Severity: Warning
File: .github/workflows/publish.yml (and others)
Lines: 220, 271, 333, 384, 435, 484
Description:
signpath/github-action-submit-signing-request@v2 is used 6 times, each time pinned to the mutable tag @v2. A tag is a movable pointer, not an immutable reference: the action's maintainer, or anyone who compromises the maintainer's account or repository, can force-push the tag to different code, and every workflow that references the tag will run that code on its next trigger with no change in this repository (a supply-chain attack against the build and release pipeline). Also affected: codecov/codecov-action@v5, coverallsapp/github-action@v2, peaceiris/actions-gh-pages@v3, gitleaks/gitleaks-action@v2, cssnr/virustotal-action@v1, actions/github-script@v7, github/codeql-action/*@v4.
Suggested fix:
Pin every third-party action to a full 40-character commit SHA, keeping the version as a trailing comment for readability, and enable Dependabot's github-actions package ecosystem so it opens pull requests that bump the SHAs as new versions are released. Note that SHA pinning fixes only the action's own code: an action that downloads a binary or script at run time can still change underneath the pin, so review what each pinned action fetches.
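Added example (not part of the finding, and not code from any of the projects named above): a small checker that scans workflow text for uses: references that are pinned to a tag or branch rather than a commit SHA, and a helper that rewrites a tag reference into the SHA-pinned form with the version kept as a trailing comment. The sample workflow, its checkout SHA and the SHA passed to pin_reference are constructed placeholders, not real commits.

```python
"""Detect GitHub Actions `uses:` references that are pinned to a mutable
tag or branch instead of a full commit SHA, and show the pinned form.

Added example, not part of the finding above; the workflow text and the
commit SHAs below are constructed placeholders, not real commits.
"""
import re

# A full-length git commit SHA (GitHub actions are addressed by SHA-1, 40 hex chars).
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# `uses:` may appear as `- uses: x` or `uses: x`, optionally quoted.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?""")

# Constructed sample workflow mixing SHA-pinned, tag-pinned, local and
# docker references. The SHA on the checkout line is a placeholder.
SAMPLE_WORKFLOW = """\
name: publish
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - name: Submit signing request
        uses: signpath/github-action-submit-signing-request@v2
      - uses: ./.github/actions/build
      - uses: docker://alpine:3.20
      - uses: "github/codeql-action/analyze@v4"
"""


def parse_uses(text):
    """Yield (line_number, reference) for every `uses:` line in a workflow."""
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            yield number, match.group(1)


def classify(ref):
    """Classify a `uses:` reference as 'local', 'docker', 'sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"      # action in this repository; it moves with the commit
    if ref.startswith("docker://"):
        return "docker"     # image tags need their own pinning (digests)
    _action, _sep, version = ref.rpartition("@")
    # No '@' at all means the default branch, which is also mutable.
    return "sha" if SHA_RE.match(version) else "mutable"


def find_mutable_refs(text):
    """Return [(line_number, reference)] for references not pinned to a SHA."""
    return [(n, ref) for n, ref in parse_uses(text) if classify(ref) == "mutable"]


def pin_reference(ref, sha):
    """Rewrite owner/repo@tag to owner/repo@<sha>  # tag.

    The trailing comment keeps the human-readable version next to the SHA;
    Dependabot updates both in place when it bumps the action.
    """
    if not SHA_RE.match(sha):
        raise ValueError(f"not a full commit SHA: {sha!r}")
    action, sep, tag = ref.rpartition("@")
    if not sep:
        action, tag = ref, "default-branch"
    return f"{action}@{sha.lower()}  # {tag}"


if __name__ == "__main__":
    for number, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} is pinned to a mutable ref")
    # Placeholder SHA; in practice resolve the tag first with
    #   git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>
    print(pin_reference("signpath/github-action-submit-signing-request@v2",
                        "89abcdef" * 5))
```

Run against the sample, the checker reports the two tag-pinned steps and leaves the SHA-pinned checkout, the local action and the docker image alone. To obtain the real SHA for a tag, use git ls-remote on the action's repository; for an annotated tag take the peeled line (the one ending in ^{}), which is the commit the tag points at. The dependabot.yml entry that keeps these SHAs current uses package-ecosystem: "github-actions" with directory: "/".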