fix: pin 1 unpinned action(s),extract 1 unsafe expression(s) to env vars#3455
fix: pin 1 unpinned action(s),extract 1 unsafe expression(s) to env vars#3455dagecko wants to merge 1 commit intoiluwatar:masterfrom
Conversation
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/presubmit.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
PR SummaryAutomated security fixes applied by Runner Guard to GitHub Actions: pins a third-party action to a commit SHA and extracts an unsafe expression in a run block to an environment variable. The workflow now reads LLM_API_KEY from the environment and pins the action to a fixed SHA to reduce supply-chain and secret leakage risks. Changes
autogenerated by presubmit.ai |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
✅ LGTM!
Review Summary
Commits Considered (1)
- cf619f0: fix: pin 1 unpinned action(s),extract 1 unsafe expression(s) to env vars
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).
Changes:
.github/workflows/presubmit.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Files Processed (1)
- .github/workflows/presubmit.yml (1 hunk)
Actionable Comments (0)
Skipped Comments (3)
-
.github/workflows/presubmit.yml [20-23]
best_practice: "Secret presence check within the run block"
-
.github/workflows/presubmit.yml [24-25]
best_practice: "Ensure correct step-scoped env for secret"
-
.github/workflows/presubmit.yml [26-26]
best_practice: "SHA pinning with misleading inline comment"
|
1 participant
Fix: CI/CD Security Vulnerabilities in GitHub Actions
Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.
This PR applies automated fixes where possible and reports additional findings
for your review.
Fixes applied (in this PR)
.github/workflows/presubmit.yml.github/workflows/presubmit.ymlAdvisory: additional findings (manual review recommended)
| Rule | Severity | File | Description |
| RGS-001 | critical |
.github/workflows/maven-pr-builder.yml| pull_request_target with Fork Code Checkout || RGS-004 | high |
.github/workflows/presubmit.yml| Comment-Triggered Workflow Without Author Authorization Check || RGS-004 | high |
.github/workflows/presubmit.yml| Comment-Triggered Workflow Without Author Authorization Check |Why this matters
GitHub Actions workflows that use untrusted input in
run:blocks, exposesecrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.
How to verify
Review the diff — each change is mechanical and preserves workflow behavior:
${{ }}expressions fromrun:blocks intoenv:mappings, preventing shell injection(original version tag preserved as comment)
ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUGwhich leak secrets in workflow logs
Run
brew install Vigilant-LLC/tap/runner-guard && runner-guard scan .or install from therepo to verify.
Found by Runner Guard | Built by Vigilant Cyber Security | Learn more
If this PR is not welcome, just close it -- we won't send another.