From ea402eb362e64bea9b446719ac69cfe6ff3d887e Mon Sep 17 00:00:00 2001
From: GitHub Copilot Agent
Date: Fri, 13 Feb 2026 18:22:04 +0100
Subject: [PATCH 1/2] fix(actions): harden workflow_run checkout in convergence workflow

---
 .github/workflows/nuget-online-convergence.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/nuget-online-convergence.yml b/.github/workflows/nuget-online-convergence.yml
index 1af3a78..2609226 100644
--- a/.github/workflows/nuget-online-convergence.yml
+++ b/.github/workflows/nuget-online-convergence.yml
@@ -26,7 +26,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.workflow_run.head_sha }}
+          # Security hardening: do not checkout workflow_run head_sha in a privileged workflow.
+          # Always use the trusted default branch content for verifier scripts.
+          ref: ${{ github.event.repository.default_branch }}
+          persist-credentials: false
 
       - name: Resolve release metadata
         id: meta

From b439dfed726224ab66ae01667a4849aac1659eb1 Mon Sep 17 00:00:00 2001
From: GitHub Copilot Agent
Date: Fri, 13 Feb 2026 18:25:25 +0100
Subject: [PATCH 2/2] fix(scorecard): disable publish_results and drop unused id-token perm

---
 .github/workflows/scorecard.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index fc7893e..66366a3 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -10,7 +10,6 @@ on:
 
 permissions:
   security-events: write
-  id-token: write
   contents: read
   actions: read
 
@@ -29,7 +28,9 @@ jobs:
         with:
           results_file: artifacts/ci/scorecard/results.sarif
           results_format: sarif
-          publish_results: true
+          # Keep deterministic local evidence + SARIF upload, avoid remote publish rejection
+          # when workflow permissions include security-events write for SARIF upload.
+          publish_results: false
 
       - name: Upload SARIF to code scanning
         uses: github/codeql-action/upload-sarif@v3
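Review bot: Switching `ref` to the default branch is the right call for a `workflow_run` consumer, but every later step that assumed the working tree matched the triggering run (the `Resolve release metadata` step starts at the end of this hunk and its body is outside it) must now take the commit it verifies explicitly from `github.event.workflow_run.head_sha` in the event payload rather than from the checked-out tree, otherwise the verifier silently inspects the wrong revision. `persist-credentials: false` also means any later step that pushes or calls the API has to be handed `GITHUB_TOKEN` explicitly; worth confirming none relied on the stored credential. Since this commit is explicitly a hardening change, the still-mutable `actions/checkout@v4` tag is the remaining supply-chain gap in the hunk; `uses: actions/checkout@<full-commit-sha>  # v4` closes it and is what Scorecard's Pinned-Dependencies check looks for. The enclosing job definition begins before the hunk.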
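Review bot: The new comment above `publish_results: false` gives a confusing rationale — it reads as if `security-events: write` were the cause of the remote publish rejection, yet that permission is deliberately kept for the `Upload SARIF to code scanning` step two lines below. If the actual reason is that publishing needs the `id-token: write` grant removed in the first hunk of this patch, the comment should say so plainly, e.g. `# publish_results needs id-token: write (dropped above); keep only local SARIF evidence + code-scanning upload.` Disabling publication also means the repository's public Scorecard result stops updating, which the commit message should state as an accepted trade-off. `github/codeql-action/upload-sarif@v3` is a mutable tag; a full-commit-SHA pin would be consistent with the hardening intent of this series. The step's enclosing job continues outside the hunk, so the `ossf/scorecard-action` `uses:` line and its pin cannot be checked here.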