Improve CI and security#53
Merged
Conversation
- Pin third-party actions to immutable commit SHAs (softprops/action-gh-release, thomashampson/delete-older-releases, actions/checkout@v3) to prevent tag hijacking
- Add 'environment: release' to all publishing jobs for secrets/approval gating
- Branch protection on master already applied via GitHub API (requires PR review, status checks, blocks force-push and deletion)
…e args, -v shorthand
- Remove -v shorthand for --verbose (CF CLI intercepts -v before the plugin sees it)
- Expand ~ in --local-dir to the user's home directory
- Reject --local-dir values containing path traversal sequences (..)
- Validate --local-dir exists before execution, including in dry-run mode
- Reject whitespace-only --args values with a clear error message
- Enable gosec in golangci-lint; add targeted nolint annotations for
intentional exec.Command("cf",...) / exec.Command(javaPath,...) usage
and correct file permissions (0755 dirs, 0644 JAR/hash, 0600 downloads)
- Add govulncheck to PR validation and build workflows; runs in report
mode since remaining findings are stdlib-only (require Go 1.25.x)
- Add govulncheck to scripts/lint-go.sh for local development
- Bump go.mod to 1.24.6 (fixes GO-2025-3956: exec.LookPath path confusion)
- Fix .golangci.yml: move G204 exclusion to linters.settings.gosec.excludes (v2 schema dropped issues.exclude-rules in favour of per-linter settings)
- Remove now-redundant //nolint:gosec G204 annotations across all call sites
- govulncheck: parse JSON output and emit ::warning annotations so findings appear inline in the GitHub Actions UI and PR diff view
- Shell-quote appName in jstall sshCmd to fix G702 (command injection via taint analysis); add shellQuote helper using single-quote escaping
- Bump all GitHub Actions to Node.js 24-compatible versions: checkout v4→v6, setup-go v5→v6, setup-python v4→v6, setup-node v4→v6, golangci-lint-action v8→v9
- Fix govulncheck JSON parser: output is multi-line JSON objects, not NDJSON; use raw_decode() instead of line-by-line json.loads()
- Upgrade golang.org/x/crypto to v0.52.0 (fixes GO-2026-5005 through GO-2026-5023: 13 CVEs in SSH/TLS/auth packages)
- Upgrade golang.org/x/sys to v0.45.0 (fixes GO-2026-5024)
- Bump go directive to 1.25.0 to match updated dependency requirements
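An added illustration of two of the hardening steps listed in the commits above: the single-quote shell escaping that stops an app name from breaking out of the remote ssh command, and the --local-dir checks (traversal rejection, ~ expansion, existence check). This is example code, not the plugin's own; the names shellQuote and validateLocalDir and the decision to reject ".." as a path element rather than as a substring are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// shellQuote wraps s in single quotes so a remote shell treats it as one
// literal word. An embedded single quote becomes '\'' (close the quoted
// string, emit an escaped quote, reopen it), so nothing inside s can end
// the quoting or trigger expansion.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// validateLocalDir rejects any ".." path element (checked on the raw input,
// before expansion, because filepath.Join would silently clean it away),
// expands a leading "~" to the home directory, and requires the result to
// be an existing directory so a dry run fails just as early as a real run.
func validateLocalDir(dir string) (string, error) {
	for _, elem := range strings.Split(filepath.ToSlash(dir), "/") {
		if elem == ".." {
			return "", fmt.Errorf("--local-dir %q contains a path traversal sequence", dir)
		}
	}
	if dir == "~" || strings.HasPrefix(dir, "~/") {
		home, err := os.UserHomeDir()
		if err != nil {
			return "", err
		}
		dir = filepath.Join(home, dir[1:])
	}
	info, err := os.Stat(dir)
	if err != nil {
		return "", fmt.Errorf("--local-dir %q: %w", dir, err)
	}
	if !info.IsDir() {
		return "", fmt.Errorf("--local-dir %q is not a directory", dir)
	}
	return dir, nil
}

func main() {
	// Constructed app name containing a quote, a separator and a variable.
	fmt.Println("cf ssh " + shellQuote("my'app; echo $HOME"))
	if _, err := validateLocalDir("../outside"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```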
dbriemann approved these changes May 29, 2026
ansteiner approved these changes May 29, 2026
No description provided.