Skip to content

fix: pin 2 unpinned action(s)#1915

Merged
bluwy merged 1 commit into
changesets:mainfrom
dagecko:runner-guard/fix-ci-security
May 4, 2026
Merged

fix: pin 2 unpinned action(s)#1915
bluwy merged 1 commit into
changesets:mainfrom
dagecko:runner-guard/fix-ci-security

Conversation

@dagecko

@dagecko dagecko commented Apr 4, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR hardens your CI/CD workflows against supply chain attacks by pinning GitHub Actions to immutable commit SHAs and extracting unsafe expressions from run: blocks into env: mappings.

Fixes applied (in this PR)

Rule Severity File Description
RGS-007 medium ci.yml Pinned 1 action(s) to commit SHA
RGS-007 medium publish.yml Pinned 1 action(s) to commit SHA

Advisory: additional findings (manual review recommended)

Rule Severity File Description
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-004 high publish.yml Comment-Triggered Workflow Without Author Authorization Check
RGS-005 medium publish.yml Excessive Permissions on Untrusted Trigger
RGS-005 medium publish.yml Excessive Permissions on Untrusted Trigger
RGS-019 medium publish.yml Step Output Interpolated in run Block
RGS-019 medium publish.yml Step Output Interpolated in run Block
RGS-019 medium publish.yml Step Output Interpolated in run Block
RGS-019 medium publish.yml Step Output Interpolated in run Block

Why this PR

I've been scanning the top 50,000 GitHub repositories for CI/CD pipeline vulnerabilities over the last 5 weeks as part of an ongoing research effort into the supply chain attack campaign that started with tj-actions in March and has escalated through multiple phases since, where attackers compromise maintainer accounts and force-push malicious code to mutable action tags - every downstream project referencing those tags then executes the attacker's code with full access to secrets and deployment credentials.

You may notice that I have opened up a lot of PRs - don't take that as a negative. I've been working around the clock on this and monitoring all comms. It may take me an hour or two to get back to a comment you leave.

How to verify

Every change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3 - original version preserved as comment
  • Expression extraction: ${{ expr }} in run: moves to env: block, referenced as "${ENV_VAR}" in the script
  • No workflow logic, triggers, or permissions are modified

I've had 22 merges so far. I created a tool called Runner Guard to assist in my research - it does mechanical, non-AI fixes to reduce hallucinations to zero and produce consistent fixes. If you would like to scan it yourself to validate my work, feel free.

Happy to answer any questions - I'm monitoring comms on every PR.

- Chris Nyhuis (dagecko)

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/ci.yml      | 2 +-
 .github/workflows/publish.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
@changeset-bot

changeset-bot Bot commented Apr 4, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 98eeb60

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@codecov

codecov Bot commented Apr 4, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.37%. Comparing base (036fdd4) to head (98eeb60).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1915   +/-   ##
=======================================
  Coverage   83.37%   83.37%           
=======================================
  Files          56       56           
  Lines        2466     2466           
  Branches      742      747    +5     
=======================================
  Hits         2056     2056           
  Misses        404      404           
  Partials        6        6           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@bluwy bluwy added this pull request to the merge queue May 4, 2026
Merged via the queue into changesets:main with commit 951094b May 4, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants