@mimir-github-bot (Contributor)

Backport 640b6a9 from #11424

* test not installing

* Only drop in the workflows that run directly on the host

(cherry picked from commit 640b6a9)
@mimir-github-bot mimir-github-bot bot requested a review from a team as a code owner May 26, 2025 11:02
@mimir-github-bot mimir-github-bot bot requested a review from alexweav May 26, 2025 11:02
@github-actions (Contributor)

😢 zizmor failed with exit code 14.

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/backport.yaml:2:1
  |
2 | / on:
3 | |   pull_request_target:
4 | |     types:
5 | |       - closed
6 | |       - labeled
  | |_______________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:48:7
   |
48 |     - uses: helm/[email protected]
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:50:7
   |
50 |       uses: dsaltares/[email protected]
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:58:7
   |
58 |       uses: dsaltares/[email protected]
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:66:7
   |
66 |       uses: dsaltares/[email protected]
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/dependabot_reviewer.yml:5:1
  |
5 | on: pull_request_target
  | ^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/dependabot_reviewer.yml:23:9
   |
23 |         uses: dependabot/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:39:9
   |
39 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
40 | /         run: |
41 | |           git config --global --add safe.directory '*'
42 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
43 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:39:9
   |
39 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
40 | /         run: |
41 | |           git config --global --add safe.directory '*'
42 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
43 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:46:9
   |
46 |         uses: ksivamuthu/actions-setup-gh-cli@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:14:9
   |
14 |       - uses: imjasonh/[email protected]
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:21:9
   |
21 |         uses: peter-evans/create-pull-request@v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:111:9
    |
111 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
112 |           if: steps.compare_tag.outputs.isDifferent == 'true'
113 | /         run: |
114 | |           echo "Get current Build Image Version"
...   |
126 | |             git push origin HEAD
127 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:111:9
    |
111 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
112 |           if: steps.compare_tag.outputs.isDifferent == 'true'
113 | /         run: |
114 | |           echo "Get current Build Image Version"
...   |
126 | |             git push origin HEAD
127 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:35:9
   |
35 |         uses: docker/setup-qemu-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:38:9
   |
38 |         uses: docker/setup-buildx-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:41:9
   |
41 |         uses: docker/login-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/sbom-report.yml:17:7
   |
17 |       uses: anchore/[email protected]
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:193:9
    |
193 |         uses: azure/setup-helm@v4
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:253:9
    |
253 |         uses: docker/setup-qemu-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:256:9
    |
256 |         uses: docker/setup-buildx-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
69 |         - name: Cache golangci-lint cache
70 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
79 |         - name: Cache Go build cache
80 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
86 |         - name: Cache Go module cache
87 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
225 |         - name: Cache Go build cache
226 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
265 |         - name: Cache Go build cache
266 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
332 |         - name: Cache Go build cache
333 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
407 |         - name: Cache Go build cache
408 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

118 findings (79 ignored, 11 suppressed): 0 unknown, 0 informational, 0 low, 0 medium, 28 high

@aknuds1 aknuds1 enabled auto-merge (squash) May 26, 2025 11:04
@aknuds1 aknuds1 merged commit c1c8045 into release-2.15 May 26, 2025
33 of 34 checks passed
@aknuds1 aknuds1 deleted the backport-11424-to-release-2.15 branch May 26, 2025 11:20
chencs added a commit that referenced this pull request Jun 6, 2025
* fix: changelog from 2.15 to 2.16 for memberlist kv store, ha tracker (#11339) (#11341)

(cherry picked from commit 1570fd5)

* fix(deps): update module golang.org/x/net to v0.38.0 [security] (#11297)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* ci: Don't install Docker for jobs that run directly on the host (#11424) (#11534)

* test not installing

* Only drop in the workflows that run directly on the host

(cherry picked from commit 640b6a9)

Co-authored-by: Alexander Weaver <[email protected]>

* [release-2.15] Upgrade Alpine Linux in Dockerfiles to 3.20.6 (#11530)

* Upgrade Dockerfiles to alpine:3.20.6

---------

Signed-off-by: Arve Knudsen <[email protected]>
Co-authored-by: Copilot <[email protected]>

* Fix Docker Hub login (#11539) (#11541)

(cherry picked from commit 6c69ae6)

Co-authored-by: Armand Grillet <[email protected]>

* [release-2.15] Build: Upgrade to Go v1.23.9 (#11537)

* Build: Upgrade to Go v1.23.9
* Update build image version to pr11537-e41e7bc20d

---------

Signed-off-by: Arve Knudsen <[email protected]>
Co-authored-by: aknuds1 <[email protected]>

* Prepare release 2.15.3 (#11578)

* ci: Don't install Docker for jobs that run directly on the host (#11611)

* CI: Use dockerhub credentials from vault (#11390) (#11621)

Porting #11388 and #11389 from r341

Signed-off-by: Oleg Zaytsev <[email protected]>
Co-authored-by: Oleg Zaytsev <[email protected]>

* Update module github.com/ebitengine/purego to 0.8.3 (#11636) (#11637)

(cherry picked from commit 44334c1)

* remove alpine Dockerfile

* fix modules.txt

---------

Signed-off-by: Arve Knudsen <[email protected]>
Signed-off-by: Oleg Zaytsev <[email protected]>
Co-authored-by: Nikos Angelopoulos <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: mimir-github-bot[bot] <199097951+mimir-github-bot[bot]@users.noreply.github.com>
Co-authored-by: Alexander Weaver <[email protected]>
Co-authored-by: Arve Knudsen <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Armand Grillet <[email protected]>
Co-authored-by: aknuds1 <[email protected]>
Co-authored-by: Oleg Zaytsev <[email protected]>