Summary
The default branch already hardened .github/workflows/pr_review_trigger.yml against the issue(s) below, but 5 release branches still carry it. This proposes the same, minimal, scanner-verified fix for each.
What's flagged (by zizmor)
unpinned-uses — actions referenced by mutable tag/branch instead of a pinned commit SHA
Already resolved on the default branch in:
Affected release branches (5)
release-24.0.0-rc0 (still present as of HEAD 31b4b6c0)
release-23.0.1-rc0 (still present as of HEAD 82a374e5)
release-23.0.0-rc1 (still present as of HEAD e7843b80)
release-23.0.0-rc2 (still present as of HEAD eafe3a9e)
release-23.0.0-rc0 (still present as of HEAD d400b9c8)
Suggested per-branch patches
Each diff below was checked locally with zizmor and actionlint: the flagged finding(s) are cleared on the affected construct and no new lint or security findings are introduced. (Whitespace is normalized; only security-relevant lines change.)
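A small local check for the unpinned-uses finding, added here as an example and not zizmor's own logic or part of this issue: it scans a workflow for `uses:` lines whose ref is not a 40-hex commit SHA, and treats a pinned ref without a trailing version comment as a lesser finding. The sample workflow is constructed from the step shown in the patches below.

```python
import re
import sys

# A commit pin is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" with an optional trailing "# version" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")


def check_unpinned_uses(workflow_text):
    """Return a list of (line_no, ref, reason) for every uses: line that is
    not pinned to a commit SHA (or is pinned but carries no version comment)."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1).strip("'\""), m.group(2)
        # Local actions and docker images are not git refs; skip them here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no ref given"))
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append((line_no, ref, "mutable tag or branch"))
        elif comment is None:
            findings.append((line_no, ref, "pinned but no version comment"))
    return findings


# Constructed sample: the "before" step from the patches in this issue.
SAMPLE_BEFORE = """\
jobs:
  trigger:
    runs-on: ubuntu-latest
    steps:
      - name: "Upload PR review Payload"
        uses: actions/upload-artifact@v6
        with:
          path: "${{ github.event_path }}"
          name: "pr_review_payload"
      - uses: ./.github/actions/local-step
"""
# Constructed "after" text: the same step with the SHA pin from the patches.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "actions/upload-artifact@v6",
    "actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BEFORE
    for n, ref, why in check_unpinned_uses(text):
        print(f"line {n}: {ref}: {why}")
```

Run it against a real file with `python check_uses.py .github/workflows/pr_review_trigger.yml` (file name assumed); an empty result means every remote action is SHA-pinned with a version comment.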
release-24.0.0-rc0 — unpinned-uses
File .github/workflows/pr_review_trigger.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
--- a/.github/workflows/pr_review_trigger.yml
+++ b/.github/workflows/pr_review_trigger.yml
@@ -29,7 +29,7 @@
runs-on: ubuntu-latest
steps:
- name: "Upload PR review Payload"
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
path: "${{ github.event_path }}"
name: "pr_review_payload"
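Review bot: the trailing `# v7` comment on the `+ uses:` line records only the major tag, not the exact release the SHA `043fb46d…` resolves to; please record the full tag as published upstream (placeholder: `# v7.<minor>.<patch>`) so Dependabot or Renovate can bump the pin and its comment together and a reader can check the SHA against a concrete tag. Before merging, confirm that SHA is actually the commit behind the upstream tag (for example with `git ls-remote https://github.com/actions/upload-artifact refs/tags/v7*`), because the issue body gives no provenance for it.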
release-23.0.1-rc0 — unpinned-uses
File .github/workflows/pr_review_trigger.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
--- a/.github/workflows/pr_review_trigger.yml
+++ b/.github/workflows/pr_review_trigger.yml
@@ -29,7 +29,7 @@
runs-on: ubuntu-latest
steps:
- name: "Upload PR review Payload"
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
path: "${{ github.event_path }}"
name: "pr_review_payload"
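Review bot: this hunk will not apply with `git apply` as shown, since the context lines have had their YAML indentation normalized away (the issue says so above); regenerate the patch on the branch or edit the single `uses:` line by hand rather than pasting the hunk. Also verify once that `b7c566a772e6b6bfb58ed0dc250532a479d7789f` is the commit behind the upstream `v6` tag, and put the exact tag in the comment instead of the bare `# v6`.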
release-23.0.0-rc1 — unpinned-uses
File .github/workflows/pr_review_trigger.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
--- a/.github/workflows/pr_review_trigger.yml
+++ b/.github/workflows/pr_review_trigger.yml
@@ -29,7 +29,7 @@
runs-on: ubuntu-latest
steps:
- name: "Upload PR review Payload"
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
path: "${{ github.event_path }}"
name: "pr_review_payload"
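Review bot: the pin and comment here are identical to the release-23.0.1-rc0 hunk and the `@@ -29,7 +29,7 @@` header shows the same location, so one verified commit can be cherry-picked onto this branch instead of re-applying the edit by hand, which keeps the SHA and `# v6` comment consistent across branches. Consider also running zizmor and actionlint in CI on the release branches so the `unpinned-uses` finding cannot reappear there unnoticed.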
release-23.0.0-rc2 — unpinned-uses
File .github/workflows/pr_review_trigger.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
--- a/.github/workflows/pr_review_trigger.yml
+++ b/.github/workflows/pr_review_trigger.yml
@@ -29,7 +29,7 @@
runs-on: ubuntu-latest
steps:
- name: "Upload PR review Payload"
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
path: "${{ github.event_path }}"
name: "pr_review_payload"
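Review bot: the `+ uses:` line keeps the step on the v6 major (the `with:` inputs `path` and `name` are unchanged), so this is a pin-only change with no expected behaviour change; state that in the commit message. To keep the pin from going stale, add a `github-actions` ecosystem entry in the repository's Dependabot configuration (assumed not yet present for release branches) and record the exact tag, not just `# v6`, in the comment.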
release-23.0.0-rc0 — unpinned-uses
File .github/workflows/pr_review_trigger.yml; suggested edits:
- ~ jobs.$J.steps[uses=actions/upload-artifact].uses : pin(actions/upload-artifact -> target_ref SHA)
--- a/.github/workflows/pr_review_trigger.yml
+++ b/.github/workflows/pr_review_trigger.yml
@@ -29,7 +29,7 @@
runs-on: ubuntu-latest
steps:
- name: "Upload PR review Payload"
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
with:
path: "${{ github.event_path }}"
name: "pr_review_payload"
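Review bot: same SHA `b7c566a7…` as the three preceding v6 hunks, so verify it against the upstream `v6` tag once and reuse the result here; a mistyped or unverified SHA would silently pin the step to a different commit than intended. Replace the bare `# v6` comment with the exact upstream tag so automated updaters can track it, and regenerate the hunk with original indentation if it is to be applied with `git apply`.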
Happy to open pull requests instead if that's preferred.