Bump go #770
30b7ac4 to b73b1d1
Signed-off-by: Joao Pereira <joaopapereira@gmail.com>
Kusari Analysis Results: Caution, Flagged Issues Detected

The dependency change (Go stdlib upgrade from v1.25.7 to v1.26.3) is safe and routine with no vulnerabilities, advisories, or risk concerns. However, the code analysis identified a medium severity security issue in .github/workflows/gh-test.yml: the test-all job lacks an explicit permissions block, causing it to inherit overly broad default GitHub Actions token permissions. This violates least-privilege principles and could expose repository secrets or allow unintended write access during CI runs triggered by pull requests.

Action required: Add a minimal permissions block to the test-all job restricting the GitHub token to read-only access (e.g., contents: read) before merging.

Note: View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations: The test-all job does not define an explicit permissions block. Default GitHub Actions permissions are overly broad for a test workflow triggered on pull requests. Add a minimal permissions block at the job level to restrict the GitHub token to read-only access.
Signed-off-by: Joao Pereira <joaopapereira@gmail.com>
Kusari PR Analysis rerun based on 8af34f7, performed at 2026-05-14T20:59:37Z (link to updated analysis)
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 |
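Review bot: the trailing `# v6` comment is now the only human-readable record of what de0fac2e4500dabe0009e67214ff5f5447ce83dd resolves to, so keep it in sync with the SHA (Dependabot and Renovate update the SHA and the comment together); pinning the full commit instead of the floating `@v4` tag is the right change, but a stale version comment next to a pinned SHA misleads the next reviewer. This is also a two-major jump (v4 to v6 of actions/checkout), so check the release notes for changed defaults before merging.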
Issue: The actions/checkout step does not set persist-credentials: false. This means the GitHub token is persisted in the git config for the duration of the job, increasing the risk of credential exposure. Set persist-credentials: false unless downstream steps require git authentication.
Recommended Code Changes:

```yaml
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: '0'
          persist-credentials: false
```
| run: go get go | ||
| - name: Create Pull Request | ||
| uses: peter-evans/create-pull-request@v6 | ||
| uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1 |
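Review bot: this moves peter-evans/create-pull-request from the floating `@v6` tag to a SHA tagged v8.1.1, two major versions at once, while the hunk shows only the `uses:` line and none of the step's `with:` inputs or the token it pushes with; check those inputs against the v7 and v8 release notes for renamed or removed options before merging, and keep the `# v8.1.1` comment in step with the SHA so the pin stays auditable.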
Issue: The update-go job does not define an explicit permissions block. Default permissions are broader than necessary. Since this job creates a pull request using a bot token, restrict the job-level permissions to the minimum required.
Recommended Code Changes:

```yaml
jobs:
  update-go:
    runs-on: ubuntu-latest
    permissions:
      contents: read
```
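The three bot findings above (no job-level permissions on test-all, no job-level permissions on update-go, and checkout leaving the token in the git config) fit together in one workflow. The following is an added example, not the repository's actual .github/workflows/gh-test.yml: the job names, the checkout and create-pull-request pins, and the `go get go` step are taken from the page; the trigger events, the setup-go step, the test command, the secret name CARVEL_BOT_TOKEN and the create-pull-request inputs are assumptions.

```yaml
# Added example (not the project's own gh-test.yml). Job names and the two
# pinned actions come from the PR; everything else is assumed for illustration.
name: gh-test

on:
  pull_request:
  workflow_dispatch:

# Workflow-level default: grant nothing, then add back per job what it needs.
permissions: {}

jobs:
  test-all:
    runs-on: ubuntu-latest
    permissions:
      contents: read                    # enough to check out; no write scopes on PR runs
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: '0'
          persist-credentials: false    # do not leave GITHUB_TOKEN in .git/config
      - uses: actions/setup-go@v5       # pin to a SHA in real use, as the PR does
        with:
          go-version-file: go.mod
      - run: go test ./...

  update-go:
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    permissions:
      contents: read                    # GITHUB_TOKEN stays read-only; the PR is
                                        # opened with the bot PAT passed below
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false    # create-pull-request authenticates with its own token input
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - run: go get go                  # bumps the go directive in go.mod
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
        with:
          token: ${{ secrets.CARVEL_BOT_TOKEN }}   # assumed secret name; a scoped bot PAT
          commit-message: "Bump go"
          title: "Bump go"
          branch: bump-go
```

Two caveats a practitioner would want. First, `contents: read` on update-go is only correct because the PR is pushed with a separate bot token; if the step used `${{ secrets.GITHUB_TOKEN }}` instead, the job would need `contents: write` and `pull-requests: write`, and pull requests opened with GITHUB_TOKEN do not trigger other workflows such as test-all. Second, `persist-credentials: false` does not break create-pull-request, because that action configures git authentication itself from its `token` input rather than relying on the credentials checkout leaves behind.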
Signed-off-by: Joao Pereira <joaopapereira@gmail.com>
Kusari PR Analysis rerun based on 8c041ca, performed at 2026-05-14T21:03:20Z (link to updated analysis)
Kusari is having a bad day, so I will merge this PR even with that failure.
Auto-generated by https://github.com/carvel-dev/imgpkg/actions/runs/25860716070
Signed-off-by: Carvel Bot svc.bot.carvel@vmware.com