Conversation
| save_job_details: true | ||
| result_file_name: "${{ matrix.target.result_file }}" | ||
| - uses: mwasilew/github-action-matrix-outputs-write@v2 | ||
| - uses: mwasilew/github-action-matrix-outputs-write@f7202d2224ebed937f287a2e2813e47fddd12bc8 # v2 |
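Review bot: the trailing `# v2` comment on the pinned line needs to stay in sync with the SHA, otherwise readers and update tooling will trust a label that no longer matches the commit; confirm that `f7202d2224ebed937f287a2e2813e47fddd12bc8` is the commit the `v2` tag resolved to at the time of pinning, and keep the `owner/name@<sha> # <tag>` form so Dependabot or Renovate can bump both together.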
@mwasilew can we move this one under qualcomm / qualcomm-linux / foundriesio?
We can. I think I started OSR for this. Let me check it and report back here. There is also a chance I will eliminate it when refactoring the test.yml workflow.
OSR is still under review :(
As addressed in the OSR, we need @mwasilew to provide the correct Qualcomm organization as @ricardosalveti is stating there are a few options.
@mwasilew what organization will this move under (qualcomm / qualcomm-linux / foundriesio)? In addition, what will be the repo name?
I think we should push this to
Test run workflow: Test jobs for commit 72861a2
All jobs summary
Test Results: 23 files (-1), 23 suites (-1), 1h 21m 16s ⏱️ (-38m 4s). For more details on these failures, see this check. Results for commit 82eebe6. ± Comparison against base commit ef1247e. ♻️ This comment has been updated with latest results.
Repolinter is failing. It looks like there's a list of actions that can be run, maintained somewhere, and for andstor/file-existence-action and todogroup/repolinter-action the pattern to match includes the tag. So, that will need to be changed first.
I whitelisted the sha'd versions. Can you rerun?
checkout action by default causes a credential to be persisted on disk [1]. Versions before v6 used to store it in .git/config in checked-out repository. v6 fixed this and stored credentials to an area [2] which is later cleaned up. Use v6 of the action to include the change and be more secure. Set persist-credentials to false nonetheless as recommended by zizmor.
[1] https://docs.zizmor.sh/audits/#artipacked
[2] https://github.com/orgs/community/discussions/179107#discussioncomment-14906259
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
GitHub [1] and zizmor [2] recommend that actions, especially third party actions, should be pinned by hash instead of tags since tags are mutable and can introduce vulnerabilities if a malicious actor gains access to the action repository [3]. Change all third party actions to use hash instead of tag.
[1] https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
[2] https://docs.zizmor.sh/audits/#unpinned-uses
[3] https://nvd.nist.gov/vuln/detail/cve-2025-30066
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Thank you, it's working now.
Test run workflow: Test jobs for commit 82eebe6
All jobs summary
zizmor recommends that "checkout" action should be updated and specifically asked not to persist credentials [1] and that actions should be pinned by hash instead of tag [2]. Change all third party actions to use hash instead of tag.
[1] https://docs.zizmor.sh/audits/#artipacked
[2] https://docs.zizmor.sh/audits/#unpinned-uses
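As an added example (not code from this PR, from zizmor, or from any of the linked projects), the following Python script applies the two checks the commit messages above describe to a workflow file: every third-party `uses:` must reference a full 40-character commit SHA rather than a tag, and every `actions/checkout` step must set `persist-credentials: false`. The workflow text embedded in it is constructed for the example; the checkout SHA in it is a placeholder, and the matrix-outputs-write hash is the one pinned in this PR's diff. It is a deliberately simple line scanner (it recognises steps whose first key is `- uses:`) rather than a full YAML parser, so it runs without extra dependencies.

```python
import re
import sys

# Constructed sample workflow (not taken from the PR). The checkout SHA is a
# placeholder; the matrix-outputs-write hash is the one pinned in the PR diff.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6 (placeholder sha)
        with:
          persist-credentials: false
      - uses: mwasilew/github-action-matrix-outputs-write@v2
      - uses: mwasilew/github-action-matrix-outputs-write@f7202d2224ebed937f287a2e2813e47fddd12bc8 # v2
      - uses: ./.github/actions/local-helper
      - run: echo hello
"""

USES_RE = re.compile(r"^(\s*)-\s+uses:\s*(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def step_blocks(text):
    """Yield (line_no, uses_ref, body_lines) for every `- uses:` step.

    A step's body is every following line indented deeper than its `-`.
    The scan is line-based on purpose (no YAML dependency) and only
    recognises steps whose first key is `uses:`.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        body = []
        j = i + 1
        while j < len(lines):
            stripped = lines[j].lstrip()
            if stripped and len(lines[j]) - len(stripped) <= indent:
                break
            body.append(lines[j])
            j += 1
        yield i + 1, m.group(2), body
        i = j


def audit_workflow(text):
    """Return (line_no, message) pairs for unpinned or credential-persisting steps."""
    findings = []
    for line_no, ref, body in step_blocks(text):
        # Local actions and docker images have no tag to pin, so skip them.
        if ref.startswith(("./", "docker://")):
            continue
        name, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            shown = version or "(none)"
            findings.append((line_no, f"{ref}: pinned to mutable ref {shown}; use a full commit SHA"))
        # checkout persists a token unless told not to (zizmor 'artipacked' audit).
        if name == "actions/checkout" and not any(PERSIST_FALSE_RE.match(line) for line in body):
            findings.append((line_no, f"{ref}: set persist-credentials: false"))
    return findings


if __name__ == "__main__":
    # Usage: python audit_workflow.py [.github/workflows/test.yml]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    results = audit_workflow(source)
    for line_no, message in results:
        print(f"line {line_no}: {message}")
    sys.exit(1 if results else 0)
```

Run against the embedded sample it reports three findings: the `actions/checkout@v4` step is both tag-pinned and persists credentials, and the `@v2` matrix-outputs-write step is tag-pinned; the hash-pinned lines and the local action pass. A non-zero exit status makes it usable as a pre-merge check alongside zizmor.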