fix: pin 7 unpinned action(s), extract 3 unsafe expression(s) to env vars#4355
Open
dagecko wants to merge 1 commit intopeter-evans:mainfrom
Open
fix: pin 7 unpinned action(s), extract 3 unsafe expression(s) to env vars#4355dagecko wants to merge 1 commit intopeter-evans:mainfrom
dagecko wants to merge 1 commit intopeter-evans:mainfrom
Conversation
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/automerge-dependabot.yml | 2 +- .github/workflows/ci.yml | 8 ++++---- .github/workflows/cpr-example-command.yml | 2 +- .github/workflows/slash-command-dispatch.yml | 2 +- .github/workflows/update-major-version.yml | 9 +++++++-- 5 files changed, 14 insertions(+), 9 deletions(-)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR hardens your CI/CD workflows against supply chain attacks by pinning GitHub Actions to immutable commit SHAs and extracting unsafe expressions from
run:blocks intoenv:mappings.A note on pinning internal/org-owned actions: Some of the actions pinned in this PR are ones you maintain. The reason we pin these as well is that the tj-actions compromise in March 2025 and the Trivy compromise in March 2026 both worked by compromising a maintainer account and pushing malicious code to mutable tags that the organization controlled. Scoped permissions on a workflow reduce the blast radius but do not prevent the compromise - a compromised maintainer account can modify the action code itself, which then executes in every downstream workflow regardless of that workflow's permission settings. SHA pinning is the only mechanism that prevents a force-pushed tag from changing what your workflow executes.
Fixes applied (in this PR)
automerge-dependabot.ymlci.ymlcpr-example-command.ymlslash-command-dispatch.ymlupdate-major-version.ymlAdvisory: additional findings (manual review recommended)
slash-command-dispatch.ymlupdate-major-version.ymlcpr-example-command.ymlWhy this PR
I've been scanning the top 50,000 GitHub repositories for CI/CD pipeline vulnerabilities over the last 5 weeks as part of an ongoing research effort into the supply chain attack campaign that started with tj-actions in March and has escalated through multiple phases since, where attackers compromise maintainer accounts and force-push malicious code to mutable action tags - every downstream project referencing those tags then executes the attacker's code with full access to secrets and deployment credentials.
You may notice that I have opened up a lot of PRs - don't take that as a negative. I've been working around the clock on this and monitoring all comms. It may take me an hour or two to get back to a comment you leave.
How to verify
Every change is mechanical and preserves workflow behavior:
action@v3becomesaction@abc123 # v3- original version preserved as comment${{ expr }}inrun:moves toenv:block, referenced as"${ENV_VAR}"in the scriptI've had 22 merges so far. I created a tool called Runner Guard to assist in my research - it does mechanical, non-AI fixes to reduce hallucinations to zero and produce consistent fixes. If you would like to scan it yourself to validate my work, feel free.
Happy to answer any questions - I'm monitoring comms on every PR.
- Chris Nyhuis (dagecko)