fix: pin 2 unpinned action(s)#1915
Conversation
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/ci.yml | 2 +- .github/workflows/publish.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1915 +/- ##
=======================================
Coverage 83.37% 83.37%
=======================================
Files 56 56
Lines 2466 2466
Branches 742 747 +5
=======================================
Hits 2056 2056
Misses 404 404
Partials 6 6 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Summary
This PR hardens your CI/CD workflows against supply chain attacks by pinning GitHub Actions to immutable commit SHAs and extracting unsafe expressions from
run:blocks intoenv:mappings.Fixes applied (in this PR)
ci.ymlpublish.ymlAdvisory: additional findings (manual review recommended)
publish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlpublish.ymlWhy this PR
I've been scanning the top 50,000 GitHub repositories for CI/CD pipeline vulnerabilities over the last 5 weeks as part of an ongoing research effort into the supply chain attack campaign that started with tj-actions in March and has escalated through multiple phases since, where attackers compromise maintainer accounts and force-push malicious code to mutable action tags - every downstream project referencing those tags then executes the attacker's code with full access to secrets and deployment credentials.
You may notice that I have opened up a lot of PRs - don't take that as a negative. I've been working around the clock on this and monitoring all comms. It may take me an hour or two to get back to a comment you leave.
How to verify
Every change is mechanical and preserves workflow behavior:
action@v3becomesaction@abc123 # v3- original version preserved as comment${{ expr }}inrun:moves toenv:block, referenced as"${ENV_VAR}"in the scriptI've had 22 merges so far. I created a tool called Runner Guard to assist in my research - it does mechanical, non-AI fixes to reduce hallucinations to zero and produce consistent fixes. If you would like to scan it yourself to validate my work, feel free.
Happy to answer any questions - I'm monitoring comms on every PR.
- Chris Nyhuis (dagecko)