Skip to content

Fix unpinned-action in cdn.yml#714

Open
CodeOpsAI wants to merge 1 commit into
wenyan-lang:masterfrom
CodeOpsAI:codeopsai/unpinned-action-db0c611
Open

Fix unpinned-action in cdn.yml#714
CodeOpsAI wants to merge 1 commit into
wenyan-lang:masterfrom
CodeOpsAI:codeopsai/unpinned-action-db0c611

Conversation

@CodeOpsAI

Copy link
Copy Markdown

🤖 An AI-generated pull request from codeopsai. We open PRs only when we find a concrete, citable issue worth fixing. Not useful? Comment "no thanks" and we won't open more.

About codeopsai

codeopsai analyzes public GitHub Actions workflows for security and reliability issues and opens fixes for maintainer review. Every PR carries citations to the relevant standard (CWE, GitHub docs) and a structural verification trail; if our evidence bar isn't met, we don't open the PR.

Mistake, or unwelcome? Comment here or open an issue at github.com/codeopsai/feedback. We read every one and adjust.

Why these matter

Why pin to a SHA (unpinned-action)

Each unpinned action reference can be force-moved to attacker-controlled code by the action's owner or anyone who compromises their account — exactly what happened in the tj-actions/changed-files attack (CVE-2025-30066, Mar 2025). Pinning to a 40-character commit SHA freezes the exact reviewed code.

Reference: CWE-829 · GitHub/OWASP guidance · Real-world precedent: tj-actions/changed-files supply-chain attack (CVE-2025-30066, Mar 2025)

.github/workflows/cdn.yml

  • 🟠 MED antfu/gha-publish-to-git (job publish)
  • ⚪ LOW actions/checkout (job publish)
  • ⚪ LOW actions/setup-node (job publish)
Diff
--- a/.github/workflows/cdn.yml
+++ b/.github/workflows/cdn.yml
@@ -12,15 +12,15 @@
       matrix:
         node-version: [ 16 ]
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@7c12f8017d5436eb855f1ed4399f037a36fbd9e8
         with:
           node-version: ${{ matrix.node-version }}
           registry-url: https://registry.npmjs.org/
       - run: npm ci
       - run: npm run build:site
-      - uses: antfu/gha-publish-to-git@master
+      - uses: antfu/gha-publish-to-git@528b85e1d7b83e8a9ef32a1f93f909bc7b93bfc7
         with:
           branch: cdn
           github_token: '${{ secrets.GITHUB_TOKEN  }}'

Have other repositories you'd like analysed? Request a scan at codeopsai.com.


AI-generated. Review the diff before merging.

This PR addresses 3 workflow findings:
- [low] unpinned-action in .github/workflows/cdn.yml: Unpinned action version: actions/checkout@v2
- [low] unpinned-action in .github/workflows/cdn.yml: Unpinned action version: actions/setup-node@v2
- [medium] unpinned-action in .github/workflows/cdn.yml: Unpinned action version: antfu/gha-publish-to-git@master

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant