Skip to content

Harden for OpenSSF Scorecard: SHA-pin actions, scope tokens, patch x/sys#7

Merged
ErenAri merged 1 commit into
mainfrom
scorecard-hardening
Jun 14, 2026
Merged

Harden for OpenSSF Scorecard: SHA-pin actions, scope tokens, patch x/sys#7
ErenAri merged 1 commit into
mainfrom
scorecard-hardening

Conversation

@ErenAri

@ErenAri ErenAri commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Targets the high-weight Scorecard zeros (overall 6.2):

Check Before Fix
Token-Permissions 0 Top-level perms set to contents: read; write scopes (contents/pages/id-token) moved to the jobs that need them in release-artifacts.yml + compatibility-matrix-publish.yml
Pinned-Dependencies 0 Every uses: across all 14 workflows pinned by full commit SHA + version comment (Dependabot still updates them)
Vulnerabilities 9 GO-2026-5024 in golang.org/x/sys@v0.35.0 (unreachable — CI govulncheck stays green) bumped to v0.44.0, re-vendored

Side effect: the patched x/sys requires go ≥ 1.25, so the go directive is now 1.25.0 (CI already runs 1.25.11); README prerequisite updated to match.

Expected lift: 6.2 -> ~7.5–8.0. Remaining zeros (Code-Review, Contributors, Maintained) are structural/time-based for a young solo repo; Branch-Protection needs a PAT repo_token (separate, needs a secret).

🤖 Generated with Claude Code

Targets the high-weight Scorecard zeros (currently 6.2 overall):

- Token-Permissions (0): release-artifacts.yml and compatibility-matrix-publish.yml
  declared contents/pages/id-token write at the top level. Top level is now
  contents: read; the write scopes moved to the single job that needs them.
- Pinned-Dependencies (0): every `uses:` across all workflows is now pinned by
  full commit SHA with a version comment (Dependabot still updates these).
- Vulnerabilities (9): OSV flagged GO-2026-5024 in golang.org/x/sys@v0.35.0
  (not reachable, so CI govulncheck stays green). Bumped to v0.44.0 and
  re-vendored; this raises the go directive to 1.25.0 (CI already uses 1.25.11).

Also refresh the README Go prerequisite (1.22+ -> 1.25+) and the stale
"pinned to major version tags" comment.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ErenAri ErenAri merged commit 271a8b9 into main Jun 14, 2026
7 of 8 checks passed
@ErenAri ErenAri deleted the scorecard-hardening branch June 14, 2026 22:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant