Prepare release 2.15.3 by chencs · Pull Request #11578 · grafana/mimir · GitHub

Prepare release 2.15.3 #11578

Merged
merged 1 commit into from
May 29, 2025
chencs (Contributor) commented May 28, 2025

What this PR does

Cuts the CHANGELOG and updates VERSION for release 2.15.3.

Which issue(s) this PR fixes or relates to

Fixes #

Checklist

  • Tests updated.
  • Documentation added.
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX].
  • about-versioning.md updated with experimental features.

Contributor

😢 zizmor failed with exit code 14.

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/backport.yaml:2:1
  |
2 | / on:
3 | |   pull_request_target:
4 | |     types:
5 | |       - closed
6 | |       - labeled
  | |_______________^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:48:7
   |
48 |     - uses: helm/kind-action@v1.10.0
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:50:7
   |
50 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:58:7
   |
58 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/compare-helm-with-jsonnet.yml:66:7
   |
66 |       uses: dsaltares/fetch-gh-release-asset@1.1.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
 --> ./.github/workflows/dependabot_reviewer.yml:5:1
  |
5 | on: pull_request_target
  | ^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
  |
  = note: audit confidence → Medium

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/dependabot_reviewer.yml:23:9
   |
23 |         uses: dependabot/fetch-metadata@v2.2.0
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:39:9
   |
39 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
40 | /         run: |
41 | |           git config --global --add safe.directory '*'
42 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
43 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:39:9
   |
39 |         - name: Run Git Config
   |           ^^^^^^^^^^^^^^^^^^^^ this step
40 | /         run: |
41 | |           git config --global --add safe.directory '*'
42 | |           git config --global user.email "${{ github.event.pull_request.user.login }}@users.noreply.github.com"
43 | |           git config --global user.name "${{ github.event.pull_request.user.login }}"
   | |_____________________________________________________________________________________^ github.event.pull_request.user.login may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/generate-docs-helm-tests-renovate-pr.yml:46:9
   |
46 |         uses: ksivamuthu/actions-setup-gh-cli@v2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:14:9
   |
14 |       - uses: imjasonh/setup-crane@v0.4
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/helm-weekly-release-pr.yaml:21:9
   |
21 |         uses: peter-evans/create-pull-request@v5
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:110:9
    |
110 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
111 |           if: steps.compare_tag.outputs.isDifferent == 'true'
112 | /         run: |
113 | |           echo "Get current Build Image Version"
...   |
125 | |             git push origin HEAD
126 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[template-injection]: code injection via template expansion
   --> ./.github/workflows/push-mimir-build-image.yml:110:9
    |
110 |         - name: Add commit to PR in order to update Build Image version
    |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
111 |           if: steps.compare_tag.outputs.isDifferent == 'true'
112 | /         run: |
113 | |           echo "Get current Build Image Version"
...   |
125 | |             git push origin HEAD
126 | |           fi
    | |____________^ github.event.pull_request.user.login may expand into attacker-controllable code
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:37:9
   |
37 |         uses: docker/setup-qemu-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/push-mimir-build-image.yml:40:9
   |
40 |         uses: docker/setup-buildx-action@v3
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/sbom-report.yml:17:7
   |
17 |       uses: anchore/sbom-action@v0.17.8
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:193:9
    |
193 |         uses: azure/setup-helm@v4
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:253:9
    |
253 |         uses: docker/setup-qemu-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/test-build-deploy.yml:256:9
    |
256 |         uses: docker/setup-buildx-action@v3
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
69 |         - name: Cache golangci-lint cache
70 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
79 |         - name: Cache Go build cache
80 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/test-build-deploy.yml:2:1
   |
 2 | / on:
 3 | |   push:
...  |
 9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
10 | |   pull_request:
   | |_______________^ generally used when publishing artifacts generated at runtime
11 |
...
86 |         - name: Cache Go module cache
87 |           uses: actions/cache@v4
   |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
225 |         - name: Cache Go build cache
226 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
265 |         - name: Cache Go build cache
266 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
332 |         - name: Cache Go build cache
333 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
   --> ./.github/workflows/test-build-deploy.yml:2:1
    |
  2 | / on:
  3 | |   push:
...   |
  9 | |       - mimir-[0-9]+.[0-9]+.[0-9]+**
 10 | |   pull_request:
    | |_______________^ generally used when publishing artifacts generated at runtime
 11 |
...
407 |         - name: Cache Go build cache
408 |           uses: actions/cache@v4
    |           ^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
    |
    = note: audit confidence → Low

117 findings (79 ignored, 11 suppressed): 0 unknown, 0 informational, 0 low, 0 medium, 27 high

@chencs chencs marked this pull request as ready for review May 29, 2025 00:58
@chencs chencs requested a review from a team as a code owner May 29, 2025 00:58
@chencs chencs merged commit 4c3449d into release-2.15 May 29, 2025
33 checks passed
@chencs chencs deleted the casie/prepare-release-2.15.3 branch May 29, 2025 18:14
3 participants