@macabu
Contributor

@macabu macabu commented Oct 8, 2025

Bumping Go to 1.25.2 addresses:

Bumping golangci-lint to match the supported Go version 1.25.x

Bumping golang.org/x/net addresses:

  • CVE-2025-58190
  • CVE-2025-47911

@github-actions
Contributor

github-actions bot commented Oct 8, 2025

😢 zizmor failed with exit code 14.

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/backend-code-checks.yml:32:9
   |
 3 | / on:
 4 | |   pull_request:
 5 | |     paths-ignore:
 6 | |       - '*.md'
...  |
15 | |       - 'docs/**'
16 | |       - 'latest.json'
   | |_____________________- generally used when publishing artifacts generated at runtime
...
32 | /         with:
33 | |           # Explicitly set Go version to 1.24.1 to ensure consistent OpenAPI spec generation
34 | |           # The crypto/x509 package has additional fields in Go 1.24.1 that affect the generated specs
35 | |           # This ensures the GHAs environment matches what we use in the Drone pipeline
36 | |           go-version: 1.24.1
37 | |           cache: true
   | |_____________________^ opt-in for caching here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/go-lint.yml:23:9
   |
 2 | / on:
 3 | |   push:
 4 | |     paths:
 5 | |       - pkg/**
...  |
10 | |       - release-*.*.*
11 | |   pull_request:
   | |_______________- generally used when publishing artifacts generated at runtime
...
23 |         - uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[bot-conditions]: spoofable bot actor check
  --> ./.github/workflows/pr-dependabot-update-go-workspace.yml:20:13
   |
18 | /   update:
19 | |     runs-on: "ubuntu-latest"
20 | |     if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.head.repo.full_name == github.repository }}
   | |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ actor context may be spoofable
21 | |     continue-on-error: true
...  |
68 | |           git push origin "$BRANCH_NAME"
69 | |         fi
   | |___________- this job
   |
   = note: audit confidence → Medium
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:26:9
   |
 3 | / on:
 4 | |   push:
 5 | |     branches:
 6 | |       - main
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________- generally used when publishing artifacts generated at runtime
...
26 |           uses: actions/setup-go@v5
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^ cache enabled by default here
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/run-schema-v2-e2e.yml:31:9
   |
 3 | / on:
 4 | |   push:
 5 | |     branches:
 6 | |       - main
...  |
 9 | |     branches:
10 | |       - '**'
   | |____________- generally used when publishing artifacts generated at runtime
...
31 | /         with:
32 | |           node-version-file: '.nvmrc'
33 | |           cache: 'yarn'
   | |_______________________^ opt-in for caching here
   |
   = note: audit confidence → Low

275 findings (66 ignored, 204 suppressed, 4 fixable): 0 informational, 0 low, 0 medium, 5 high

@macabu macabu merged commit 0be8635 into release-11.5.10 Oct 8, 2025
92 of 95 checks passed
@macabu macabu deleted the go/update-1.25.2-release-11.5.10 branch October 8, 2025 12:03
@grafana-delivery-bot
Contributor

grafana-delivery-bot bot commented Oct 8, 2025

🚀 Your submission is now being built and packaged.
