opentelemetry-collector
[ci] fix zizmor-reported gh workflow vulnerabilities
Description
Addressing all GH workflow vulnerabilities reported by zizmor.
Zizmor scan output
zizmor .github/workflows/ ⌥ fix/workflow-vulnerabilities
INFO zizmor: skipping impostor-commit: can't run without a GitHub API token
INFO zizmor: skipping ref-confusion: can't run without a GitHub API token
INFO zizmor: skipping known-vulnerable-actions: can't run without a GitHub API token
INFO zizmor: skipping forbidden-uses: audit not configured
INFO audit: zizmor: 🌈 completed .github/workflows/add-labels-and-owners.yml
INFO audit: zizmor: 🌈 completed .github/workflows/add-labels-command.yml
INFO audit: zizmor: 🌈 completed .github/workflows/api-compatibility.yml
INFO audit: zizmor: 🌈 completed .github/workflows/build-and-test-arm.yml
INFO audit: zizmor: 🌈 completed .github/workflows/build-and-test-windows.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/build-and-test.yml
INFO audit: zizmor: 🌈 completed .github/workflows/builder-integration-test.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/builder-snapshot.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/changelog.yml
INFO audit: zizmor: 🌈 completed .github/workflows/check-links.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/check-merge-freeze.yml
INFO audit: zizmor: 🌈 completed .github/workflows/codeql-analysis.yml
INFO audit: zizmor: 🌈 completed .github/workflows/contrib-tests.yml
INFO audit: zizmor: 🌈 completed .github/workflows/fossa.yml
INFO audit: zizmor: 🌈 completed .github/workflows/generate-semantic-conventions-pr.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/lint-workflow-files.yml
INFO audit: zizmor: 🌈 completed .github/workflows/milestone-add-to-pr.yml
INFO audit: zizmor: 🌈 completed .github/workflows/perf.yml
INFO audit: zizmor: 🌈 completed .github/workflows/ping-codeowners-issues.yml
INFO audit: zizmor: 🌈 completed .github/workflows/ping-codeowners-on-new-issue.yml
INFO audit: zizmor: 🌈 completed .github/workflows/ping-codeowners-prs.yml
INFO audit: zizmor: 🌈 completed .github/workflows/prepare-release.yml
INFO audit: zizmor: 🌈 completed .github/workflows/scorecard.yml
INFO audit: zizmor: 🌈 completed .github/workflows/shellcheck.yml
INFO audit: zizmor: 🌈 completed .github/workflows/sourcecode-release.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/spell-check.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/stale-pr.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/tidy-dependencies.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/add-labels-and-owners.yml:17:9
|
17 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/add-labels-and-owners.yml:2:1
|
2 | / on:
3 | | pull_request_target:
4 | | types:
5 | | - opened
6 | | - synchronize
| |___________________^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/add-labels-command.yml:16:9
|
16 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/api-compatibility.yml:22:9
|
22 | - name: Checkout-Main
| -
23 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
24 | | with:
25 | | ref: ${{ github.base_ref }}
26 | | path: ${{ github.base_ref }}
| |_____________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/api-compatibility.yml:28:9
|
28 | - name: Checkout-HEAD
| -
29 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
30 | | with:
31 | | path: ${{ github.head_ref }}
| |_____________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test-arm.yml:31:9
|
31 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/build-and-test-arm.yml:16:1
|
16 | permissions: read-all
| --------------------- uses read-all permissions
|
= note: audit confidence → High
info[template-injection]: code injection via template expansion
--> .github/workflows/build-and-test-arm.yml:58:9
|
58 | - name: Print result
| ------------------ info: this step
59 | run: echo ${{ needs.arm-unittest-matrix.result }}
| ------------------------------------------------- info: needs.arm-unittest-matrix.result may expand into attacker-controllable code
|
= note: audit confidence → Low
info[template-injection]: code injection via template expansion
--> .github/workflows/build-and-test-arm.yml:60:9
|
60 | - name: Interpret result
| ---------------------- info: this step
61 | / run: |
62 | | if [[ success == ${{ needs.arm-unittest-matrix.result }} ]]
... |
67 | | false
68 | | fi
| |_____________- info: needs.arm-unittest-matrix.result may expand into attacker-controllable code
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test-arm.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 | env:
...
38 | timeout-minutes: 5
39 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test-windows.yaml:25:9
|
25 | - name: Checkout Repo
| -
26 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test-windows.yaml:54:9
|
54 | - name: Checkout Repo
| -
55 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/build-and-test-windows.yaml:15:1
|
15 | permissions: read-all
| --------------------- uses read-all permissions
|
= note: audit confidence → High
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test-windows.yaml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
32 | - name: Cache Go
33 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test-windows.yaml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
61 | - name: Cache Go
62 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test.yml:21:9
|
21 | - name: Checkout Repo
| -
22 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test.yml:44:9
|
44 | - name: Checkout Repo
| -
45 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test.yml:68:9
|
68 | - name: Checkout Repo
| -
69 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test.yml:93:9
|
93 | - name: Checkout Repo
| -
94 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test.yml:151:9
|
151 | - name: Checkout Repo
| -
152 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test.yml:200:9
|
200 | - name: Checkout Repo
| -
201 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/build-and-test.yml:264:9
|
264 | - name: Checkout Repo
| -
265 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/build-and-test.yml:11:1
|
11 | permissions: read-all
| --------------------- uses read-all permissions
|
= note: audit confidence → High
info[template-injection]: code injection via template expansion
--> .github/workflows/build-and-test.yml:184:9
|
184 | - name: Print result
| ------------------ info: this step
185 | run: echo ${{ needs.unittest-matrix.result }}
| --------------------------------------------- info: needs.unittest-matrix.result may expand into attacker-controllable code
|
= note: audit confidence → Low
info[template-injection]: code injection via template expansion
--> .github/workflows/build-and-test.yml:186:9
|
186 | - name: Interpret result
| ---------------------- info: this step
187 | / run: |
188 | | if [[ success == ${{ needs.unittest-matrix.result }} ]]
... |
193 | | false
194 | | fi
| |____________- info: needs.unittest-matrix.result may expand into attacker-controllable code
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
29 | id: go-cache
30 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
52 | id: go-cache
53 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
76 | id: go-cache
77 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
101 | id: go-cache
102 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
159 | id: go-cache
160 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
166 | - name: Cache Build
167 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
208 | id: go-cache
209 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
215 | - name: Cache Build
216 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/build-and-test.yml:2:1
|
2 | / on:
3 | | push:
... |
8 | | types: [checks_requested]
9 | | pull_request:
| |_______________^ generally used when publishing artifacts generated at runtime
10 |
...
272 | id: go-cache
273 | uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/builder-integration-test.yaml:33:9
|
33 | - name: Checkout Repo
| -
34 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/builder-snapshot.yaml:21:9
|
21 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| -
22 | | with:
23 | | path: .core
| |____________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/builder-snapshot.yaml:25:9
|
25 | - name: Pull the latest releases repo
| -
26 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
27 | | with:
28 | | path: opentelemetry-collector-releases
29 | | repository: open-telemetry/opentelemetry-collector-releases
| |____________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/builder-snapshot.yaml:17:3
|
17 | / snapshot:
18 | | runs-on: ubuntu-24.04
... |
82 | | env:
83 | | GH_TOKEN: ${{ github.token }}
| | -
| |________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
--> .github/workflows/builder-snapshot.yaml:50:9
|
45 | uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
46 | with:
...
49 | - name: Check GoReleaser
50 | uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ runtime artifacts usually published here
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/changelog.yml:29:9
|
29 | - name: Checkout Repo
| -
30 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
31 | | with:
32 | | fetch-depth: 0
| |_______________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/check-links.yaml:24:9
|
24 | - name: Checkout Repo
| -
25 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
26 | | with:
27 | | fetch-depth: 0
| |_______________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/check-links.yaml:43:9
|
43 | - name: Checkout Repo
| -
44 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
45 | | with:
46 | | fetch-depth: 0
| |_______________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/check-links.yaml:13:1
|
13 | permissions: read-all
| --------------------- uses read-all permissions
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/check-merge-freeze.yml:30:9
|
30 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| -
31 | | with:
32 | | sparse-checkout: .github/workflows/scripts
| |___________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/codeql-analysis.yml:22:9
|
22 | - name: Checkout repository
| -
23 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/contrib-tests.yml:24:9
|
24 | - name: Checkout Repo
| -
25 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/contrib-tests.yml:59:9
|
59 | - name: Checkout Repo
| -
60 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/contrib-tests.yml:17:1
|
17 | permissions: read-all
| --------------------- uses read-all permissions
|
= note: audit confidence → High
info[template-injection]: code injection via template expansion
--> .github/workflows/contrib-tests.yml:81:9
|
81 | - name: Print result
| ------------------ info: this step
82 | run: echo ${{ needs.contrib-tests-matrix.result }}
| -------------------------------------------------- info: needs.contrib-tests-matrix.result may expand into attacker-controllable code
|
= note: audit confidence → Low
info[template-injection]: code injection via template expansion
--> .github/workflows/contrib-tests.yml:83:9
|
83 | - name: Interpret result
| ---------------------- info: this step
84 | / run: |
85 | | if [[ success == ${{ needs.contrib-tests-matrix.result }} ]]
... |
90 | | false
91 | | fi
| |_____________- info: needs.contrib-tests-matrix.result may expand into attacker-controllable code
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/fossa.yml:15:9
|
15 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/generate-semantic-conventions-pr.yaml:19:9
|
19 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/generate-semantic-conventions-pr.yaml:60:9
|
60 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/generate-semantic-conventions-pr.yaml:61:9
|
61 | - name: Checkout semantic-convention
| -
62 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
... |
65 | | path: tmp-semantic-conventions
66 | | fetch-depth: 0
| |_______________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/generate-semantic-conventions-pr.yaml:9:1
|
9 | permissions: read-all
| --------------------- uses read-all permissions
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/lint-workflow-files.yml:14:9
|
14 | - name: Checkout code
| -
15 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| |_______________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/lint-workflow-files.yml:10:3
|
10 | / lint:
11 | | runs-on: ubuntu-latest
... |
38 | | if: success()
39 | | run: echo "✅ All linting checks passed."
| | -
| |__________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/milestone-add-to-pr.yml:5:1
|
5 | / on:
6 | | pull_request_target:
7 | | types:
8 | | - closed
| |______________^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/perf.yml:13:9
|
13 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/ping-codeowners-issues.yml:15:9
|
15 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/ping-codeowners-on-new-issue.yml:15:9
|
15 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/ping-codeowners-prs.yml:15:9
|
15 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/ping-codeowners-prs.yml:2:1
|
2 | / on:
3 | | pull_request_target:
4 | | types: [labeled]
| |____________________^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/prepare-release.yml:68:9
|
68 | ... - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| -
69 | | ... with:
70 | | ... fetch-depth: 0
71 | | ... # Make sure that there are no open issues with release:blocker label in Core. The release has to be delayed until they are resolved.
| |_________________________________________________________________________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/prepare-release.yml:103:9
|
103 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| -
104 | | with:
... |
107 | | # for all of the steps under the "Performed by collector release manager" heading. Once the issue is created, you can
108 | | # create the individual ones by hovering them and clicking the "Convert to issue" button on the right hand side.
| |_____________________________________________________________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/prepare-release.yml:127:9
|
127 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| -
128 | | with:
129 | | fetch-depth: 0
| |_______________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/prepare-release.yml:22:1
|
22 | permissions: read-all
| --------------------- uses read-all permissions
|
= note: audit confidence → High
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.candidate-beta may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.candidate-beta may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.current-beta may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.candidate-stable may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.candidate-stable may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.current-stable may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.candidate-beta may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/prepare-release.yml:29:9
|
29 | - name: Validate version format
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
30 | shell: bash
31 | / run: |
32 | | validate_beta_version() {
... |
60 | | exit 1
61 | | fi
| |____________^ inputs.candidate-stable may expand into attacker-controllable code
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/shellcheck.yml:17:9
|
17 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/sourcecode-release.yaml:12:9
|
12 | - name: Checkout Repo
| -
13 | | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
... |
16 | |
17 | | # Extract title from latest version title in CHANGELOG.md
| |________________________________________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/sourcecode-release.yaml:9:3
|
9 | / goreleaser:
10 | | runs-on: ubuntu-latest
... |
66 | | }
67 | | }
| | -
| |______________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
error[template-injection]: code injection via template expansion
--> .github/workflows/sourcecode-release.yaml:23:9
|
23 | - name: Prepare release notes
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
24 | / run: |
25 | | touch release-notes.md
... |
36 | | awk '//,//' CHANGELOG-API.md > tmp-chlog-api.md # select changelog of latest...
37 | | sed '1,3d' tmp-chlog-api.md >> release-notes.md # delete first 3 lines of file
| |________________________________________________________________________________________^ github.ref_name may expand into attacker-controllable code
|
= note: audit confidence → High
error[template-injection]: code injection via template expansion
--> .github/workflows/sourcecode-release.yaml:39:9
|
39 | - name: Create Github Release
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
40 | / run: |
41 | | gh release create ${{ github.ref_name }} -t ${{ steps.release-title.outputs.title }} -F release-notes.md
| |__________________________________________________________________________________________________________________^ github.ref_name may expand into attacker-controllable code
|
= note: audit confidence → High
info[template-injection]: code injection via template expansion
--> .github/workflows/sourcecode-release.yaml:39:9
|
39 | - name: Create Github Release
| --------------------------- info: this step
40 | / run: |
41 | | gh release create ${{ github.ref_name }} -t ${{ steps.release-title.outputs.title }} -F release-notes.md
| |__________________________________________________________________________________________________________________- info: steps.release-title.outputs.title may expand into attacker-controllable code
|
= note: audit confidence → Low
error[template-injection]: code injection via template expansion
--> .github/workflows/sourcecode-release.yaml:44:9
|
44 | - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
| __________^
45 | | with:
46 | | script: |
| | ^
47 | || const milestones = await github.rest.issues.listMilestones({
... ||
66 | || }
67 | || }
| || ^
| ||___|
| |______________this step
| github.ref_name may expand into attacker-controllable code
|
= note: audit confidence → High
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/spell-check.yaml:10:9
|
10 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| ------------------------------------------------------------------------ does not set persist-credentials: false
|
= note: audit confidence → Low
warning[excessive-permissions]: overly broad permissions
--> .github/workflows/spell-check.yaml:6:3
|
6 | / spell-check:
7 | | runs-on: ubuntu-latest
... |
16 | | **/*.{md,yaml,yml}
17 | | config: '.github/workflows/utils/cspell.json'
| | -
| |________________________________________________________|
| this job
| default permissions used due to no permissions: block
|
= note: audit confidence → Medium
warning[artipacked]: credential persistence through GitHub Actions artifacts
--> .github/workflows/tidy-dependencies.yml:18:9
|
18 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| -
19 | | with:
20 | | ref: ${{ github.head_ref }}
| |____________________________- does not set persist-credentials: false
|
= note: audit confidence → Low
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/tidy-dependencies.yml:2:1
|
2 | / on:
3 | | pull_request_target:
4 | | types: [opened, ready_for_review, synchronize, reopened, labeled, unlabeled]
5 | | branches:
6 | | - main
| |____________^ pull_request_target is almost always used insecurely
|
= note: audit confidence → Medium
error[bot-conditions]: spoofable bot actor check
--> .github/workflows/tidy-dependencies.yml:16:5
|
16 | if: ${{ !contains(github.event.pull_request.labels.*.name, 'dependency-major-update') && (github.actor == 'renovate[bot]' || contains(github.event.pull_request.labels.*.name, 'renovatebot')) }}
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
|
= note: audit confidence → Medium
107 findings (20 suppressed): 0 unknown, 7 informational, 0 low, 51 medium, 29 high