fix: replace the version by hash value and add permissions #3223
Summary
This PR fixes the `token permissions` and `unpinned dependency` findings according to the OpenSSF Scorecard. The versions `v1` to `v3` of the action `upload-artifact` are deprecated, which I have replaced in this PR. Scorecard also reports many vulnerabilities such as `GHSA-67hx-6x53-jw92`. Is this project still maintained? If so, please let me know and I would appreciate the opportunity to help fix these vulnerabilities.

I'd like to suggest some improvements based on the OpenSSF Scorecard best practices:

- Branch Protection & Code Review: Enabling branch protection rules and code reviews can minimize the risk of introducing vulnerabilities. Refer to your repository settings for configuration options.
- Static Application Security Testing (SAST): Implementing SAST tools can help detect vulnerabilities early in the development lifecycle.
- Dependency Update Tool: Utilizing a dependency update tool ensures your project uses the latest secure library versions.
- Security Policy: Defining a comprehensive security policy (SECURITY.md) with vulnerability reporting guidelines, coding standards, and response procedures is recommended.

For more information on specific checks, see the OpenSSF Scorecard documentation: Link to Documentation
Explain the motivation for making this change. What existing problem does the pull request solve?
Test plan (required)
It's just a fix in workflow and some suggestions for security.
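The two Scorecard findings this PR addresses, `unpinned dependency` (a `uses:` reference pinned to a mutable tag such as `@v1` instead of a full commit SHA) and `token permissions` (no `permissions:` block, so `GITHUB_TOKEN` gets the repository default), can be checked mechanically before a workflow is merged. The following is an added example, not part of this PR or the project's own code: a small Python linter run over two constructed workflow snippets, one in the weak form the description refers to and one in the hardened form. The workflow texts are constructed samples, and the 40-hex SHAs in the hardened sample are placeholders, not real commits of `actions/checkout` or `actions/upload-artifact`.

```python
import re

# Constructed sample in the weak form: actions pinned to tags and no permissions block.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/upload-artifact@v1
        with:
          name: build
          path: dist/
"""

# Constructed sample in the hardened form: least-privilege token at the top level and
# every third-party action pinned to a full commit SHA. The SHAs below are PLACEHOLDERS;
# look up the real commit behind the tag you want before pinning.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/upload-artifact@1111111111111111111111111111111111111111 # v4 (placeholder SHA)
        with:
          name: build
          path: dist/
"""

# `uses:` value up to the first space or comment marker (a trailing "# v4" comment is ignored).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex-digit commit SHA; anything else (tag, branch) is mutable and counts as unpinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Top-level `permissions:` only: the key must start at column 0.
PERMISSIONS_RE = re.compile(r"^permissions:\s*(\S.*)?$")


def unpinned_actions(workflow_text):
    """Return the `uses:` references that are not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped: SHA pinning applies to
    actions fetched from a GitHub repository.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(ref)  # no ref at all: defaults to the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow_text):
    """True if the workflow declares a top-level `permissions:` key.

    A top-level key restricts GITHUB_TOKEN for every job; jobs may still
    narrow or widen it with their own `permissions:` block.
    """
    return any(PERMISSIONS_RE.match(line) for line in workflow_text.splitlines())


def scorecard_style_findings(workflow_text):
    """Combine both checks into a list of human-readable findings (empty means clean)."""
    findings = [f"unpinned action: {ref}" for ref in unpinned_actions(workflow_text)]
    if not has_top_level_permissions(workflow_text):
        findings.append("no top-level permissions: GITHUB_TOKEN gets the repository default")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}:")
        for finding in scorecard_style_findings(text) or ["no findings"]:
            print("  -", finding)
```

Running the script reports three findings for the weak workflow (two unpinned actions and the missing permissions block) and none for the hardened one. The check is line-based on purpose so it needs no YAML library; keeping the `# v4` comment next to each SHA is what lets a dependency update tool recognise which release the pin corresponds to.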