Fix some security warnings (#539)

ianks · github-advanced-security[bot] · web-flow · commit e5ac0fcff212 · 2025-05-09T19:02:30.000-04:00
* Potential fix for code scanning alert no. 4338: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;

* Potential fix for code scanning alert no. 4334: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;

* Pin gh actions

* Add more permissions

* Fix cache delete action

* Remove flagged files

* Remove more flagged files

---------

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/cache-clean.yml b/.github/workflows/cache-clean.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Delete caches
-        uses: actions/github-script@v7
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
         with:
           script: |
             let totalDeleted = 0;
@@ -71,13 +71,27 @@ jobs:
                 totalDeleted++;
                 totalBytes += cache.size_in_bytes;
 
-                await github.rest.actions.deleteActionsCacheById({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  cache_id: cache.id
-                });
-
-                console.log(`Deleted cache ${cache.id} (${sizeInMb(cache.size_in_bytes)} MB) for ref ${cache.ref}`);
+                try {
+                  await github.rest.actions.deleteActionsCacheByKey({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    key: cache.key,
+                    ref: cache.ref
+                  });
+                  console.log(`Deleted cache ${cache.key} (${sizeInMb(cache.size_in_bytes)} MB) for ref ${cache.ref}`);
+                } catch (error) {
+                  console.warn(`Error deleting cache by key: ${error.message}. Attempting alternative method...`);
+                  try {
+                    await github.rest.actions.deleteActionsCacheByKey({
+                      owner: context.repo.owner,
+                      repo: context.repo.repo,
+                      key: cache.key
+                    });
+                    console.log(`Deleted cache ${cache.key} (${sizeInMb(cache.size_in_bytes)} MB) without ref parameter`);
+                  } catch (secondError) {
+                    console.error(`Failed to delete cache ${cache.key}: ${secondError.message}`);
+                  }
+                }
               }
             }
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,7 @@
 ---
 name: "CI"
+permissions:
+  contents: read
 
 on:
   push:
@@ -72,15 +74,15 @@ jobs:
               rust_toolchain: stable
     runs-on: ${{ matrix.sys.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: oxidize-rb/actions/upload-core-dumps@v1
+      - uses: oxidize-rb/actions/upload-core-dumps@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1
 
       - name: Setup debug info
         shell: bash
         run: script/ci/set-debug-env.sh
 
-      - uses: oxidize-rb/actions/setup-ruby-and-rust@v1
+      - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1
         if: matrix.ruby_version != 'skip'
         with:
           cache-version: v2
@@ -150,7 +152,7 @@ jobs:
         if: env.ACTIONS_STEP_DEBUG == 'true'
         run: bundle exec rake bindings:generate
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: always()
         with:
           name: rb-sys-ci-debug-artifacts-${{ matrix.sys.os }}-${{ matrix.ruby_version }}
@@ -171,11 +173,11 @@ jobs:
             rust_toolchain: stable
     runs-on: ${{ matrix.sys.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: oxidize-rb/actions/upload-core-dumps@v1
+      - uses: oxidize-rb/actions/upload-core-dumps@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1
 
-      - uses: oxidize-rb/actions/setup-ruby-and-rust@v1
+      - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1
         with:
           ruby-version: none
           rustup-toolchain: ${{ matrix.sys.rust_toolchain }}
@@ -187,7 +189,7 @@ jobs:
           echo "GEM_HOME=~/.gem/ruby/${{ matrix.ruby_version }}" >> $GITHUB_ENV
 
       - name: ⚡ Cache
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
           path: |
             /opt/rubies/${{ matrix.ruby_version }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -38,7 +38,7 @@ jobs:
       matrix:
         toolchain: ${{ fromJSON(needs.fetch_ci_data.outputs.toolchains-data) }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set rb-sys version variable
         id: vars
@@ -55,28 +55,28 @@ jobs:
           echo "aliases=$aliases" >> $GITHUB_ENV
 
       # Test the container
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           repository: "oxidize-rb/oxi-test"
           path: "tmp/oxi-test"
 
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@e34163cd15f4bb403dcd72d98e295997e6a55798 # v1
         with:
           ruby-version: "3.1"
 
       - name: Login to Docker Hub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Prepare Docker images list
         id: prepare_images
@@ -91,7 +91,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
         with:
           images: |
             ${{ env.images }}
@@ -108,7 +108,7 @@ jobs:
             org.oxidize-rb.ruby.platform=${{ env.ruby_platform }}
 
       - name: Docker build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ./docker
@@ -182,7 +182,7 @@ jobs:
             --highestUserWastedPercent "$highest_user_wasted_percent"
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@99baf0d8b4e787c3cfd7b602664c8ce60a43cd38 # master
         with:
           image-ref: "${{ secrets.DOCKER_HUB_USERNAME }}/${{ env.ruby_platform }}:sha-${{ github.sha }}"
           format: "sarif"
@@ -193,13 +193,13 @@ jobs:
           exit-code: "0" # Changed from "1" to "0" to prevent failing on EOL OS warnings
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3
         with:
           sarif_file: "trivy-results-${{ env.ruby_platform }}.sarif"
           category: "docker-${{ env.ruby_platform }}"
 
       - name: Docker push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
           builder: ${{ steps.buildx.outputs.name }}
           context: ./docker
@@ -212,15 +212,15 @@ jobs:
           cache-to: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ env.ruby_platform }}:cache-${{ steps.vars.outputs.rb-sys-version }}
 
       - name: Docker Hub Description
-        uses: peter-evans/dockerhub-description@v4
+        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
           repository: rbsys/${{ env.ruby_platform }}
           readme-filepath: ./readme.md
 
       - name: Slack Noti on Failure
-        uses: 8398a7/action-slack@v3
+        uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3
         with:
           status: ${{ job.status }}
           fields: repo,message,commit,author,action,eventName,ref,workflow,job,took,pullRequest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,6 +1,9 @@
 ---
 name: "Docs"
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -16,9 +19,9 @@ jobs:
     name: 📑 Validate Docs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@e34163cd15f4bb403dcd72d98e295997e6a55798 # v1
         with:
           bundler-cache: true
           ruby-version: "3.2"
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -1,5 +1,7 @@
 ---
 name: Integration
+permissions:
+  contents: read
 on:
   push:
     branches:
@@ -41,15 +43,15 @@ jobs:
           INPUTS: ${{ toJSON(matrix) }}
         run: |
           echo "$INPUTS" | jq
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           repository: ${{ matrix.repo.name }}
           ref: ${{ matrix.repo.ref }}
           path: repo
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           path: rb-sys
-      - uses: oxidize-rb/actions/setup-ruby-and-rust@v1
+      - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1
         id: setup
         with:
           cache-version: v2
@@ -76,14 +78,14 @@ jobs:
     name: Bundle install in Dockerfile
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           repository: ${{ matrix.repo.name }}
           ref: ${{ matrix.repo.ref }}
           path: repo
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
 
       - name: Generate Dockerfile
         run: |
@@ -106,7 +108,7 @@ jobs:
           cat Gemfile.issue
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
           context: .
           file: ./Dockerfile.issue
diff --git a/.github/workflows/publish-book.yml b/.github/workflows/publish-book.yml
@@ -16,9 +16,9 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}-${{ github.ref }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: oxidize-rb/actions/setup-ruby-and-rust@v1
+      - uses: oxidize-rb/actions/setup-ruby-and-rust@d4731ac609739be0920f0faf5569b58b8eb1a262 # v1
         with:
           ruby-version: "3.4"
           bundler-cache: true
@@ -31,7 +31,7 @@ jobs:
         run: bundle exec rake book:build
 
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
         if: ${{ github.ref == 'refs/heads/main' }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/docker/Dockerfile.aarch64-linux b/docker/Dockerfile.aarch64-linux
@@ -17,11 +17,12 @@ ENV RUBY_TARGET="aarch64-linux" \
     CMAKE_aarch64_unknown_linux_gnu="/opt/cmake/bin/cmake" \
     CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER="aarch64-linux-gnu-gcc"
 
-COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh /
+COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh /
 
 RUN bash -c "source /lib.sh && install_packages libclang-12-dev llvm-12-dev clang-12 libc6-arm64-cross libc6-dev-arm64-cross" && \
     /rustup.sh && \
     /rubygems.sh && \
     /cmake.sh && \
     /rubybashrc.sh && \
+    /delete-unused-files.sh && \
     /rb-sys-dock.sh
diff --git a/docker/Dockerfile.aarch64-linux-musl b/docker/Dockerfile.aarch64-linux-musl
@@ -18,11 +18,12 @@ ENV RUBY_TARGET="aarch64-linux-musl" \
     BINDGEN_EXTRA_CLANG_ARGS_aarch64_unknown_linux_musl="--sysroot=/usr/aarch64-linux-musl" \
     CMAKE_aarch64_unknown_linux_musl="cmake"
 
-COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh /
+COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh /
 
 RUN bash -c "source /lib.sh && install_packages libclang-12-dev llvm-12-dev" && \
     /rustup.sh && \
     /rubygems.sh && \
     /cmake.sh && \
     /rubybashrc.sh && \
+    /delete-unused-files.sh && \
     /rb-sys-dock.sh
diff --git a/docker/Dockerfile.arm-linux b/docker/Dockerfile.arm-linux
@@ -16,11 +16,12 @@ ENV RUBY_TARGET="arm-linux" \
     PKG_CONFIG_PATH="/usr/lib/arm-linux-gnueabihf/pkgconfig" \
     CMAKE_arm_unknown_linux_gnueabihf="/opt/cmake/bin/cmake"
 
-COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh /
+COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh /
 
 RUN bash -c "source /lib.sh && install_packages libclang-dev clang llvm-dev libc6-armhf-cross libc6-dev-armhf-cross" && \
     /rustup.sh && \
     /rubygems.sh && \
     /cmake.sh && \
     /rubybashrc.sh && \
+    /delete-unused-files.sh && \
     /rb-sys-dock.sh
diff --git a/docker/Dockerfile.arm64-darwin b/docker/Dockerfile.arm64-darwin
@@ -17,12 +17,13 @@ ENV RUBY_TARGET="arm64-darwin" \
     PKG_CONFIG="aarch64-apple-darwin-pkg-config" \
     CMAKE_aarch64_apple_darwin="/opt/cmake/bin/cmake"
 
-COPY setup/lib.sh setup/osxcross-shebang.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh /
+COPY setup/lib.sh setup/osxcross-shebang.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh /
 
 RUN bash -c "source /lib.sh && install_packages libclang-dev clang libc6-arm64-cross libc6-dev-arm64-cross" && \
     /rustup.sh && \
     /rubygems.sh && \
     /cmake.sh && \
     /rubybashrc.sh && \
+    /delete-unused-files.sh && \
     /rb-sys-dock.sh && \
     /osxcross-shebang.sh
diff --git a/docker/Dockerfile.x64-mingw-ucrt b/docker/Dockerfile.x64-mingw-ucrt
@@ -16,11 +16,12 @@ ENV RUBY_TARGET="x64-mingw-ucrt" \
     PKG_CONFIG_PATH_x86_64_pc_windows_gnu="/usr/x86_64-w64-mingw32/pkgconfig" \
     CMAKE_x86_64_pc_windows_gnu="/opt/cmake/bin/cmake"
 
-COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh /
+COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh /
 
 RUN bash -c "source /lib.sh && install_packages libclang-dev" && \
     /rustup.sh && \
     /rubygems.sh && \
     /cmake.sh && \
     /rubybashrc.sh && \
+    /delete-unused-files.sh && \
     /rb-sys-dock.sh
diff --git a/docker/Dockerfile.x64-mingw32 b/docker/Dockerfile.x64-mingw32
@@ -16,12 +16,13 @@ ENV RUBY_TARGET="x64-mingw32" \
     PKG_CONFIG_PATH_x86_64_pc_windows_gnu="/usr/x86_64-w64-mingw32/pkgconfig" \
     CMAKE_x86_64_pc_windows_gnu="/opt/cmake/bin/cmake"
 
-COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh /
+COPY setup/lib.sh setup/rustup.sh setup/rubygems.sh setup/cmake.sh setup/rubybashrc.sh setup/rb-sys-dock.sh setup/delete-unused-files.sh /
 
 RUN bash -c "source /lib.sh && install_packages libclang-dev" && \
     /rustup.sh && \
     /rubygems.sh && \
     /cmake.sh && \
     /rubybashrc.sh && \
+    /delete-unused-files.sh && \
     /rb-sys-dock.sh
 
diff --git a/docker/Dockerfile.x86-linux b/docker/Dockerfile.x86-linux
diff --git a/docker/Dockerfile.x86-mingw32 b/docker/Dockerfile.x86-mingw32
diff --git a/docker/Dockerfile.x86_64-darwin b/docker/Dockerfile.x86_64-darwin
diff --git a/docker/Dockerfile.x86_64-linux b/docker/Dockerfile.x86_64-linux
diff --git a/docker/Dockerfile.x86_64-linux-musl b/docker/Dockerfile.x86_64-linux-musl
diff --git a/docker/setup/delete-unused-files.sh b/docker/setup/delete-unused-files.sh
