Harden for OpenSSF Scorecard: SHA-pin actions, scope tokens, patch x/sys#7
Merged
Conversation
Targets the high-weight Scorecard zeros (currently 6.2 overall): - Token-Permissions (0): release-artifacts.yml and compatibility-matrix-publish.yml declared contents/pages/id-token write at the top level. Top level is now contents: read; the write scopes moved to the single job that needs them. - Pinned-Dependencies (0): every `uses:` across all workflows is now pinned by full commit SHA with a version comment (Dependabot still updates these). - Vulnerabilities (9): OSV flagged GO-2026-5024 in golang.org/x/sys@v0.35.0 (not reachable, so CI govulncheck stays green). Bumped to v0.44.0 and re-vendored; this raises the go directive to 1.25.0 (CI already uses 1.25.11). Also refresh the README Go prerequisite (1.22+ -> 1.25+) and the stale "pinned to major version tags" comment. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Targets the high-weight Scorecard zeros (overall 6.2):
contents: read; write scopes (contents/pages/id-token) moved to the jobs that need them inrelease-artifacts.yml+compatibility-matrix-publish.ymluses:across all 14 workflows pinned by full commit SHA + version comment (Dependabot still updates them)GO-2026-5024ingolang.org/x/sys@v0.35.0(unreachable — CIgovulncheckstays green) bumped tov0.44.0, re-vendoredSide effect: the patched
x/sysrequires go ≥ 1.25, so the go directive is now1.25.0(CI already runs 1.25.11); README prerequisite updated to match.Expected lift: 6.2 -> ~7.5–8.0. Remaining zeros (Code-Review, Contributors, Maintained) are structural/time-based for a young solo repo; Branch-Protection needs a PAT
repo_token(separate, needs a secret).🤖 Generated with Claude Code