fix: pin 2 actions to commit SHA, extract 2 expressions to env vars#7541
fix: pin 2 actions to commit SHA, extract 2 expressions to env vars#7541dagecko wants to merge 2 commits intomermaid-js:developfrom
Conversation
|
✅ Deploy Preview for mermaid-js ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: Dunning-Kruger/unlock-issues@b06b7f7e5c3f2eaa1c6d5d89f40930e4d6d9699e # v1 | ||
| with: | ||
| repo-token: '${{ secrets.GITHUB_TOKEN }}' |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
@mermaid-js/examples
mermaid
@mermaid-js/layout-elk
@mermaid-js/layout-tidy-tree
@mermaid-js/mermaid-zenuml
@mermaid-js/parser
@mermaid-js/tiny
commit: |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## develop #7541 +/- ##
=======================================
Coverage 3.34% 3.34%
=======================================
Files 524 524
Lines 55256 55256
Branches 795 795
=======================================
Hits 1850 1850
Misses 53406 53406
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Did some research into the CodeQL envvar-injection-critical guidance (https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/) and wanted to add this additional change to prevent shell injection through attacker-controllable values like ref names and workflow inputs, and to prevent unexpected behavior from special characters in secret values. Before: echo ${REF_NAME} After: echo "${REF_NAME}"
2 participants
Re-submission of #7529. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from
run:blocks intoenv:mappings.Changes by file
A note on internal action pinning
This PR pins all actions including org-owned ones. Best practice is to pin everything — the tj-actions/changed-files attack was an internally maintained action that was compromised, and every repo referencing it by tag silently executed attacker code. That said, it's your codebase. If you'd prefer to leave org-owned actions unpinned, let us know and we'll adjust the PR.
How to verify
Review the diff — each change is mechanical and preserves workflow behavior:
action@v3becomesaction@abc123 # v3— original version preserved as comment${{ expr }}inrun:moves toenv:block, referenced as$ENV_VARin the scriptI put up some research on this on Twitter and a research site if you want more context. I wrote a scanner called Runner Guard and open sourced it here.
If you have any questions, reach out. I'll be monitoring comms.
- Chris Nyhuis (dagecko)