[release-1.0] Github action fixes#729
Merged
mandre merged 9 commits into k-orc:release-1.0 from Mar 31, 2026
Pin all GitHub Actions references to specific commit SHAs to prevent supply chain attacks via tag mutation. This ensures workflows always use the exact verified version of each action.

Actions pinned:
- actions/checkout v6 -> v6.0.2 (de0fac2)
- actions/setup-go v6.2.0 -> v6.4.0 (4a36011)
- actions/upload-artifact v6 -> v7 (bbbca2d)
- actions/labeler v6 (634933e)
- helm/kind-action (ef37e7f)
- joelanford/go-apidiff (tag comment added)
Prevent the GITHUB_TOKEN from being persisted in the local git config after checkout. This reduces the risk of token exposure in subsequent steps that may execute untrusted code.
Set workflow-level permissions to empty ({}) for check-pr-labels and
label-pr workflows, and grant only the minimum required permissions
at the job level. This follows the principle of least privilege and
reduces the blast radius if a workflow is compromised.
Replace direct use of ${{ github.base_ref }} in a run: block with an
environment variable. Attacker-controlled GitHub context values used
directly in shell scripts can lead to script injection attacks.
…curity issue

The previous label-pr workflow used pull_request_target to check out and execute code from the PR head with elevated privileges. This is a security risk as pull_request_target has write access to the base repo.

Split into two workflows:
- semver.yaml: runs the actual analysis under the safe pull_request trigger with read-only permissions
- label-pr.yaml: consumes the results via workflow_run trigger to apply labels with write permissions, without ever checking out or executing untrusted code
This workflow has no permissions, checks out no code, and accesses no secrets. It only reads the event payload to check for the hold label. pull_request is sufficient and avoids the security concerns of pull_request_target.
Add inline suppression comments for zizmor (GitHub Actions security scanner) findings that are intentional:
- label-pr.yaml: pull_request_target and workflow_run triggers are safe because the jobs never check out or execute untrusted code
- container_image.yaml, release_image.yaml: secrets used in docker login command line are acceptable here
- Update devstack-action URL from EmilienM to gophercloud (new home)
- Deploy ORC with LOGLEVEL=5 for better debugging on CI failures
Disable the default caching behavior of actions/setup-go in workflows that use both pull_request and push triggers. This prevents a potential cache poisoning attack where a malicious PR could inject a compromised cache that is then used by trusted push runs on protected branches.
Backport relevant changes from #719 and #721 to release-1.0 branch.
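As an added example (not code from this PR or the k-orc project), a small Python checker that flags the workflow patterns these commits remove: action refs not pinned to a full commit SHA, checkout steps that keep GITHUB_TOKEN in the local git config, `github.*` context values expanded inside a `run:` script, and a `pull_request_target` workflow that checks out code. The regexes, function names and the sample workflow are constructed for illustration; it covers only a few of the checks zizmor performs.

```python
"""Added example, not the project's code: a small text checker for the hardening
points this PR applies (unpinned action refs, checkout keeping GITHUB_TOKEN,
github.* expanded inside run:, and pull_request_target workflows that check out)."""
import re
from itertools import takewhile

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^(\s*)(-\s+)?uses:\s*([^@\s]+)@(\S+)")
RUN = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
CTX = re.compile(r"\$\{\{\s*github\.")
PR_TARGET = re.compile(r"^(on:.*\bpull_request_target\b|\s*pull_request_target\s*:)", re.M)

def _indented(lines, start, col):
    """Lines after `start` that are blank or indented at least `col` columns."""
    return list(takewhile(lambda s: not s.strip() or len(s) - len(s.lstrip()) >= col, lines[start + 1:]))

def check_workflow(text):
    """Return human-readable findings for one workflow file given as text."""
    findings, lines, checks_out = [], text.splitlines(), False
    for i, line in enumerate(lines, 1):
        if m := USES.match(line):
            indent, dash, action, ref = m.groups()
            key_col = len(indent) + len(dash or "")  # column where this step's keys sit
            if not SHA40.match(ref):
                findings.append(f"line {i}: {action}@{ref} is not pinned to a full commit SHA")
            if action.startswith("actions/checkout"):
                checks_out = True
                if not re.search(r"persist-credentials:\s*false", "\n".join(_indented(lines, i - 1, key_col))):
                    findings.append(f"line {i}: checkout persists GITHUB_TOKEN (set persist-credentials: false)")
        elif m := RUN.match(line):
            indent, dash, rest = m.groups()
            key_col = len(indent) + len(dash or "")  # block-scalar lines sit deeper than the key
            body = rest + "\n" + "\n".join(_indented(lines, i - 1, key_col + 1))
            if CTX.search(body):
                findings.append(f"line {i}: run: expands github.* directly; pass it through env instead")
    if checks_out and PR_TARGET.search(text):
        findings.append("pull_request_target with a checkout step: PR code can run with write access")
    return findings

# Constructed 'before' workflow showing the patterns the PR removes.
BEFORE = """on:
  pull_request_target:
jobs:
  label:
    steps:
      - uses: actions/checkout@v6
      - run: |
          git diff origin/${{ github.base_ref }}...HEAD
"""
```

Running `check_workflow(BEFORE)` yields four findings; the same function returns an empty list for a workflow that pins full SHAs, sets `persist-credentials: false`, passes `github.base_ref` through `env`, and triggers on `pull_request`.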