Remediate audit (#4929)

* remove slack notification on release

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* restrict cache usage

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Alex Goodman 2026-05-18 15:01:37 -04:00 committed by GitHub
parent c09a009bda
commit d97216ff70
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 16 additions and 34 deletions


@ -49,8 +49,17 @@ runs:
IFS=' ' read -ra packages <<< "$APT_PACKAGES" IFS=' ' read -ra packages <<< "$APT_PACKAGES"
DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}" DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}"
# ORAS cache: restore-only on non-default branches / forks
- name: Restore ORAS cache from github actions - name: Restore ORAS cache from github actions
if: inputs.download-test-fixture-cache == 'true' if: ${{ inputs.download-test-fixture-cache == 'true' && (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) || github.event.repository.fork == true) }}
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ${{ github.workspace }}/.tmp/oras-cache
key: ${{ inputs.cache-key-prefix }}-oras-cache
# ORAS cache: restore + save on the default branch of the canonical repo only.
- name: Restore and save ORAS cache from github actions
if: ${{ inputs.download-test-fixture-cache == 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && github.event.repository.fork == false }}
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with: with:
path: ${{ github.workspace }}/.tmp/oras-cache path: ${{ github.workspace }}/.tmp/oras-cache
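Review bot: The `github.event.repository.fork == true` clause in the two new `if:` expressions does not by itself catch pull requests from forks: on a `pull_request` event `github.event.repository` is the base repository, so `.fork` is `false`, and it is the `github.ref` comparison (`refs/pull/N/merge` never equals the default-branch ref) that routes those runs to the restore-only step. That is the intended outcome, but the comment should record it so a later "simplification" does not drop the ref check; e.g. `# ORAS cache: restore-only on non-default branches / forks (PR runs use refs/pull/*, so the ref check isolates them; .fork covers the workflow running inside a fork repository)`. A second comment stating that the two conditions are complementary, `# exactly one of the two cache steps runs when download-test-fixture-cache is true`, would make the save-side restriction auditable at a glance. The hunk header counts 17 new lines but only 15 are visible here, so the `key:` of the restore-and-save step appears to sit outside this view.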


@ -101,26 +101,6 @@ jobs:
file: go.mod file: go.mod
artifact-name: sbom.spdx.json artifact-name: sbom.spdx.json
- name: Notify Slack of new release
uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c #v3.0.3
continue-on-error: true
with:
webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
webhook-type: incoming-webhook
payload: |
text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
blocks:
- type: section
text:
type: mrkdwn
text: |
*A new Syft release has been published* :rocket:
• Release: <https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}|${{ github.event.inputs.version }}>
• Repo: `${{ github.repository }}`
• Workflow: `${{ github.workflow }}`
• Event: `${{ github.event_name }}`
if: ${{ success() }}
release-install-script: release-install-script:
needs: [release] needs: [release]
if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }} if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}


@ -21,9 +21,10 @@ jobs:
name: "Static analysis" name: "Static analysis"
# runs-on.com: memory & general purpose instances for testing # runs-on.com: memory & general purpose instances for testing
# spot enabled: ok to interrupt non-production workloads # spot enabled: ok to interrupt non-production workloads
# s3-cache: faster actions cache
# tmpfs: faster io-intensive workflows # tmpfs: faster io-intensive workflows
runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=s3-cache+tmpfs" # note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
# shared cache backend that the trusted release workflow reads from (cache poisoning).
runs-on: &test-runner "runs-on=${{ github.run_id }}/cpu=4+8/ram=32+128/family=r5+r6+r7+r8+m4+m5+m6+m7+m8/spot=price-capacity-optimized/extras=tmpfs"
permissions: permissions:
contents: read contents: read
steps: steps:
@ -91,15 +92,13 @@ jobs:
# runs-on.com: compute instances for parallel builds # runs-on.com: compute instances for parallel builds
# spot disabled: reliability for build workflows (used for releases too) # spot disabled: reliability for build workflows (used for releases too)
# goreleaser uses parallelism of 12, so we need more CPUs # goreleaser uses parallelism of 12, so we need more CPUs
# s3-cache: faster actions cache
# tmpfs: faster io-intensive workflows # tmpfs: faster io-intensive workflows
runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs" # note: s3-cache intentionally omitted -- PR runs are untrusted and must not write to the
# shared cache backend that the trusted release workflow reads from (cache poisoning).
runs-on: "runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=tmpfs"
permissions: permissions:
contents: read contents: read
steps: steps:
# required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
- uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with: with:
persist-credentials: false persist-credentials: false
@ -130,9 +129,6 @@ jobs:
permissions: permissions:
contents: read contents: read
steps: steps:
# required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
- uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with: with:
persist-credentials: false persist-credentials: false
@ -211,9 +207,6 @@ jobs:
permissions: permissions:
contents: read contents: read
steps: steps:
# required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
- uses: runs-on/action@d141ef83eb66d096ce8afc767e09115a65c63b60 # v2.1.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with: with:
persist-credentials: false persist-credentials: false
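Review bot: The note added above both `runs-on:` lines (first and second hunks) justifies dropping `s3-cache` by asserting that the trusted release workflow reads from the shared backend, but this file alone cannot show that every job triggered by untrusted events has stopped writing to it; any remaining `extras=s3-cache` or `runs-on/action` (magic-cache) step in a `pull_request`-triggered job elsewhere would reopen the same poisoning path, and the release-side reader is not on this page. Either list the remaining opt-in workflows in the PR description or narrow the comment to what this file guarantees, e.g. `# s3-cache intentionally omitted: this job runs on untrusted PR events and must not write to the shared cache backend`. The third and fourth hunks remove the `runs-on/action` step whose comment said it was required for artifact upload/download with magic-cache; that is consistent with no longer requesting magic-cache, but a run of those jobs on the new side should confirm their artifact steps still pass. The enclosing job definitions start outside each hunk.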