chore(security): bump upload-artifact v4.6.2 -> v7.0.1 + add OpenSSF Scorecard#14
Merged
bilbospocketses merged 1 commit on May 19, 2026
…Scorecard

upload-artifact bump (ci.yml 1 site, release.yml 3 sites)
- SHA ea165f8d -> 043fb46d. Closes the Node 20 deprecation banner that has been firing on every workflow run since GitHub's 2026-06-02 force_node24 cutover was announced; v7.x runs on Node 24.
- Root cause of why this drifted while every other action stayed current: the prior pin had a bare `# v4` comment (just the major). Dependabot uses the trailing comment as the version anchor and treats bare-major as a "track v4 line" range pin -- so it never proposed a major-bump PR even though v5, v6, and v7 had all shipped. The 5 other actions in this repo all had precise `# v<x>.<y>.<z>` comments at SHA-pin time and got Dependabot bumps in PRs #1, #2, #3, #4, #5 on 2026-05-18. upload-artifact was silently skipped.
- New pin uses precise `# v7.0.1` comment so future bumps surface normally.
- v5 dropped immutable artifact names (same `name:` rejected twice per run). Verified safe: this repo uses 4 distinct names across the 4 upload sites (test-results, unsigned-windows-exes, unsigned-windows-msi, windows-final).

OpenSSF Scorecard workflow (new .github/workflows/scorecard.yml)
- Triggers: branch_protection_rule (catches master-ruleset regressions), weekly cron Monday 09:00 ET (matches Dependabot + CodeQL cadence), push to master.
- SARIF uploads to Security tab (security-events: write) so findings sit next to CodeQL. Published to api.securityscorecards.dev via OIDC for the public scorecard.dev viewer page.
- All actions SHA-pinned with precise version comments. Workflow-level `permissions: read-all` with narrower per-job grants.
- Allowlist: `ossf/scorecard-action@*` added to repo-level patterns_allowed (was just `softprops/action-gh-release@*`). `github/codeql-action/upload-sarif` covered by github_owned_allowed.
- Mostly informational -- CM already passes the bulk of Scorecard's checks via the Tier 1-5 hardening pass. Ongoing value is drift detection (a future workflow regressing on Token-Permissions or Pinned-Dependencies would surface a score delta).
Two security follow-up items from a cross-repo posture audit vs. ws-scrcpy-web and oao.
upload-artifact bump (ci.yml 1 site, release.yml 3 sites)
- `ea165f8d` (v4.6.2) -> `043fb46d` (v7.0.1).
- `force_node24` cutover was announced for 2026-06-02; v7.x runs on Node 24.
- Root cause of why this drifted while every other action stayed current: the prior pin had a bare `# v4` comment (just the major). Dependabot's github-actions ecosystem uses the trailing comment as the version anchor; bare-major is interpreted as a "track v4 line" range pin, so it never proposed a major-bump PR even though v5, v6, and v7 had all shipped upstream.
- The 5 other actions in this repo all had precise `# v<x>.<y>.<z>` comments at SHA-pin time and got Dependabot bumps in PRs #1 (build(deps): bump actions/setup-dotnet from 4.3.1 to 5.2.0), #2 (build(deps): bump actions/attest-build-provenance from 2.4.0 to 4.1.0), #3 (build(deps): bump actions/checkout from 4.3.1 to 6.0.2), #4 (build(deps): bump actions/download-artifact from 4.3.0 to 8.0.1), #5 (build(deps): bump softprops/action-gh-release from 2.6.2 to 3.0.0) on 2026-05-18. `upload-artifact` was silently skipped: the Dependabot Updates workflow run log for that day shows 5 individual `for actions/<x> - Update` runs and zero for `upload-artifact`.
- New pin uses precise `# v7.0.1` comment so future bumps surface normally.
- v5 dropped immutable artifact names (same `name:` rejected twice per run). This repo uses 4 distinct names across the 4 upload sites (`test-results`, `unsigned-windows-exes`, `unsigned-windows-msi`, `windows-final`), so safe.

OpenSSF Scorecard workflow (new .github/workflows/scorecard.yml)
- Triggers: `branch_protection_rule` (catches master-ruleset regressions), weekly cron Monday 09:00 ET (matches Dependabot + CodeQL cadence), push to master.
- SARIF uploads to Security tab (`security-events: write`) so findings sit next to CodeQL. Published to `api.securityscorecards.dev` via OIDC (`id-token: write`) for the public `scorecard.dev/viewer/?uri=github.com/bilbospocketses/control-menu` page.
- All actions SHA-pinned with precise version comments. Workflow-level `permissions: read-all` with narrower per-job grants.
- Allowlist: `ossf/scorecard-action@*` added to repo-level `patterns_allowed` (was just `softprops/action-gh-release@*`). `github/codeql-action/upload-sarif` is github-owned, covered by `github_owned_allowed`. Pre-merge — already applied via `gh api PUT`.

Test plan
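A drift check for the root cause described above, added here as an example (not code from this PR or the control-menu repo): it classifies every `uses:` reference in a workflow by pin style and flags SHA pins whose trailing comment is a bare major such as `# v4`, the pattern the description says Dependabot treats as a range pin and never major-bumps. The sample workflow and its 40-character SHAs are constructed placeholders.

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref, with an optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit SHA
PRECISE_RE = re.compile(r"^v?\d+\.\d+\.\d+$")   # e.g. v7.0.1 (Dependabot proposes major bumps)
BARE_MAJOR_RE = re.compile(r"^v?\d+$")          # e.g. v4 (read as a "track v4 line" range pin)


def classify_pin(line: str):
    """Return (action, verdict) for a `uses:` line, or None if the line is not one.

    Verdicts: ok (SHA + precise comment), bare-major (SHA + `# vN` comment),
    no-comment (SHA with no version anchor), unpinned (tag/branch instead of a SHA),
    unrecognized-comment (SHA with a comment Dependabot cannot anchor on).
    """
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref = m.group("action"), m.group("ref")
    comment = (m.group("comment") or "").strip()
    if not SHA_RE.match(ref):
        return action, "unpinned"
    if not comment:
        return action, "no-comment"
    if PRECISE_RE.match(comment):
        return action, "ok"
    if BARE_MAJOR_RE.match(comment):
        return action, "bare-major"
    return action, "unrecognized-comment"


def audit_workflow(text: str):
    """List (action, verdict) for every `uses:` reference in a workflow file, in order."""
    results = [classify_pin(line) for line in text.splitlines()]
    return [r for r in results if r is not None]


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v6.0.2
  - uses: actions/upload-artifact@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb # v4
  - uses: actions/setup-dotnet@cccccccccccccccccccccccccccccccccccccccc
  - uses: softprops/action-gh-release@v3
"""

if __name__ == "__main__":
    for action, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:22} {action}")
```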