Skip to content

ci: harden GitHub Actions workflows#13896

Open
glours wants to merge 2 commits into
docker:mainfrom
glours:ci/harden-workflows
Open

ci: harden GitHub Actions workflows#13896
glours wants to merge 2 commits into
docker:mainfrom
glours:ci/harden-workflows

Conversation

@glours

@glours glours commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

What I did
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the vulnerable range of CVE-2025-24362 and the v2 line has no patched release, so bump to v3.36.3. Enable Dependabot for github-actions to keep action pins from going stale. Scope the release job to tag refs so its contents:write token is only minted when a release is actually created. In merge.yml, drop a dead conditional (workflow only triggers on push) and pass DOCKERDESKTOP_REPO to github-script via env rather than inline interpolation, as recommended against script injection.

Related issue
N/A

(not mandatory) A picture of a cute animal, if possible in relation to what you did
image

Copilot AI review requested due to automatic review settings July 3, 2026 13:17
@glours glours requested a review from a team as a code owner July 3, 2026 13:17
@glours glours requested a review from ndeloof July 3, 2026 13:17
@glours glours self-assigned this Jul 3, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s GitHub Actions security posture by updating an affected SARIF upload action to a patched major version, reducing token exposure in the release workflow, and enabling automated updates for action pins.

Changes:

  • Bump github/codeql-action/upload-sarif from v2 to v3.36.3 in the Scorecards workflow (avoids the vulnerable v2 line).
  • Tighten the CI release job so contents:write permissions are only granted when running on v* tag refs.
  • Add Dependabot updates for the github-actions ecosystem and make a small hardening tweak in merge.yml (remove dead conditional; avoid inline secret interpolation in github-script).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
.github/workflows/scorecards.yml Updates SARIF upload action to the v3 line to avoid the vulnerable v2 range.
.github/workflows/merge.yml Simplifies a dead push conditional and passes DOCKERDESKTOP_REPO via environment to reduce script-injection surface.
.github/workflows/ci.yml Moves the tag ref guard to the release job level so elevated permissions are only minted when needed.
.github/dependabot.yml Enables weekly Dependabot updates for GitHub Actions pins.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR makes four focused hardening improvements to the GitHub Actions workflows and Dependabot configuration:

  1. CVE fix: codeql-action/upload-sarif bumped from v2 (CVE-2025-24362 vulnerable, no patched v2 release) to v3.36.3 ✅
  2. Dependabot for Actions: New github-actions ecosystem entry added to prevent action pins from going stale ✅
  3. Token scoping: contents:write token for the release job now only minted on tag refs (job-level if: guard) — previous step-level guard left the job running (and the token minted) on every push ✅
  4. Script injection hardening (merge.yml): DOCKERDESKTOP_REPO passed via env: rather than inline ${{ }} interpolation in the github-script body ✅

No high or medium severity issues found. Two minor observations (not blocking):

  • The removed step-level if: startsWith(github.ref, 'refs/tags/v') from the ncipollo/release-action step is a clean refactor — identical behavior for tag refs, improved scoping for non-tag pushes. Confirm no other steps in the release job are expected to run outside tag refs.
  • push: true hardcoded in merge.yml (line 42) removes a prior ${{ github.event_name != 'pull_request' }} guard. The comment documents the assumption correctly; just worth noting that if a workflow_dispatch or pull_request trigger is ever added, this guard would need revisiting.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

The CI hardening changes look correct and well-structured. All four targeted improvements are implemented properly:

  1. CVE-2025-24362 fixcodeql-action/upload-sarif correctly bumped from v2 to v3.36.3
  2. Dependabot for github-actions — correctly configured to keep action pins fresh
  3. contents:write token scoping — release job if: condition correctly moved to job level so the token is only minted on tag pushes
  4. Script injection preventionDOCKERDESKTOP_REPO secret correctly moved from inline ${{ secrets.* }} expression to an env var, referenced via process.env.* in the script

No bugs or security issues introduced.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR correctly hardens the GitHub Actions workflows:

  • dependabot.yml: Valid github-actions ecosystem entry with weekly schedule — keeps action pins from going stale.
  • ci.yml: Moving if: startsWith(github.ref, 'refs/tags/v') from the step to the job level is correct and more efficient — the entire release job (including build steps) is now skipped on non-tag pushes rather than wastefully running until the final step.
  • merge.yml: push: true is logically equivalent to the previous ${{ github.event_name != 'pull_request' }} given the workflow's on: push triggers, and is well-documented with a comment. Moving DOCKERDESKTOP_REPO from inline interpolation to an env var is a correct script-injection mitigation.
  • scorecards.yml: Bump to codeql-action/upload-sarif@v3.36.3 (pinned SHA) addresses CVE-2025-24362 correctly.

No bugs introduced. All changes are well-reasoned security and CI hygiene improvements.

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟡 NEEDS ATTENTION

This PR correctly addresses CVE-2025-24362 (bumping codeql-action/upload-sarif from v2 to v3.36.3), fixes the script-injection risk in merge.yml by passing the secret via env, scopes the contents:write token to tag refs only, and adds Dependabot for github-actions. One behavioral change warrants a confirmation from the author.

Comment thread .github/workflows/ci.yml
files: ./coverage.txt

release:
if: startsWith(github.ref, 'refs/tags/v')

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] Moving job-level if skips artifact verification steps on non-tag pushes

Previously the if: startsWith(github.ref, 'refs/tags/v') guard was only on the final ncipollo/release-action step. That meant on every push to main (non-tag), the job still ran:

  1. actions/download-artifact — fetches the release artifact
  2. tree -nh ./bin/release — lists artifacts
  3. find bin/release -type f -exec file … — checks binary types

…but skipped only the actual GitHub Release creation. These steps acted as a post-build artifact sanity check for every push.

After this PR, the entire release job is skipped on non-tag pushes, so those sanity checks no longer run on main branch pushes. If this is intentional (just avoiding unnecessary work), the PR description doesn't mention it and it's worth a comment to confirm. If the artifact verification was considered useful, consider keeping those steps outside the tag guard:

  release:
    runs-on: ubuntu-latest
    needs:
      - build
    steps:
      - name: Artifacts
        uses: actions/download-artifact@...
      - name: List artifacts
        run: tree -nh ./bin/release
      - name: Check artifacts
        run: find bin/release -type f -exec file -e ascii -- {} +
      - name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: ncipollo/release-action@...

@codecov

codecov Bot commented Jul 3, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Comment thread .github/workflows/ci.yml Outdated
@glours glours force-pushed the ci/harden-workflows branch from c31988c to 7816384 Compare July 6, 2026 12:36
@glours glours requested a review from docker-agent July 6, 2026 12:43

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟡 NEEDS ATTENTION

This PR makes meaningful CI security improvements — bumping the vulnerable v2 to v3, enabling Dependabot for GitHub Actions, scoping the release job's contents:write token to tag refs only, and eliminating a script-injection vector in merge.yml by moving DOCKERDESKTOP_REPO to env. One medium finding in the new release guard is worth addressing before merging.

Comment thread .github/workflows/ci.yml Outdated
Comment thread .github/workflows/ci.yml Outdated
@glours glours requested a review from docker-agent July 6, 2026 13:00

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR correctly hardens the GitHub Actions workflows. All changes are well-implemented and introduce no bugs:

  • CVE-2025-24362 fix: Bumping codeql-action/upload-sarif from the vulnerable v2 pin to v3.36.3 is correct.
  • Release job scoping: Moving if: startsWith(github.ref, 'refs/tags/v') to the job level (was a step-level condition) is a clean improvement — the contents:write token is now only minted for tag pushes.
  • Release guard correctness: The GET /releases/tags/{tag} curl check returning 404 for drafts is intentional and accurate. The softprops/action-gh-release action deduplicates drafts via its own listReleases pagination (scanning by tag_name across all releases including drafts), so the comment "drafts are still deduplicated by the action" is correct.
  • merge.yml push: true: Hardcoding is safe — the workflow has no workflow_dispatch trigger and only fires on push events (branches: main, tags: v*).
  • Dependabot config: github-actions is a valid ecosystem, directory: / is correct for Actions workflows, and interval: weekly is appropriate.
  • generate_release_notes: true: Correct input name for softprops/action-gh-release (ncipollo used generateReleaseNotes; softprops uses snake_case).
  • tree/find diagnostic steps: tree is pre-installed on GitHub-hosted ubuntu-latest runners.

@glours glours force-pushed the ci/harden-workflows branch from 7816384 to d86417e Compare July 6, 2026 13:23
Comment thread .github/workflows/ci.yml
Comment on lines -323 to -330
-
name: List artifacts
run: |
tree -nh ./bin/release
-
name: Check artifacts
run: |
find bin/release -type f -exec file -e ascii -- {} +

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a feeling this would still be needed if the things listed here were those coming from "Download artifacts" ?

It described the change as;

Move the artifact listing/type checks into binary-finalize where
./bin/release is assembled, so they run again on every push and PR
(lost when the tag guard moved to job level).

But looking at the steps, I think those steps being here was with the intent to verify / debug what's downloaded (and to be uploaded as release binaries)?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, the intent of those steps was to inspect what the release job actually downloaded (i.e. what gets attached to the release), which the move lost. Restored them after "Download artifacts", and kept the copies in binary-finalize so the assembled artifact is also visible on every push/PR: each copy inspects a different state of the same artifact (before upload vs. after download).

@glours glours force-pushed the ci/harden-workflows branch from d86417e to e366984 Compare July 6, 2026 14:09
crazy-max
crazy-max previously approved these changes Jul 6, 2026
@crazy-max

Copy link
Copy Markdown
Member

Maybe it would be worth adding zizmor to this repo similar to https://github.com/docker/buildx/blob/master/.github/workflows/zizmor.yml

@glours

glours commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

@crazy-max Let's do it

Comment thread .github/dependabot.yml Fixed
@glours glours requested a review from crazy-max July 6, 2026 14:25

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR makes several correct and meaningful security hardening improvements to the GitHub Actions workflows:

  • CVE-2025-24362 fix: Bumps codeql-action/upload-sarif from the vulnerable v2 (v2.28.1) to v3.36.3 ✅
  • Token scoping: The release job is now gated at the job level (if: startsWith(github.ref, 'refs/tags/v')), so the contents: write token is only minted when an actual release tag is pushed — this is a clear security improvement ✅
  • Script injection fix: DOCKERDESKTOP_REPO in merge.yml is now passed via env rather than inline ${{ }} interpolation in the script body, eliminating a potential injection vector ✅
  • Dead conditional removed: The github.event_name != 'pull_request' guard in merge.yml was unreachable (workflow only triggers on push) and has been correctly removed ✅
  • Dependabot for github-actions: Enables automated updates for action pins with a weekly schedule and sensible grouping — keeps the supply chain healthy going forward ✅

No bugs or regressions were found in the introduced changes. The migration from ncipollo/release-action to softprops/action-gh-release (pinned to commit SHA 718ea10b) is correct and uses sensible defaults including overwrite_files: false.

@glours glours force-pushed the ci/harden-workflows branch from 98eb7be to affdaf1 Compare July 6, 2026 14:33
@crazy-max crazy-max mentioned this pull request Jul 6, 2026
glours added 2 commits July 6, 2026 17:14
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the
vulnerable range of CVE-2025-24362 and the v2 line has no patched
release, so bump to v3.36.3. Scope the release job to tag refs so its
contents:write token is only minted when a release is actually
created. In merge.yml, drop a dead conditional (workflow only triggers
on push) and pass DOCKERDESKTOP_REPO to github-script via env rather
than inline interpolation, as recommended against script injection.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
- Replace ncipollo/release-action with softprops/action-gh-release
  (v3.0.1, SHA-pinned), the action used across Docker repositories;
  input mapping is one-to-one.
- Duplicate the artifact listing/type checks into binary-finalize:
  one copy inspects the artifact as assembled, on every push/PR (lost
  when the tag guard moved to job level); the release-job copy still
  inspects what was downloaded and gets attached to the release.
- Set overwrite_files: false so a job re-run never replaces assets
  already uploaded to an existing release: unlike ncipollo, softprops
  updates an existing release instead of failing. A re-run may still
  refresh the release name/notes.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
@glours glours force-pushed the ci/harden-workflows branch from affdaf1 to ad5f6a8 Compare July 6, 2026 15:16
@glours glours requested a review from docker-agent July 6, 2026 15:16

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

The hardening changes are correct and well-targeted: hoisting the release job's tag-guard to the job level (so the contents:write token is only minted on tag pushes), bumping codeql-action/upload-sarif from the vulnerable v2 line to v3.36.3 (CVE-2025-24362), simplifying the always-true push condition in merge.yml, and adding a new softprops/action-gh-release step pinned to a commit SHA. No bugs were found in the changed code.

@thaJeztah thaJeztah left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants