.com/claude-code)