
Backport workflow-hardening fix (unpinned-uses) to 5 release branches #3585

Description

@CharlieMCY

Summary

The default branch already hardened .github/workflows/codeql-analysis.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

What's flagged (by zizmor)

  • unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA

Already resolved on the default branch in:

Affected release branches (5)

  • release/2.17.0 (still present as of HEAD 39f41f19)
  • release/2.13.0 (still present as of HEAD 8c603470)
  • release/2.16.0 (still present as of HEAD 14b45a54)
  • release/2.12.0 (still present as of HEAD 94f4ba44)
  • release/2.14.0 (still present as of HEAD 1f5ab6c7)

Suggested per-branch patches

Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

release/2.17.0 — unpinned-uses

File .github/workflows/codeql-analysis.yml; suggested edits:

  • ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
  • ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
  • ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       - name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
         with:
           distribution: 'zulu'
           java-version: 17
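
Review bot: the hunk pins only the `actions/checkout` and `actions/setup-java` steps (old-file lines 29 and 32), but the suggested-edits list for release/2.17.0 also names `github/codeql-action/init`, `github/codeql-action/analyze` and `gradle/actions/setup-gradle`; either extend the diff to those three `uses:` lines or drop them from the list, since as shown the patch would leave zizmor's unpinned-uses finding open on the steps it does not touch. Before merging, also confirm that `34e114876b0b11c390a56381ad16ebd13914f8d5` and `c1e323688fd81a25caa38c78aa6df2d33d3e20d9` resolve to v4 release tags of their respective actions, because a SHA pin is only as good as the commit it points at.
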
release/2.13.0 — unpinned-uses

File .github/workflows/codeql-analysis.yml; suggested edits:

  • ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
  • ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
  • ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       - name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
         with:
           distribution: 'zulu'
           java-version: 17
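
Review bot: same gap as on the other branches, the diff covers `actions/checkout` and `actions/setup-java` only, while the list above for release/2.13.0 also promises pins for `github/codeql-action/init`, `github/codeql-action/analyze` and `gradle/actions/setup-gradle`; the hunk should include those `uses:` lines or the list should be reduced to what the patch actually changes. The trailing `# v4` comments would be more useful as the exact release tag the SHA was taken from, so that a reader or update tooling can tell which v4 patch release is pinned.
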
release/2.16.0 — unpinned-uses

File .github/workflows/codeql-analysis.yml; suggested edits:

  • ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
  • ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
  • ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       - name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
         with:
           distribution: 'zulu'
           java-version: 17
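
Review bot: the hunk for release/2.16.0 only pins `actions/checkout` and `actions/setup-java`; the `github/codeql-action/init`, `github/codeql-action/analyze` and `gradle/actions/setup-gradle` entries in the suggested-edits list have no corresponding `-`/`+` lines, so the finding would remain on those steps. Separately, the header `@@ -26,10 +26,9 @@` and every context line are byte-identical to the hunks for the other four branches; it is worth confirming this diff was generated against HEAD 14b45a54 rather than copied, since a one-line offset in this branch's copy of the file would make `git apply` reject it.
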
release/2.12.0 — unpinned-uses

File .github/workflows/codeql-analysis.yml; suggested edits:

  • ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
  • ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
  • ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       - name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
         with:
           distribution: 'zulu'
           java-version: 17
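
Review bot: for release/2.12.0 the diff again stops at `actions/checkout` and `actions/setup-java`, leaving `github/codeql-action/init`, `github/codeql-action/analyze` and `gradle/actions/setup-gradle` from the suggested-edits list unpinned; please add those `uses:` lines to the hunk or remove them from the list. Pinning to a SHA also freezes the action at that commit, so a follow-up that enables automated dependency updates for the github-actions ecosystem on this branch would keep the pins from going stale.
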
release/2.14.0 — unpinned-uses

File .github/workflows/codeql-analysis.yml; suggested edits:

  • ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
  • ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
  • ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
  • ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
-
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
       - name: Setup Java 17
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
         with:
           distribution: 'zulu'
           java-version: 17
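
Review bot: the release/2.14.0 hunk changes two `uses:` lines (`actions/checkout`, `actions/setup-java`) whereas the list above names five actions; `github/codeql-action/init`, `github/codeql-action/analyze` and `gradle/actions/setup-gradle` are not touched, so either the diff is incomplete or the list overstates the change. The removed blank line at old line 30 is the only non-security edit and matches the "whitespace is normalized" note, which is fine, but it does mean the hunk will not apply cleanly if that blank line is absent on this branch.
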

Happy to open pull requests instead if that's preferred.
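A small stdlib-only check for the unpinned-uses finding discussed in this issue, added here as an example (it is not zizmor's code nor the project's own): it flags every `uses:` reference that is not pinned to a 40-hex commit SHA, and pinned references that carry no version comment. The two workflow fragments are constructed from the hunk above (before and after the suggested patch).

```python
import re

# A `uses:` step line: optional list dash, the reference, optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$")
# A full-length git commit SHA is the only immutable form of a remote action reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text):
    """Return [(line_no, reference, reason)] for every remote action that is not SHA-pinned.

    Local actions (./path) and docker:// images are skipped: the unpinned-uses rule is
    about remote actions, which resolve a mutable tag or branch at run time.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref at all (resolves to the default branch)"))
            continue
        _action, rev = ref.rsplit("@", 1)
        if not SHA_RE.match(rev):
            findings.append((lineno, ref, "mutable tag or branch"))
        elif not comment:
            findings.append((lineno, ref, "pinned but no version comment"))
    return findings


# Constructed from the issue's hunk: the pre-patch state of the two steps.
BEFORE = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Setup Java 17
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: 17
"""

# Constructed from the issue's hunk: the same steps after the suggested pins.
AFTER = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - name: Setup Java 17
        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for lineno, ref, reason in find_unpinned_uses(text):
            print(f"{label}:{lineno}: {ref}: {reason}")
```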
