chore(deps): pin dependencies #95

Open
renovate-sh-app[bot] wants to merge 1 commit into main from renovate/pin-dependencies

renovate-sh-app bot commented Dec 2, 2025

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | pinDigest | 34e1148 |
| actions/setup-go | action | pinDigest | 40f1582 |
| alpine | final | pinDigest | 2510918 |
| anchore/sbom-action | action | pinDigest | ab5d7b5 |
| docker/login-action | action | pinDigest | c94ce9f |
| docker/setup-buildx-action | action | pinDigest | 8d2750c |
| docker/setup-qemu-action | action | pinDigest | c7c5346 |
| goreleaser/goreleaser-action | action | pinDigest | 5742e2a |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

renovate-sh-app bot force-pushed the renovate/pin-dependencies branch from 67b8354 to c2fb195, December 3, 2025 20:10

renovate-sh-app bot force-pushed the renovate/pin-dependencies branch from c2fb195 to 8229c4b, December 16, 2025 05:10

- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
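
Review bot: the pinned `actions/setup-go` step keeps the action's default caching, which is what the zizmor cache-poisoning check attached to this line reports ("cache enabled by default here"). Since the same workflow later publishes artifacts through goreleaser-action, set `cache: false` under `with:` on this step and keep the digest pin as it is.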

Check failure

Code scanning / zizmor

runtime artifacts potentially vulnerable to a cache poisoning attack Error


- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
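
Review bot: the trailing `# v5` comment on the pinned line names only the major tag, which moves between releases, so the file does not say which setup-go release this digest corresponds to. Consider recording the full release version in that comment so later digest bumps can be reviewed from the diff alone.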

Check failure

Code scanning / zizmor

runtime artifacts potentially vulnerable to a cache poisoning attack Error

renovate-sh-app bot force-pushed the renovate/pin-dependencies branch from 8229c4b to 74d4da4, December 18, 2025 02:08

renovate-sh-app bot force-pushed the renovate/pin-dependencies branch from 74d4da4 to 95df45e, December 18, 2025 05:05

renovate-sh-app bot force-pushed the renovate/pin-dependencies branch from 95df45e to 4bad7ff, December 19, 2025 11:07

renovate-sh-app bot force-pushed the renovate/pin-dependencies branch from 4bad7ff to 119608e, January 28, 2026 05:04

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>

renovate-sh-app bot force-pushed the renovate/pin-dependencies branch from 119608e to 9b6639a, January 28, 2026 14:04

@github-actions

😢 zizmor failed with exit code 14.

Expand for full output
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/base-goreleaser-ci.yaml:29:9
   |
29 |         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
39 |         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
   |         --------------------------------------------------------------------------- runtime artifacts usually published here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/base-release.yaml:31:9
   |
31 |         uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
...
48 |         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
   |         --------------------------------------------------------------------------- runtime artifacts usually published here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/ci-delta-to-cumulative.yaml:3:1
  |
3 | / on:
4 | |   workflow_run:
5 | |     workflows: [Continuous Integration]
6 | |     types:
7 | |       - completed
  | |_________________^ workflow_run is almost always used insecurely
  |
  = note: audit confidence → Medium

error[excessive-permissions]: overly broad permissions
  --> ./.github/workflows/release-delta-to-cumulative.yaml:14:5
   |
 8 | /   release:
 9 | |     name: Release delta-to-cumulative
10 | |     uses: ./.github/workflows/base-release.yaml
11 | |     with:
12 | |       distribution: delta-to-cumulative
13 | |     secrets: inherit
14 | |     permissions: write-all
   | |_____^^^^^^^^^^^^^^^^^^^^^^- this job
   |       |
   |       uses write-all permissions
   |
   = note: audit confidence → High

18 findings (7 ignored, 7 suppressed, 2 fixable): 0 informational, 0 low, 0 medium, 4 high
