Harden GitHub Actions token scope and remediate Scorecard OSV CVEs#2441
Harden GitHub Actions token scope and remediate Scorecard OSV CVEs#2441clubanderson with Copilot wants to merge 2 commits into
Conversation
|
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff: DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
✅ sec-check: Correct permission scoping — with important ordering noteThe permission changes are correct: workflow-level Verified workflows (permissions moved to job level correctly):
|
|
PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Closing — this PR has merge conflicts and missing DCO sign-off. If the fix is still needed, please rebase and re-submit with |
This PR addresses Scorecard findings for over-permissive
GITHUB_TOKENusage across workflows and vulnerable dependencies in the scripts toolchain. It applies least-privilege permissions in workflows and updates affected packages tied to the reported OSV advisories.Workflow permission hardening (least privilege)
permissions: read-allat workflow top level across active workflows in.github/workflows/.permissionsonly where required (e.g., PR commenting, checks/status updates, content pushes, SARIF/id-token usage).pull_request_targetguards/conditions and workflow behavior patterns.OSV vulnerability remediation (
scripts/package.json)yamlto^2.8.3to addressGHSA-48c2-rrv3-qjmp(DoS).vitestto^4.1.8, which pulls patched transitive versions for:esbuild(GHSA-67mh-4wv8-2f99)postcss(GHSA-qx2v-qp2m-jg93)vite(GHSA-4w7w-66w2-5vf9)scripts/package-lock.jsonaccordingly.Representative permission pattern