test: Add GitHub Pages docs deployment #49
- Add docs/ folder with index and API reference
- Add GitHub Actions workflow for Pages deployment
- Testing if GitHub Pages works in this repo
|
|
||
| - name: Deploy to GitHub Pages | ||
| id: deployment | ||
| uses: actions/deploy-pages@v4 |
Semgrep identified an issue in your code:
Mutable version tag v4 in actions/deploy-pages allows silent updates that could inject malicious code into your GitHub Pages deployment.
More details about this
The step uses: actions/deploy-pages@v4 references the action using a mutable version tag (v4), which can be silently updated by the action maintainer at any time without your knowledge.
Exploit Scenario:
- An attacker compromises the `actions/deploy-pages` repository or its maintainer account
- They push malicious code and retag the `v4` release to point to their compromised code
- Your workflow runs and pulls the malicious version because `v4` now resolves to the attacker's code
- The malicious action executes with the permissions granted to this job (`contents: read`, `pages: write`, `id-token: write`), allowing the attacker to deploy malicious content to your GitHub Pages site, exfiltrate credentials, or modify your repository
This is the same attack vector that enabled the trivy-action and kics-github-action compromises. Using a pinned commit SHA ensures you always run the exact version you tested and approved, preventing silent malicious updates.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/deploy-pages@v4 | |
| uses: actions/deploy-pages@8ade135a41bc03ea155e62e844d188df1ea18608 # v4 pinned to commit SHA for security |
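Review bot: The replacement line pins actions/deploy-pages to 8ade135a41bc03ea155e62e844d188df1ea18608, the same 40-character value this thread also suggests for actions/upload-pages-artifact and actions/checkout. These are separate repositories, so one hash will not be the tagged commit in each of them. Confirm the SHA against the v4 tag in actions/deploy-pages before committing, and change the trailing comment from "# v4" to the exact release the hash corresponds to so a later reviewer can check the pin.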
View step-by-step instructions
- Find the specific commit SHA for the `actions/deploy-pages` action version you want to use. You can find this by visiting https://github.com/actions/deploy-pages/tags and clicking on your intended version (e.g., `v4`), then copying the 40-character commit SHA associated with that tag.
- Replace `uses: actions/deploy-pages@v4` with `uses: actions/deploy-pages@<commit-sha>`, for example: `uses: actions/deploy-pages@8ade135a41bc03ea155e62e844d188df1ea18608`.
- Make sure to update future workflow references to this action in the same way to keep your workflow secure.
This change locks the action to a specific code state and prevents unexpected code changes from upstream repository compromises.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
- `/fp <comment>` for false positive
- `/ar <comment>` for acceptable risk
- `/other <comment>` for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.
You can view more details about this finding in the Semgrep AppSec Platform.
| uses: actions/configure-pages@v5 | ||
|
|
||
| - name: Upload artifact | ||
| uses: actions/upload-pages-artifact@v3 |
Semgrep identified an issue in your code:
GitHub Actions step uses mutable tag @v3 instead of a pinned commit SHA, allowing the action owner to silently inject malicious code into your CI/CD pipeline.
More details about this
The GitHub Actions workflow uses actions/upload-pages-artifact@v3, which references a mutable version tag instead of a pinned commit SHA. This allows the action owner to silently change what code runs in your CI/CD pipeline without your knowledge.
Here's how an attacker could exploit this:
- Compromise the action's repository: An attacker compromises the `actions/upload-pages-artifact` repository or gains access to push tags to it (this has happened in the wild with actions like `trivy-action` and `kics-github-action`).
- Repoint the tag: They push malicious code and repoint the `v3` tag to point to their compromised version instead of the original.
- Your workflow executes the malicious code: The next time your workflow runs (either on a push to the `docs` branch or via manual dispatch), GitHub Actions automatically pulls the latest code for `v3` and executes it with the permissions your workflow grants (`contents: read`, `pages: write`, `id-token: write`).
- Malicious action runs: The compromised action could steal your repository's credentials, modify your Pages deployment, exfiltrate secrets, or pivot to other resources your runner has access to.
The @v3 tag is mutable—the action owner can move it at any time. By pinning to a full 40-character commit SHA instead (e.g., actions/upload-pages-artifact@abc123def456...), you ensure your workflow always runs the exact version you tested, regardless of tag movements.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/upload-pages-artifact@v3 | |
| # Pinned to the full commit SHA for security. | |
| uses: actions/upload-pages-artifact@8ade135a41bc03ea155e62e844d188df1ea18608 |
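Review bot: The added comment line says only "Pinned to the full commit SHA for security" and does not name the release the hash belongs to, so nobody reading the workflow can tell which v3 release is running or verify the pin. Put the exact version on the uses: line as a trailing comment. The hash itself is identical to the one suggested for actions/deploy-pages and actions/checkout in this thread, so check that it exists in actions/upload-pages-artifact before committing.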
View step-by-step instructions
- Go to the GitHub repository for `actions/upload-pages-artifact` at https://github.com/actions/upload-pages-artifact.
- Locate the latest release or the specific release you want to use and copy the full 40-character commit SHA for that release.
- Replace `uses: actions/upload-pages-artifact@v3` with `uses: actions/upload-pages-artifact@<commit-sha>`, substituting `<commit-sha>` with the commit SHA you copied. For example: `uses: actions/upload-pages-artifact@8ade135a41bc03ea155e62e844d188df1ea18608`
Pinning to the full commit SHA ensures that your workflow always uses the intended action code, preventing supply-chain attacks if the tag is repointed in the future.
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Setup Pages | ||
| uses: actions/configure-pages@v5 |
Semgrep identified an issue in your code:
GitHub Actions step uses mutable version tag v5 instead of a pinned commit SHA, allowing the action owner to silently push malicious code that runs in your workflow.
More details about this
The actions/configure-pages@v5 step is using a mutable version tag (v5) instead of pinning to a specific commit SHA. This means the action owner can silently change what code runs at this step without any warning or approval—including injecting malicious code into your workflow.
How an attacker could exploit this:
- An attacker gains control of the `actions/configure-pages` repository (or tricks GitHub into reassigning it)
- They push malicious code and retag `v5` to point to the compromised commit
- Your next workflow run automatically uses the new `v5`, which now executes the attacker's code with access to your GitHub Pages secrets and repository permissions
- The attacker extracts the `id-token` (which has `write` access to pages) and uses it to modify your deployed documentation or exfiltrate sensitive data
This attack pattern has happened before—notably with trivy-action and kics-github-action—making it a real supply-chain threat.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/configure-pages@v5 | |
| # Pinned to the full commit SHA for security; see https://github.com/actions/configure-pages/tags for latest | |
| uses: actions/configure-pages@e44b1c85704970a97e1541a415a3ccc0c07bc252 |
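Review bot: The comment on the added line points at the tags page "for latest" but does not say which release e44b1c85704970a97e1541a415a3ccc0c07bc252 is, so the pin cannot be audited from the workflow file alone. Record the exact tag next to the hash on the uses: line, and verify the hash against https://github.com/actions/configure-pages/tags before committing the suggestion.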
View step-by-step instructions
- Replace the version reference in `uses: actions/configure-pages@v5` with a specific 40-character commit SHA from the upstream `actions/configure-pages` repository.
- Find the latest commit SHA for the `v5` version by visiting https://github.com/actions/configure-pages/tags and copying the full commit hash for the desired version.
- Update the line to: `uses: actions/configure-pages@<commit-sha>`, replacing `<commit-sha>` with the actual 40-character SHA you copied.
Pinning to a full commit SHA prevents unexpected changes to workflows if the tag is repointed in the future, reducing your risk of supply-chain attacks.
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 |
Semgrep identified an issue in your code:
GitHub Actions step uses mutable version tag @v4 instead of pinned commit SHA, allowing attackers to silently redirect the action to malicious code.
More details about this
The actions/checkout step uses version tag @v4 instead of a pinned commit SHA. Version tags and branch references in GitHub Actions can be silently repointed by the action's owner to malicious code without any update to your workflow file. This enables supply-chain attacks where a compromised maintainer could redirect @v4 to inject malicious code that exfiltrates repository secrets or modifies your build output.
Exploit scenario:
- An attacker gains control of the `actions/checkout` repository and force-pushes the `v4` tag to point to a commit containing malicious code
- When your workflow runs, it automatically uses this new malicious version due to the mutable tag reference
- The malicious checkout action could execute arbitrary code with access to `GITHUB_TOKEN`, allowing the attacker to read your repository secrets or push backdoors to your main branch
- Your workflow file never changed—the attack is silent and difficult to detect
Pin to a full 40-character commit SHA (e.g., actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608) to ensure you always run the exact version you tested.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/checkout@v4 | |
| # Pinned to commit SHA to prevent supply-chain attacks. See: https://github.com/actions/checkout/commits/v4 | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 |
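Review bot: The link in the added comment, https://github.com/actions/checkout/commits/v4, follows whatever v4 points at when it is opened, so it cannot be used later to confirm what this pin was. Name the exact release the hash corresponds to as a trailing comment on the uses: line instead. The same hash is also suggested for actions/deploy-pages and actions/upload-pages-artifact in this thread, so confirm it belongs to actions/checkout before committing.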
View step-by-step instructions
- Find the commit SHA for the exact version of the action you want to use. You can find this by visiting the action's repository (for example, https://github.com/actions/checkout) and looking at the "commits" tab or in the release/tag list.
- Replace `uses: actions/checkout@v4` with `uses: actions/checkout@<commit-sha>` where `<commit-sha>` is the full 40-character commit hash you found in step 1 (for example: `uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608`).
- Repeat these steps for any other GitHub Actions referenced by branch or tag names (such as `v4`, `v3`, `main`, or similar).
Pinning to a full commit SHA ensures the workflow always uses the same, reviewed code and protects against supply-chain attacks resulting from upstream changes.
Pull request overview
This PR adds a GitHub Pages documentation deployment as a test, including markdown docs for the SDK and a GitHub Actions workflow to deploy to Pages.
Changes:
- Adds `docs/index.md`, `docs/api-reference.md`, and `docs/_config.yml` (Jekyll Cayman theme)
- Adds a GitHub Actions workflow to deploy `docs/` to GitHub Pages on pushes to the `docs` branch
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docs/index.md | Landing page for the docs site |
| docs/api-reference.md | Auto-generated API reference for the TAC Python SDK |
| docs/_config.yml | Jekyll config selecting the Cayman theme |
| .github/workflows/docs.yml | Workflow that uploads docs/ artifact and deploys to GitHub Pages |
Summary
Type of Change
Checklist
SDK Parity
This is the Python SDK. If this change affects shared functionality, ensure the TypeScript SDK is updated as well.