From 199f36649f3c2b21b65c750d583fa033083160a6 Mon Sep 17 00:00:00 2001
From: XananasX7
Date: Sun, 28 Jun 2026 02:22:10 +0000
Subject: [PATCH] fix(security): pin third-party Actions in pull_request_target workflows to SHAs

lewagon/wait-on-check-action@v1.3.4 is a tag-pinned third-party action used in pull_request_target context with pull-requests:write permission. A supply-chain attack via that action could approve malicious PRs. Pinned to commit SHA.
---
 .github/workflows/auto-review.yml | 4 ++--
 .github/workflows/automerge.yml | 2 +-
 .github/workflows/ci-done.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/auto-review.yml b/.github/workflows/auto-review.yml
index cec2e03ed..fd0cfc15b 100644
--- a/.github/workflows/auto-review.yml
+++ b/.github/workflows/auto-review.yml
@@ -30,14 +30,14 @@ jobs:
 # create review
 pull-requests: write
 steps:
- - uses: lewagon/wait-on-check-action@v1.3.4
+ - uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 repo-token: ${{ github.token }}
 check-regexp: "test.*"
 wait-interval: 60
- - uses: "actions/github-script@v7"
+ - uses: "actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b" # v7
 with:
 github-token: ${{ github.token }}
 script: |
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index a82dcc31a..935a630e7 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -41,7 +41,7 @@ jobs:
 # wait-on-check requires only checks read
 checks: read
 steps:
- - uses: lewagon/wait-on-check-action@v1.3.4
+ - uses: lewagon/wait-on-check-action@ccfb013c15c8afb7bf2b7c028fb74dc5a068cccc # v1.3.4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 check-regexp: "test.*"
diff --git a/.github/workflows/ci-done.yml b/.github/workflows/ci-done.yml
index c4633549a..79896ccbd 100644
--- a/.github/workflows/ci-done.yml
+++ b/.github/workflows/ci-done.yml
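Review bot: The new SHA pins on the two `uses:` lines carry a `# v1.3.4` / `# v7` trailer, but nothing keeps the SHA and the comment in step, so the pins will silently rot and a later bump can update one without the other; the same applies to the pins in automerge.yml and ci-done.yml. Adding a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` keeps SHA-pinned actions updated and rewrites the version comment alongside the SHA. Before merging, confirm each SHA is actually reachable from the named tag in the upstream repository, since an `owner/repo@sha` reference does not by itself prove the commit belongs to that release. Pinning also does not change that the following step still runs with `pull-requests: write` under `pull_request_target`; the `script: |` body that uses that permission continues outside the hunk and should be reviewed for what it does with PR-controlled data.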
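Review bot: The pinned wait-on-check-action step here passes no `repo-token`, whereas the same step in auto-review.yml sets `repo-token: ${{ github.token }}` explicitly; if the action's default resolves to the same token this is harmless, but stating it makes the credential the step uses reviewable and keeps the two workflows consistent. The `checks: read` comment on the job already documents the least-privilege intent, which the pin now complements. Whatever this job does after the wait completes runs outside the hunk and is not covered by this review.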
@@ -19,7 +19,7 @@ jobs:
 # publish creates a check run
 checks: write
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 var artifacts = await github.rest.actions.listWorkflowRunArtifacts({
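Review bot: The pinned `uses:` line is written unquoted here but quoted (`"actions/github-script@…"`) in auto-review.yml; both forms parse identically, so pick one for all three workflows — unquoted is the conventional form for `uses:` and avoids mixing a quoted reference with a bare trailing comment. The step runs with `checks: write` and the visible `listWorkflowRunArtifacts` call means the script consumes artifacts produced by another run, whose inputs are presumably PR-controlled; a comment above the step such as `# artifact contents come from the triggering run and are untrusted: validate before publishing into the check run` would record the trust boundary the script body must honour. The `script: |` body continues outside the hunk, so that handling cannot be checked here.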