CharlieMCY opened a new issue, #8804:
URL: https://github.com/apache/camel-quarkus/issues/8804

   ### Summary
   The default branch already hardened 
`.github/workflows/generate-sbom-main.yml` against the issue(s) below, but 
**3** release branches still carry it. This proposes the same, minimal, 
scanner-verified fix for each.
   
   ### What's flagged (by [zizmor](https://github.com/woodruffw/zizmor))
   - `unpinned-uses` — actions referenced by mutable tag/branch instead of a 
pinned commit SHA
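An added check for the `unpinned-uses` finding described above (example code written for this page, not part of the issue, of camel-quarkus or of zizmor): a small Python scanner that reads workflow text line by line, extracts each `uses:` reference and reports those whose ref is not a full 40-hex commit SHA; local `./` actions are skipped, and the `docker://` digest rule is this script's own assumption, not a statement about zizmor's behaviour. The sample workflow text is constructed to mirror the flagged steps, once as they stand and once with the SHAs proposed in the diffs below.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA; tags, branches and short SHAs fail
# `uses:` as a list item ("- uses: x") or as a step key; the ref is the first token
# (optionally quoted), so a trailing "  # v4" comment is ignored.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s#'\"]+)")

def split_ref(spec):
    """Split 'owner/repo[/path]@ref' into (action, ref); ref is '' when absent."""
    action, sep, ref = spec.partition("@")
    return action, (ref if sep else "")

def is_pinned(spec):
    """True when the reference cannot silently change: full SHA, image digest or local path."""
    if spec.startswith("./"):
        return True  # local action in the same checkout: nothing external to pin
    _, ref = split_ref(spec)
    if spec.startswith("docker://"):
        return ref.startswith("sha256:")  # assumption of this script: images need a digest
    return bool(SHA_RE.match(ref))

def find_unpinned(workflow_text):
    """Return [(line_no, action, ref)] for every `uses:` that is_pinned() rejects."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            action, ref = split_ref(m.group(1))
            findings.append((no, action, ref))
    return findings

# Constructed sample mirroring the flagged steps in this issue, before the fix.
BEFORE = """\
    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK
        uses: actions/setup-java@v4
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
"""
# The same steps pinned to the SHAs proposed in the per-branch diffs.
AFTER = """\
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
      - name: Set up JDK
        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  # v4
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c  # v6
"""
```

Running `find_unpinned(BEFORE)` reports the three tag-referenced steps; the pinned `AFTER` text yields no findings.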
   
   Already resolved on the default branch in:
   - https://github.com/apache/camel-quarkus/commit/768e1f95fcaab51c0c3e142bf70da5fedd3f0871
   
   ### Affected release branches (3)
   - **`3.14.x`** (still present as of HEAD `8bf63729`)
   - **`3.13.x`** (still present as of HEAD `a89efdc4`)
   - **`3.8.x`** (still present as of HEAD `0e0b0780`)
   
   ### Suggested per-branch patches
   Each diff below was checked locally with **zizmor** and **actionlint**: the 
flagged finding(s) are cleared on the affected construct and no new lint or 
security findings are introduced. (Whitespace is normalized; only 
security-relevant lines change.)
   
   <details>
   <summary><code>3.14.x</code> &mdash; unpinned-uses</summary>
   
   File `.github/workflows/generate-sbom-main.yml`; suggested edits:
     - ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
     - ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
     - ~ jobs.$J.steps[uses=peter-evans/create-pull-request].uses : pin(peter-evans/create-pull-request -> target_ref SHA)
   
   ```diff
   --- a/.github/workflows/generate-sbom-main.yml
   +++ b/.github/workflows/generate-sbom-main.yml
   @@ -41,11 +41,11 @@
          matrix:
            java: ['17']
        steps:
   -      - uses: actions/checkout@v4
   +      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # 
v4
            with:
              persist-credentials: false
          - name: Set up JDK ${{ matrix.java }}
   -        uses: actions/setup-java@v4
   +        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  
# v4
            with:
              distribution: 'temurin'
              java-version: ${{ matrix.java }}
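Review bot: the `# v4` comments on the two pinned `uses:` lines name a floating major tag, so a reader cannot tell which `actions/checkout` and `actions/setup-java` release the SHAs were resolved from; record the exact release tag next to each SHA (for example `# v4.<minor>.<patch>`, a placeholder here) so the pin can be verified with `git ls-remote` against the upstream repository and bumped by tooling without re-resolving. Keeping `persist-credentials: false` on the checkout step is correct and should survive any rebase of this patch.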
   @@ -53,7 +53,7 @@
          - name: mvn build and sbom generation
            run: ./mvnw -V --no-transfer-progress -e -Psbom -Dquickly 
-DskipTests verify ${CQ_MAVEN_ARGS}
          - name: Create Pull Request
   -        uses: peter-evans/create-pull-request@v6
   +        uses: 
peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c  # v6
            with:
              base: main
              token: ${{ secrets.GITHUB_TOKEN }}
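Review bot: the `peter-evans/create-pull-request` pin is the most important of the three, since this step runs with `token: ${{ secrets.GITHUB_TOKEN }}` and opens pull requests, but the `# v6` comment again leaves the exact release unnamed; add the resolved tag alongside the SHA. Also confirm this is the same SHA that the default-branch fix (commit 768e1f95) introduced, so that `main` and the release branches converge on one reviewed revision instead of independently resolved ones.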
   ```
   </details>
   <details>
   <summary><code>3.13.x</code> &mdash; unpinned-uses</summary>
   
   File `.github/workflows/generate-sbom-main.yml`; suggested edits:
     - ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
     - ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
     - ~ jobs.$J.steps[uses=peter-evans/create-pull-request].uses : pin(peter-evans/create-pull-request -> target_ref SHA)
   
   ```diff
   --- a/.github/workflows/generate-sbom-main.yml
   +++ b/.github/workflows/generate-sbom-main.yml
   @@ -41,11 +41,11 @@
          matrix:
            java: ['17']
        steps:
   -      - uses: actions/checkout@v4
   +      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # 
v4
            with:
              persist-credentials: false
          - name: Set up JDK ${{ matrix.java }}
   -        uses: actions/setup-java@v4
   +        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  
# v4
            with:
              distribution: 'temurin'
              java-version: ${{ matrix.java }}
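Review bot: the hunk header `@@ -41,11 +41,11 @@` and its context lines are identical to the 3.14.x patch, and the issue states that whitespace was normalized, so this diff may be rejected by `git apply` on 3.13.x if the branch's indentation or line numbers differ; check the step positions against the file at HEAD `a89efdc4` before committing. The `# v4` comments should also name the exact release tag each SHA was resolved from, not just the major tag.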
   @@ -53,7 +53,7 @@
          - name: mvn build and sbom generation
            run: ./mvnw -V --no-transfer-progress -e -Psbom -Dquickly 
-DskipTests verify ${CQ_MAVEN_ARGS}
          - name: Create Pull Request
   -        uses: peter-evans/create-pull-request@v6
   +        uses: 
peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c  # v6
            with:
              base: main
              token: ${{ secrets.GITHUB_TOKEN }}
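Review bot: the `create-pull-request` SHA here matches the one proposed for 3.14.x, which is the right outcome for a backport, but the `# v6` comment leaves the release unnamed; record the resolved tag with the SHA. Before merging to a release branch that will see few follow-up edits, verify the SHA against the upstream `v6` tag (for instance `git ls-remote` on the upstream repository, comparing the peeled `^{}` entry for an annotated tag).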
   ```
   </details>
   <details>
   <summary><code>3.8.x</code> &mdash; unpinned-uses</summary>
   
   File `.github/workflows/generate-sbom-main.yml`; suggested edits:
     - ~ jobs.$J.steps[uses=actions/checkout].uses : pin(actions/checkout -> target_ref SHA)
     - ~ jobs.$J.steps[uses=actions/setup-java].uses : pin(actions/setup-java -> target_ref SHA)
     - ~ jobs.$J.steps[uses=peter-evans/create-pull-request].uses : pin(peter-evans/create-pull-request -> target_ref SHA)
   
   ```diff
   --- a/.github/workflows/generate-sbom-main.yml
   +++ b/.github/workflows/generate-sbom-main.yml
   @@ -41,11 +41,11 @@
          matrix:
            java: ['17']
        steps:
   -      - uses: actions/checkout@v4
   +      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # 
v4
            with:
              persist-credentials: false
          - name: Set up JDK ${{ matrix.java }}
   -        uses: actions/setup-java@v4
   +        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9  
# v4
            with:
              distribution: 'temurin'
              java-version: ${{ matrix.java }}
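Review bot: 3.8.x is the oldest of the three branches, yet this hunk is byte-identical to the 3.14.x one, down to `java: ['17']` and the `persist-credentials: false` context; confirm against HEAD `0e0b0780` that the workflow really has the same steps at the lines the `@@ -41,11 +41,11 @@` header claims, otherwise the hunk will not apply and the pins will have to be placed by hand. The SHAs should be taken from the default-branch fix (commit 768e1f95) rather than re-resolved, and the `# v4` comments should carry the exact release tag.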
   @@ -53,7 +53,7 @@
          - name: mvn build and sbom generation
            run: ./mvnw -V --no-transfer-progress -e -Psbom -Dquickly 
-DskipTests verify ${CQ_MAVEN_ARGS}
          - name: Create Pull Request
   -        uses: peter-evans/create-pull-request@v6
   +        uses: 
peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c  # v6
            with:
              base: main
              token: ${{ secrets.GITHUB_TOKEN }}
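Review bot: the SHA pin on `peter-evans/create-pull-request` is the right change for a step that holds `secrets.GITHUB_TOKEN`, but on a long-lived branch like 3.8.x the pin will only ever be bumped if a dependency updater is allowed to target release branches, so either note that or plan a manual refresh; the `# v6` comment should name the resolved release tag. Separately, the context shows this release-branch workflow opening pull requests with `base: main`; that is outside this change but worth confirming it is intended.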
   ```
   </details>
   
   ---
   *Happy to open pull requests instead if that's preferred.*


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
