fix: pin 5 unpinned action(s), extract 1 unsafe expression(s) to env vars#1775
fix: pin 5 unpinned action(s), extract 1 unsafe expression(s) to env vars#1775dagecko wants to merge 1 commit intomicrosoft:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s GitHub Actions workflows by pinning third-party actions to immutable commit SHAs and reducing shell-injection risk by moving an inline expression from a run: block into env:.
Changes:
- Pin 5 previously tag-pinned third-party actions to full commit SHAs (with version comments).
- Extract
${{ github.token }}from an inlinerun:string into an environment variable. - Reformat a long
WORKFLOW_DESCRIPTIONenvironment value indaily-repo-status.lock.yml.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/lock.yml | Pin OSDKDev/lock-issues to an immutable SHA. |
| .github/workflows/links.yml | Pin lycheeverse/lychee-action and peter-evans/create-issue-from-file to immutable SHAs. |
| .github/workflows/daily-repo-status.lock.yml | Move github.token into env for safer shell usage; adjust workflow description formatting. |
| .github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml | Pin Azure/static-web-apps-deploy (2 occurrences) to an immutable SHA. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 4/4 changed files
- Comments generated: 4
| WORKFLOW_DESCRIPTION: "This workflow creates daily repo status reports. It gathers recent repository | ||
| activity (issues, PRs, discussions, releases, code changes) and generates | ||
| engaging GitHub issues with productivity insights, community highlights, | ||
| and project recommendations." |
There was a problem hiding this comment.
WORKFLOW_DESCRIPTION was changed from a single-line double-quoted string with explicit \n escapes to a multi-line double-quoted scalar. YAML parsers can fold/normalize literal newlines in quoted scalars differently than \n, which can change the value passed to the script. Consider reverting to explicit \n escapes or using a block scalar (|/>-) to make the intended newlines unambiguous.
| WORKFLOW_DESCRIPTION: "This workflow creates daily repo status reports. It gathers recent repository | |
| activity (issues, PRs, discussions, releases, code changes) and generates | |
| engaging GitHub issues with productivity insights, community highlights, | |
| and project recommendations." | |
| WORKFLOW_DESCRIPTION: "This workflow creates daily repo status reports. It gathers recent repository\nactivity (issues, PRs, discussions, releases, code changes) and generates\nengaging GitHub issues with productivity insights, community highlights,\nand project recommendations." |
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Link Checker | ||
| id: lychee | ||
| uses: lycheeverse/lychee-action@v2 | ||
| uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2 |
There was a problem hiding this comment.
The PR description says workflows are pinned to immutable SHAs, but this workflow still uses actions/checkout@v4 (mutable tag). Please pin actions/checkout to a full commit SHA here as well, or update the PR description/scope to clarify that only specific third-party actions are pinned.
| - uses: actions/checkout@v3 | ||
| with: | ||
| submodules: true | ||
| - name: Build And Deploy | ||
| id: builddeploy | ||
| uses: Azure/static-web-apps-deploy@v1 | ||
| uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1 |
There was a problem hiding this comment.
This workflow still uses actions/checkout@v3 (mutable tag). Since this PR is about pinning actions to immutable SHAs, consider pinning actions/checkout here too (or clarify in the PR description that GitHub-owned actions are intentionally left unpinned).
| env: | ||
| REPO_NAME: ${{ github.repository }} | ||
| SERVER_URL: ${{ github.server_url }} | ||
| GITHUB_TOKEN: ${{ github.token }} | ||
| run: | | ||
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | ||
| git config --global user.name "github-actions[bot]" | ||
| # Re-authenticate git with GitHub token | ||
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | ||
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | ||
| git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" |
There was a problem hiding this comment.
This workflow file is marked as auto-generated ("DO NOT EDIT"). To avoid the next gh aw compile overwriting these security tweaks, apply the change in the referenced source workflow (githubnext/agentics/workflows/daily-repo-status.md) and recompile so the generated output stays in sync.
See below for a potential fix:
# Configure Git to use the GitHub token without persisting it in the remote URL
ASKPASS_SCRIPT="${RUNNER_TEMP}/git-askpass.sh"
cat > "${ASKPASS_SCRIPT}" <<'EOF'
#!/bin/sh
case "$1" in
*Username*) echo "x-access-token" ;;
*Password*) echo "${GITHUB_TOKEN}" ;;
*) echo "" ;;
esac
EOF
chmod 700 "${ASKPASS_SCRIPT}"
{
echo "GIT_ASKPASS=${ASKPASS_SCRIPT}"
echo "GIT_TERMINAL_PROMPT=0"
} >> "${GITHUB_ENV}"
Re-submission of #1773. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from
run:blocks intoenv:mappings.Changes by file
${{ github.token }}→GITHUB_TOKENenv varHow to verify
Review the diff — each change is mechanical and preserves workflow behavior:
action@v3becomesaction@abc123 # v3— original version preserved as comment${{ expr }}inrun:moves toenv:block, referenced as"${ENV_VAR}"in the scriptI wrote a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. Also put up a link to my research on Twitter if you're interested.
If you have any questions, reach out. I'll be monitoring comms.
- Chris Nyhuis (dagecko)