pin qltysh/qlty-action to commit SHA (security: zizmor unpinned-uses)#3
Merged
Third-party GitHub Actions referenced by a mutable tag (@v2) can be silently hijacked if the maintainer or a compromised account force-pushes the tag. Pin to the exact commit SHA that v2 currently resolves to (v2.2.0, 2025-08-11) and keep the human-readable version as a trailing comment for review. Official actions (actions/checkout, actions/setup-java, actions/cache) are intentionally left at @v4 — zizmor's allow-list and standard practice treat them as trusted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… excessive-permissions)
Without an explicit permissions block, the job inherits the repository default,
which on this repo grants the broad read/write GITHUB_TOKEN scope. Switch to
default-deny at the workflow level (permissions: {}) and grant only what the
job actually uses:
- contents: read for actions/checkout
- pull-requests: write so the SonarCloud Maven plugin can decorate PRs and post
inline comments via GITHUB_TOKEN
- checks: write so the same plugin can publish the "SonarCloud Code Analysis"
check status
Qlty coverage upload uses its own QLTY_COVERAGE_TOKEN, so the GITHUB_TOKEN does
not need any additional scopes for that step.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Coverage Impact: This PR will not change total coverage. (See full report on Qlty Cloud.)
actions/checkout defaults to writing GITHUB_TOKEN into .git/config so that later git operations can authenticate as the workflow. None of the downstream steps here use git push / tag / fetch beyond the initial checkout: mvn verify runs Sonar via SONAR_TOKEN and GITHUB_TOKEN as env vars, and Qlty coverage upload uses QLTY_COVERAGE_TOKEN. Setting persist-credentials: false removes the credential from .git/config so it cannot leak through anything that subsequently archives or uploads the repo working tree. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
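The three commits above (SHA-pinning the third-party action, the workflow-level `permissions: {}` with a per-job grant, and `persist-credentials: false` on checkout) are easiest to review side by side in one workflow. The following is an added illustration, not the repository's own workflow file: the job layout, the Java version, the cache key, the Maven command and the `qltysh/qlty-action/coverage` input names (`token`, `files`) are assumptions, and the 40-zero value in the `uses:` line is a placeholder that must be replaced by the commit that `v2.2.0` actually resolves to.

```yaml
# Added example (not the project's workflow). Layout, versions, cache key,
# Maven invocation and the qlty-action inputs are assumptions; the SHA is a
# placeholder to be replaced with the commit that v2.2.0 resolves to.
name: build

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default-deny: every job starts with no GITHUB_TOKEN scopes,
# regardless of the repository's default token permissions.
permissions: {}

jobs:
  verify:
    runs-on: ubuntu-latest
    # Job-level grant of only what the steps below actually use.
    permissions:
      contents: read        # actions/checkout
      pull-requests: write  # Sonar Maven plugin decorates PRs / posts inline comments
      checks: write         # Sonar Maven plugin publishes the "SonarCloud Code Analysis" check
    steps:
      - uses: actions/checkout@v4
        with:
          # Nothing after checkout pushes, tags or fetches, so the token must
          # not be left behind in .git/config where an archive/upload step
          # could pick it up.
          persist-credentials: false

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '21'          # assumption

      - uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: maven-${{ runner.os }}-${{ hashFiles('**/pom.xml') }}

      - name: Build, test and run Sonar analysis
        env:
          # Sonar reads both; GITHUB_TOKEN is what the PR decoration uses.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Sonar analysis is assumed to be bound to the verify phase in pom.xml,
        # as the commit message describes.
        run: mvn --batch-mode verify

      # Third-party action pinned to a full commit SHA. The tag is kept as a
      # trailing comment so a reviewer can see which release the SHA is meant
      # to be; the comment itself is not enforced by GitHub.
      # 0000000000000000000000000000000000000000 is a PLACEHOLDER, not the real SHA.
      - uses: qltysh/qlty-action/coverage@0000000000000000000000000000000000000000 # v2.2.0
        with:
          # Separate credential: GITHUB_TOKEN needs no extra scope for this step.
          token: ${{ secrets.QLTY_COVERAGE_TOKEN }}
          files: target/site/jacoco/jacoco.xml   # assumption: JaCoCo XML report path
```

To find the value for the placeholder, resolve the tag in the action's repository with `git ls-remote https://github.com/qltysh/qlty-action refs/tags/v2.2.0`; if the tag is annotated, the hash printed is the tag object, and `refs/tags/v2.2.0^{}` gives the peeled commit, which is the one to pin. Two caveats worth keeping in mind when reviewing this pattern: the `# v2.2.0` comment is informational only, so when the SHA is bumped the comment has to be re-checked by hand (or by a tool that compares the two); and a SHA-pinned action can still fetch code at run time through its own `uses:` lines or a downloaded binary, so the pin fixes what the workflow references, not everything the action goes on to execute.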