Skip to content

fix: pin 5 unpinned action(s)#63301

Closed
dagecko wants to merge 1 commit intomicrosoft:mainfrom
dagecko:runner-guard/fix-ci-security
Closed

fix: pin 5 unpinned action(s)#63301
dagecko wants to merge 1 commit intomicrosoft:mainfrom
dagecko:runner-guard/fix-ci-security

Conversation

@dagecko
Copy link

@dagecko dagecko commented Mar 26, 2026

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

Rule Severity File Description
RGS-007 high .github/workflows/create-cherry-pick-pr.yml Pinned 1 third-party action(s) to commit SHA
RGS-007 high .github/workflows/new-release-branch.yaml Pinned 1 third-party action(s) to commit SHA
RGS-007 high .github/workflows/set-version.yaml Pinned 1 third-party action(s) to commit SHA
RGS-007 high .github/workflows/sync-branch.yaml Pinned 1 third-party action(s) to commit SHA
RGS-007 high .github/workflows/twoslash-repros.yaml Pinned 1 third-party action(s) to commit SHA

Advisory: additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
    run: blocks into env: mappings, preventing shell injection
  • SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
    (original version tag preserved as comment)
  • Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
    which leak secrets in workflow logs

Run brew install Vigilant-LLC/tap/runner-guard && runner-guard scan . or install from the
repo to verify.

Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

@dagecko
fix: pin 5 unpinned action(s)
1116338 
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/create-cherry-pick-pr.yml | 2 +-
 .github/workflows/new-release-branch.yaml   | 2 +-
 .github/workflows/set-version.yaml          | 2 +-
 .github/workflows/sync-branch.yaml          | 2 +-
 .github/workflows/twoslash-repros.yaml      | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
@github-project-automation github-project-automation bot moved this to Not started in PR Backlog Mar 26, 2026
@jakebailey
Copy link
Member

jakebailey commented Mar 26, 2026

Note that these are all actions owned by our team and are unpinned on purpose. I do not think we need this.

@jakebailey jakebailey closed this Mar 26, 2026
@github-project-automation github-project-automation bot moved this from Not started to Done in PR Backlog Mar 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

PR Backlog
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dagecko @jakebailey