chore: replace softprops/action-gh-release with gh CLI in pack-tutorials workflow #471

@andreatgretel

Description

Priority Level

Medium

Task Summary

pack-tutorials.yml uses softprops/action-gh-release@v2 (mutable tag) to upload tutorial archives to GitHub releases. This action is maintained by a single person on a personal GitHub account and has no security policy.

Mutable version tags on third-party actions are a known supply chain risk vector - the same class of issue behind CVE-2025-30066 (tj-actions/changed-files compromise).

Additionally, the action is still on Node.js 20 with no node24-compatible release. GitHub will force Node.js 24 on June 2, 2026 and remove Node.js 20 on September 16, 2026.

Technical Details & Implementation Plan

Replace the third-party action with a gh release upload step in pack-tutorials.yml:

- name: Upload tutorial archive to release
  env:
    GH_TOKEN: ${{ github.token }}
  run: gh release upload "${{ steps.get_release.outputs.tag }}" "${{ env.ZIP_FILE_NAME }}"

gh is pre-installed on all GitHub-hosted runners. This eliminates the third-party dependency entirely.

Dependencies

Blocked by #450 (Node.js 24 action upgrades) - should be addressed together or after that PR merges.
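The issue's point is that a third-party action referenced by a mutable tag can be changed underneath the workflow, while a step that only runs the pre-installed gh CLI has no external action to pin at all. The following is an added example, not code from the issue author or the project, that scans workflow text for `uses:` references and classifies how each one is pinned, so the "before" (softprops/action-gh-release@v2) shows up as a mutable reference and the proposed gh CLI "after" shows up clean. The two workflow snippets and the 40-hex-character checkout SHA are constructed placeholders, not real commits.

```python
import re
from typing import Dict, List

# Matches a `uses:` line in a GitHub Actions workflow, with or without a leading "- ".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# A full 40-character commit SHA is the only immutable way to reference an action.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref: str) -> str:
    """Classify one `uses:` reference by how mutable its pin is."""
    if ref.startswith("./"):
        return "local"      # action stored in this repository; no third-party trust
    if ref.startswith("docker://"):
        return "docker"     # container image; pin by digest separately
    if "@" not in ref:
        return "unpinned"   # no ref at all (resolves to the default branch)
    _, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return "sha"        # immutable full commit SHA
    return "mutable"        # tag or branch name; can be moved after the fact


def scan_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line: line number, reference, pin class."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            findings.append({"line": lineno, "uses": ref, "pin": classify_ref(ref)})
    return findings


def risky(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only references a reviewer should flag: mutable tags/branches or no ref."""
    return [f for f in findings if f["pin"] in ("mutable", "unpinned")]


# Constructed placeholder SHA (40 hex chars), not a real actions/checkout commit.
FAKE_SHA = "deadbeef" * 5

# Constructed "before" snippet: third-party action referenced by a mutable tag.
SAMPLE_BEFORE = f"""\
name: pack-tutorials
on: [push]
jobs:
  pack:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA}
      - name: Upload tutorial archive to release
        uses: softprops/action-gh-release@v2
"""

# Constructed "after" snippet: the upload step runs the pre-installed gh CLI instead.
SAMPLE_AFTER = f"""\
name: pack-tutorials
on: [push]
jobs:
  pack:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{FAKE_SHA}
      - name: Upload tutorial archive to release
        env:
          GH_TOKEN: ${{{{ github.token }}}}
        run: gh release upload "${{{{ steps.get_release.outputs.tag }}}}" "${{{{ env.ZIP_FILE_NAME }}}}"
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        flagged = risky(scan_workflow(sample))
        print(f"{label}: {len(flagged)} mutable/unpinned reference(s)")
        for f in flagged:
            print(f"  line {f['line']}: {f['uses']} ({f['pin']})")
```

Running the module prints one flagged reference for the "before" snippet and none for the "after" snippet. The same scan over a repository's `.github/workflows/*.yml` files is a cheap pre-merge check for the class of risk the issue describes; removing the action, as the issue proposes, is what makes the remaining reference list empty rather than merely pinned.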
