Summary
The default branch already hardened .github/workflows/codeql-analysis.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
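As an added illustration (not part of this issue or of zizmor), the check below reproduces the unpinned-uses logic over the constructed before/after steps shown in the patches: a `uses:` reference is accepted only when it ends in a 40-hex commit SHA, and a SHA pin without a trailing tag comment is also reported, since automated updaters rely on that comment.

```python
import re

# Only a 40-hex-digit commit SHA after "@" is an immutable pin; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches "uses: owner/repo[/path]@ref" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")


def find_unpinned_uses(workflow_text):
    """Return (line_no, ref, reason) for every remote `uses:` that is not an immutable SHA pin.

    Local (./) and docker:// references are skipped; the unpinned-uses finding
    concerns actions fetched from other GitHub repositories.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append((n, ref, "no ref at all: resolves to the action's default branch"))
            continue
        _action, version = ref.rsplit("@", 1)
        if SHA_RE.match(version):
            if not comment:
                findings.append((n, ref, "SHA pin without tag comment: updaters cannot track it"))
            continue
        findings.append((n, ref, f"mutable ref {version!r}: tag or branch can be moved"))
    return findings


# Constructed sample mirroring the before/after lines in the hunks on this issue.
BEFORE = """\
steps:
  - name: Checkout repository
    uses: actions/checkout@v4
  - name: Setup Java 17
    uses: actions/setup-java@v4
    with:
      distribution: 'zulu'
      java-version: 17
"""
AFTER = BEFORE.replace(
    "actions/checkout@v4", "actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4"
).replace(
    "actions/setup-java@v4", "actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4"
)

if __name__ == "__main__":
    for n, ref, reason in find_unpinned_uses(BEFORE):
        print(f"line {n}: {ref}: {reason}")
```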
Already resolved on the default branch in:
Affected release branches (5)
release/2.17.0 (still present as of HEAD 39f41f19)
release/2.13.0 (still present as of HEAD 8c603470)
release/2.16.0 (still present as of HEAD 14b45a54)
release/2.12.0 (still present as of HEAD 94f4ba44)
release/2.14.0 (still present as of HEAD 1f5ab6c7)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release/2.17.0 — unpinned-uses
File .github/workflows/codeql-analysis.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
steps:
- name: Checkout repository
- uses: actions/checkout@v4
-
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Java 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
with:
distribution: 'zulu'
java-version: 17
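Review bot: This hunk cannot be applied with `git apply` as pasted: the whitespace normalization stripped the YAML indentation, so the context lines `- name: Checkout repository` and `- name: Setup Java 17` are indistinguishable from removal lines, and the header `@@ -26,10 +26,9 @@` no longer agrees with the number of old and new lines shown. Either keep the leading space on context lines or state that the diff is illustrative and must be regenerated on the branch.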
release/2.13.0 — unpinned-uses
File .github/workflows/codeql-analysis.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
steps:
- name: Checkout repository
- uses: actions/checkout@v4
-
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Java 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
with:
distribution: 'zulu'
java-version: 17
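Review bot: The hunk is byte-identical to the release/2.17.0 one, including the `@@ -26,10 +26,9 @@` offsets, which suggests the patch was generated once rather than from this branch's HEAD `8c603470`; confirm that lines 26 onward of `.github/workflows/codeql-analysis.yml` on release/2.13.0 really match this context before applying, or regenerate the diff against that commit.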
release/2.16.0 — unpinned-uses
File .github/workflows/codeql-analysis.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
steps:
- name: Checkout repository
- uses: actions/checkout@v4
-
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Java 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
with:
distribution: 'zulu'
java-version: 17
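Review bot: The hunk pins only `actions/checkout` and `actions/setup-java`, but the suggested-edits list above also names `github/codeql-action/init`, `github/codeql-action/analyze` and `gradle/actions/setup-gradle`; the pins for those three steps are missing from the diff, so the unpinned-uses finding would still fire on them after this patch.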
release/2.12.0 — unpinned-uses
File .github/workflows/codeql-analysis.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
steps:
- name: Checkout repository
- uses: actions/checkout@v4
-
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Java 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
with:
distribution: 'zulu'
java-version: 17
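Review bot: The lone `-` line removes a blank line, a whitespace-only change that contradicts the statement that only security-relevant lines change; drop it so the patch is the minimal two-line pin it claims to be. The trailing `# v4` comments should also record the exact tag each SHA resolves to, since Dependabot and Renovate use that comment to keep SHA pins current.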
release/2.14.0 — unpinned-uses
File .github/workflows/codeql-analysis.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/analyze].uses : pin(github/codeql-action/analyze -> target_ref SHA)
- ~ jobs.$J.steps[uses=github/codeql-action/init].uses : pin(github/codeql-action/init -> target_ref SHA)
- ~ jobs.$J.steps[uses=gradle/actions/setup-gradle].uses : pin(gradle/actions/setup-gradle -> target_ref SHA)
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -26,10 +26,9 @@
steps:
- name: Checkout repository
- uses: actions/checkout@v4
-
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Java 17
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
with:
distribution: 'zulu'
java-version: 17
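Review bot: Before merging, verify that `34e114876b0b11c390a56381ad16ebd13914f8d5` and `c1e323688fd81a25caa38c78aa6df2d33d3e20d9` are commits in the upstream `actions/checkout` and `actions/setup-java` repositories and that each resolves to the `v4` tag named in the comment; a SHA pin is only as trustworthy as the check that it points where the comment says.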
Happy to open pull requests instead if that's preferred.