CharlieMCY opened a new issue, #8804: URL: https://github.com/apache/camel-quarkus/issues/8804
### Summary

The default branch already hardened `.github/workflows/generate-sbom-main.yml` against the issue(s) below, but **3** release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.

### What's flagged (by [zizmor](https://github.com/woodruffw/zizmor))

- `unpinned-uses` — actions referenced by mutable tag/branch instead of a pinned commit SHA

Already resolved on the default branch in:

- https://github.com/apache/camel-quarkus/commit/768e1f95fcaab51c0c3e142bf70da5fedd3f0871

### Affected release branches (3)

- **`3.14.x`** (still present as of HEAD `8bf63729`)
- **`3.13.x`** (still present as of HEAD `a89efdc4`)
- **`3.8.x`** (still present as of HEAD `0e0b0780`)

### Suggested per-branch patches

Each diff below was checked locally with **zizmor** and **actionlint**: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)

<details>
<summary><code>3.14.x</code> — unpinned-uses</summary>

File `.github/workflows/generate-sbom-main.yml`; suggested edits:

- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=peter-evans/create-pull-request].uses : pin(peter-evans/create-pull-request -> target_ref SHA)

```diff
--- a/.github/workflows/generate-sbom-main.yml +++ b/.github/workflows/generate-sbom-main.yml @@ -41,11 +41,11 @@ matrix: java: ['17'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false - name: Set up JDK ${{ matrix.java }} - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: 'temurin' java-version: ${{ matrix.java }}
@@ -53,7 +53,7 @@ - name: mvn build and sbom generation run: ./mvnw -V --no-transfer-progress -e -Psbom -Dquickly -DskipTests verify ${CQ_MAVEN_ARGS} - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 with: base: main token: ${{ secrets.GITHUB_TOKEN }}
```

</details>

<details>
<summary><code>3.13.x</code> — unpinned-uses</summary>

File `.github/workflows/generate-sbom-main.yml`; suggested edits:

- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=peter-evans/create-pull-request].uses : pin(peter-evans/create-pull-request -> target_ref SHA)

```diff
--- a/.github/workflows/generate-sbom-main.yml +++ b/.github/workflows/generate-sbom-main.yml @@ -41,11 +41,11 @@ matrix: java: ['17'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false - name: Set up JDK ${{ matrix.java }} - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: 'temurin' java-version: ${{ matrix.java }}
@@ -53,7 +53,7 @@ - name: mvn build and sbom generation run: ./mvnw -V --no-transfer-progress -e -Psbom -Dquickly -DskipTests verify ${CQ_MAVEN_ARGS} - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 with: base: main token: ${{ secrets.GITHUB_TOKEN }}
```

</details>

<details>
<summary><code>3.8.x</code> — unpinned-uses</summary>

File `.github/workflows/generate-sbom-main.yml`; suggested edits:

- ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
- ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
- ~ jobs.$J.steps[uses=peter-evans/create-pull-request].uses : pin(peter-evans/create-pull-request -> target_ref SHA)

```diff
--- a/.github/workflows/generate-sbom-main.yml +++ b/.github/workflows/generate-sbom-main.yml @@ -41,11 +41,11 @@ matrix: java: ['17'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: persist-credentials: false - name: Set up JDK ${{ matrix.java }} - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4 with: distribution: 'temurin' java-version: ${{ matrix.java }}
@@ -53,7 +53,7 @@ - name: mvn build and sbom generation run: ./mvnw -V --no-transfer-progress -e -Psbom -Dquickly -DskipTests verify ${CQ_MAVEN_ARGS} - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6 with: base: main token: ${{ secrets.GITHUB_TOKEN }}
```

</details>

---

*Happy to open pull requests instead if that's preferred.*

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
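Review bot: in the `@@ -41,11 +41,11 @@` hunk (identical in the 3.14.x, 3.13.x and 3.8.x patches) the pin comments record only the major tag, `# v4` on both `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5` and `actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9`, which does not say which release each SHA was taken from; since `v4` is a moving tag, the comment should carry the full release tag the SHA resolves to, so a reviewer can check the SHA against the upstream tag and automated updaters can track it. It is also worth confirming before merging that each SHA really resolves to a tag in the named upstream repository: the issue states the diffs were checked with zizmor and actionlint, but neither tool verifies that a 40-character SHA belongs to the action it is attached to, only that the reference is in pinned form.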
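Review bot: the `peter-evans/create-pull-request` pin in the `@@ -53,7 +53,7 @@` hunk is the one that matters most in this file, because the step runs with `token: ${{ secrets.GITHUB_TOKEN }}` and is a third-party action rather than a GitHub-owned one, so code reachable through a moved `v6` tag would have run with that token's permissions; as with the other two pins, the `# v6` comment should name the exact release tag that `c5a7806660adbe173f04e3e038b0ccdcd758773c` was resolved from. Separately, the unchanged context shows the step keeping `base: main` on all three release branches; the hunk does not touch it, so this is a question for the branch maintainers rather than a change to request here, but it is worth confirming that `main` is the intended base for SBOM pull requests generated from `3.14.x`, `3.13.x` and `3.8.x`.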
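As an added example (not part of the issue, and not the project's or zizmor's own code), the following Python checker reproduces the `unpinned-uses` rule over a workflow excerpt: it flags `uses:` references whose version part is a tag or branch rather than a 40-hex commit SHA, treats `docker://` images as pinned only when they carry a `@sha256:` digest, skips local `./` actions, and additionally warns when a pinned SHA has no trailing `# <tag>` comment recording the release it came from. The workflow text is constructed for this example, modelled on the steps in the diffs above; the three SHAs in the pinned sample are the ones the issue proposes and are not verified against upstream here.

```python
"""Minimal offline checker for mutable-ref `uses:` lines in GitHub Actions workflows.

Added example: reproduces the intent of zizmor's `unpinned-uses` rule with a
line-oriented scan, so it needs no YAML library. It is not the project's code.
"""
import re

# A pinned action reference is owner/repo[/path]@<40 lowercase hex chars>.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A pinned container reference is docker://image@sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# `- uses: ref # comment` or `uses: ref`, with optional quoting of the ref.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#\s*(.*))?$")

# Constructed sample: the 'before' state, plus a local action and an untagged image.
UNPINNED = """\
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up JDK
        uses: actions/setup-java@v4
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

# Constructed sample: the 'after' state using the SHAs proposed in the issue.
PINNED = """\
jobs:
  sbom:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
      - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6
"""

# Constructed sample: pinned, but the human-readable tag comment was dropped.
NO_COMMENT = "      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5\n"


def classify_ref(ref: str) -> str:
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"  # path inside the repository: versioned by the checkout itself
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        _, _, digest = image.partition("@")
        return "pinned" if DIGEST_RE.match(digest) else "unpinned"
    _, _, version = ref.partition("@")
    return "pinned" if SHA_RE.match(version) else "unpinned"


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Scan workflow text; return (line number, ref, message) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(3)
        kind = classify_ref(ref)
        if kind == "unpinned":
            findings.append((lineno, ref, "unpinned-uses: mutable tag/branch, pin to a commit SHA"))
        elif kind == "pinned" and not comment:
            findings.append((lineno, ref, "pinned SHA has no '# <tag>' comment recording its release"))
    return findings


if __name__ == "__main__":
    for label, text in (("unpinned", UNPINNED), ("pinned", PINNED), ("no-comment", NO_COMMENT)):
        results = audit_workflow(text)
        print(f"[{label}] {len(results)} finding(s)")
        for lineno, ref, msg in results:
            print(f"  line {lineno}: {ref}: {msg}")
```

Running it reports four findings for the unpinned sample (the three `@v4`/`@v6` actions and the digest-less `docker://` image), none for the pinned sample, and one comment-missing warning for the last sample. The check is deliberately syntactic: like the linters named in the issue, it cannot tell whether a well-formed SHA actually exists in the named repository, so resolving each SHA against the upstream tag remains a manual step before merging.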
