Skip to content

Harden GitHub Actions workflows based on zizmor audit - dev to main#2449

Closed
sankettangade wants to merge 1 commit into
masterfrom
cherry-pick/dev-to-main
Closed

Harden GitHub Actions workflows based on zizmor audit - dev to main#2449
sankettangade wants to merge 1 commit into
masterfrom
cherry-pick/dev-to-main

Conversation

@sankettangade

Copy link
Copy Markdown
Contributor

This PR adds changes for GitHub workflows added in dev branch into main branch by #2444

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

- Move untrusted ${{ }} into env vars to prevent script injection
- Pin all actions to commit SHAs (no version bumps)
- Set top-level permissions: {} with minimal job-level grants
- Add concurrency groups and job names
- Fix PowerShell/github-script injection in Dockerfile-update workflows
- Pin semgrep container image by digest
@sankettangade sankettangade requested review from a team as code owners June 26, 2026 16:20
@sankettangade sankettangade requested review from normj and philasmar June 26, 2026 16:20
@sankettangade sankettangade added the Release Not Needed Add this label if a PR does not need to be released. label Jun 26, 2026
@GarrettBeatty

Copy link
Copy Markdown
Contributor

you can just wait until #2448 is merged and then can do dev to main

@dscpinheiro dscpinheiro deleted the cherry-pick/dev-to-main branch July 2, 2026 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Release Not Needed Add this label if a PR does not need to be released.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants