fix: pin 6 unpinned action(s)#7345

Open
dagecko wants to merge 1 commit intoTheAlgorithms:masterfrom
dagecko:runner-guard/fix-ci-security

Conversation

@dagecko dagecko commented Mar 26, 2026

This is a re-submission of #7343, which was closed due to a branch issue on my end. Same fixes, apologies for the noise.

Security: Harden GitHub Actions workflows

Hey, I found some CI/CD security issues in this repo's GitHub Actions workflows. These are the same vulnerability classes that were exploited in the tj-actions/changed-files supply chain attack. I've been reviewing repos that are affected and submitting fixes where I can.

This PR applies mechanical fixes and flags anything else that needs a manual look. Happy to answer any questions.

Fixes applied

| Rule | Severity | File | Description |
| --- | --- | --- | --- |
| RGS-007 | high | .github/workflows/build.yml | Pinned 2 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/clang-format-lint.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/infer.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/update-directorymd.yml | Pinned 2 third-party action(s) to commit SHA |

Additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks or reference unpinned third-party actions are vulnerable to code injection and supply chain attacks. These are the same vulnerability classes exploited in the tj-actions/changed-files incident which compromised CI secrets across thousands of repositories.

How to verify

Review the diff; each change is mechanical and preserves workflow behavior:

  • SHA pinning: Pins third-party actions to immutable commit SHAs (original version tag preserved as comment)

If this PR is not welcome, just close it and I won't send another.
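Added example, not code from this PR or from the TheAlgorithms project: a small Python checker for the class of finding the PR fixes. It scans a workflow's `uses:` lines and flags any action reference that is not pinned to a full 40-hex commit SHA, and separately notes SHA-pinned lines that lack the trailing version comment the PR description says it preserves. The workflow text, the SHA values, the severity labels and the set of owners treated as first-party are all constructed for this example; the RGS-007 rule id and its exact semantics belong to the author's tool and are not reproduced here.

```python
"""Scan a GitHub Actions workflow for `uses:` references that are not pinned
to a full commit SHA. Added example; not the project's or the PR author's tooling."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow for demonstration (not this repository's real file).
# The 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4.2.1
      - name: Lint
        uses: some-vendor/clang-format-lint-action@master
      - uses: some-vendor/other-action@abcdefabcdefabcdefabcdefabcdefabcdefabcd
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - name: Script
        run: ./gradlew build
"""

# Owners treated as first-party for severity purposes. This is an assumption of
# the example (the PR only pinned third-party actions); GitHub itself makes no
# such distinction and SHA pinning is still advisable for these.
FIRST_PARTY_OWNERS = ("actions", "github")

# Matches `uses: owner/repo@ref` with an optional list dash, quotes and trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int        # 1-based line number in the workflow file
    ref: str         # the full `owner/repo@ref` string as written
    severity: str    # "high", "medium" or "low" (labels chosen for this example)
    reason: str


def scan_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that is unpinned or pinned without a version comment."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and docker images are outside the scope of SHA pinning.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "high", "no @ref given"))
            continue
        action, version = ref.rsplit("@", 1)
        owner = action.split("/", 1)[0]
        third_party = owner not in FIRST_PARTY_OWNERS
        if FULL_SHA_RE.match(version):
            # Immutable, but without a version comment neither humans nor Dependabot
            # can tell which release the SHA corresponds to.
            if comment is None:
                findings.append(Finding(lineno, ref, "low",
                                        "pinned to SHA but missing version comment"))
            continue
        # A tag or branch name can be moved to point at different code later.
        severity = "high" if third_party else "medium"
        findings.append(Finding(lineno, ref, severity,
                                f"pinned to mutable ref '{version}'"))
    return findings


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.severity}] {f.ref}: {f.reason}")
```

On the constructed sample this reports the `@v4` and `@master` references as unpinned and the second SHA-pinned line as missing its version comment, while the local action and docker image are skipped. A real run would point it at each file under `.github/workflows/`; resolving a tag to its SHA is a separate step (for example `git ls-remote` against the action repository) and is deliberately not done here.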

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.46%. Comparing base (ebcf5ad) to head (b0a786c).

Additional details and impacted files
@@            Coverage Diff            @@
##             master    #7345   +/-   ##
=========================================
  Coverage     79.46%   79.46%           
  Complexity     7083     7083           
=========================================
  Files           790      790           
  Lines         23164    23164           
  Branches       4556     4556           
=========================================
  Hits          18407    18407           
  Misses         4021     4021           
  Partials        736      736           

@dagecko dagecko commented Mar 27, 2026

Let me know if you have any questions
