Summary
The default branch already hardened .github/workflows/main.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
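To make the finding concrete, here is a small checker, added for illustration and not part of this issue, zizmor or the MetaMask repository, that scans workflow text for `uses:` references whose ref is not a full 40-hex commit SHA. The sample workflow, the `some-org/some-action` reference and the all-zero SHA are constructed placeholders; the `pinned_form` helper only formats the replacement line in the `@<sha> # <tag>` shape shown in the patches below, the SHA itself must be resolved from the tag out of band (e.g. `git ls-remote --tags`).

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not the repository's real main.yml); it mirrors
# the shape of the is-release step from the issue plus a few other reference kinds.
SAMPLE_WORKFLOW = """\
jobs:
  is-release:
    runs-on: ubuntu-latest
    steps:
      - id: is-release
        uses: MetaMask/action-is-release@v2
        with:
          commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

# Matches `uses: <ref>` whether or not the line starts a list item; a trailing
# `# comment` is excluded from the captured ref.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Return 'local', 'docker', 'pinned' or 'unpinned' for a `uses:` value."""
    if ref.startswith("./"):
        return "local"      # repo-local action: travels with the commit, nothing to pin
    if ref.startswith("docker://"):
        return "docker"     # images are pinned by digest, not commit SHA; out of scope here
    if "@" not in ref:
        return "unpinned"   # no ref at all resolves to the default branch
    _, _, version = ref.rpartition("@")
    return "pinned" if SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, ref) for every `uses:` that is a mutable tag or branch."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


def pinned_form(ref: str, sha: str) -> str:
    """Rewrite `owner/repo@tag` as `owner/repo@<sha> # tag`.

    The caller supplies the SHA it resolved from the tag; this only formats it.
    """
    if not SHA_RE.match(sha):
        raise ValueError("sha must be a full 40-hex commit id")
    action, _, tag = ref.rpartition("@")
    return f"{action}@{sha} # {tag}"


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned-uses {ref}")
```

Running it on the constructed sample reports the `MetaMask/action-is-release@v2` step and the `@main` reference; the local action, the docker image and the SHA-pinned step are not flagged, which is the same distinction the patches below rely on.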
Already resolved on the default branch in:
Affected release branches (5)
release/864.0.0-1 (still present as of HEAD 8190e4d3)
release/753.0.0 (still present as of HEAD d5220d9f)
release/843.0.0 (still present as of HEAD d42b2df8)
release/1058.0.0 (still present as of HEAD 11fadce9)
release/939.0.0 (still present as of HEAD 4d77bfb4)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
release/864.0.0-1 — unpinned-uses
File .github/workflows/main.yml; suggested edits:
- ~ jobs.$J.steps[id=is-release].uses : pin(MetaMask/action-is-release -> target_ref SHA)
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -100,7 +100,7 @@
IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
steps:
- id: is-release
- uses: MetaMask/action-is-release@v2
+ uses: MetaMask/action-is-release@61ff8882da996cb68cdbc8583dc53956a1ffdd8b # v2
with:
commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
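Review bot: the `+ uses:` line's trailing comment records only the major tag `v2`, so a reviewer cannot tell from this hunk which release the SHA `61ff8882da996cb68cdbc8583dc53956a1ffdd8b` was resolved from or that it is still the commit behind `v2`. Please state the exact release tag in the comment (the same form as `# v2` but with the full version) and mention in the issue how the SHA was resolved, so the pin can be re-verified on each branch before it is applied.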
release/753.0.0 — unpinned-uses
File .github/workflows/main.yml; suggested edits:
- ~ jobs.$J.steps[id=is-release].uses : pin(MetaMask/action-is-release -> target_ref SHA)
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -100,7 +100,7 @@
IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
steps:
- id: is-release
- uses: MetaMask/action-is-release@v2
+ uses: MetaMask/action-is-release@61ff8882da996cb68cdbc8583dc53956a1ffdd8b # v2
with:
commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
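Review bot: the hunk lines are flush-left (the "whitespace is normalized" caveat above), so this diff will not apply with `git apply` or `git am` as pasted; the context lines must carry the workflow's original indentation. Since the only change on every branch is the single `uses:` value, the safer route is to apply that one-line substitution against each branch's checked-out `.github/workflows/main.yml` and re-run zizmor and actionlint there, rather than re-indenting the hunk by hand.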
release/843.0.0 — unpinned-uses
File .github/workflows/main.yml; suggested edits:
- ~ jobs.$J.steps[id=is-release].uses : pin(MetaMask/action-is-release -> target_ref SHA)
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -100,7 +100,7 @@
IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
steps:
- id: is-release
- uses: MetaMask/action-is-release@v2
+ uses: MetaMask/action-is-release@61ff8882da996cb68cdbc8583dc53956a1ffdd8b # v2
with:
commit-starts-with: 'Release [version],Release v[version],Release/[version],Release/v[version],Release `[version]`'
release/1058.0.0 — unpinned-uses
File .github/workflows/main.yml; suggested edits:
- ~ jobs.$J.steps[id=is-release].uses : pin(MetaMask/action-is-release -> target_ref SHA)
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -104,7 +104,7 @@
IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
steps:
- id: is-release
- uses: MetaMask/action-is-release@v2
+ uses: MetaMask/action-is-release@61ff8882da996cb68cdbc8583dc53956a1ffdd8b # v2
with:
commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
release/939.0.0 — unpinned-uses
File .github/workflows/main.yml; suggested edits:
- ~ jobs.$J.steps[id=is-release].uses : pin(MetaMask/action-is-release -> target_ref SHA)
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -102,7 +102,7 @@
IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
steps:
- id: is-release
- uses: MetaMask/action-is-release@v2
+ uses: MetaMask/action-is-release@61ff8882da996cb68cdbc8583dc53956a1ffdd8b # v2
with:
commit-starts-with: ${{ vars.RELEASE_COMMIT_PREFIX }}
Happy to open pull requests instead if that's preferred.