Skip to content

Fix unpinned-action in ci.yml#793

Open
CodeOpsAI wants to merge 1 commit into
minekube:masterfrom
CodeOpsAI:codeopsai/unpinned-action-0e887b0
Open

Fix unpinned-action in ci.yml#793
CodeOpsAI wants to merge 1 commit into
minekube:masterfrom
CodeOpsAI:codeopsai/unpinned-action-0e887b0

Conversation

@CodeOpsAI

Copy link
Copy Markdown

🤖 An AI-generated pull request from codeopsai. We open PRs only when we find a concrete, citable issue worth fixing. Not useful? Comment "no thanks" and we won't open more.

About codeopsai

codeopsai analyzes public GitHub Actions workflows for security and reliability issues and opens fixes for maintainer review. Every PR carries citations to the relevant standard (CWE, GitHub docs) and a structural verification trail; if our evidence bar isn't met, we don't open the PR.

Mistake, or unwelcome? Comment here or open an issue at github.com/codeopsai/feedback. We read every one and adjust.

Why these matter

Why pin to a SHA (unpinned-action)

Each unpinned action reference can be force-moved to attacker-controlled code by the action's owner or anyone who compromises their account — exactly what happened in the tj-actions/changed-files attack (CVE-2025-30066, Mar 2025). Pinning to a 40-character commit SHA freezes the exact reviewed code.

Reference: CWE-829 · GitHub/OWASP guidance · Real-world precedent: tj-actions/changed-files supply-chain attack (CVE-2025-30066, Mar 2025)

.github/workflows/ci.yml

  • 🟠 MED docker/setup-buildx-action (job docker-smoke)
  • 🟠 MED docker/build-push-action (job docker-smoke)
  • 🟠 MED docker/build-push-action (job docker-smoke)
  • 🟠 MED docker/setup-buildx-action (job build)
  • 🟠 MED docker/login-action (job build)
  • 🟠 MED docker/build-push-action (job build)
  • 🟠 MED docker/build-push-action (job build)
  • 🟠 MED goreleaser/goreleaser-action (job releaser)
  • ⚪ LOW actions/checkout (job lint)
  • ⚪ LOW actions/setup-go (job lint)
  • ⚪ LOW actions/checkout (job test)
  • ⚪ LOW actions/setup-go (job test)
  • ⚪ LOW actions/checkout (job docker-smoke)
  • ⚪ LOW actions/checkout (job build)
  • ⚪ LOW actions/checkout (job releaser)
  • ⚪ LOW actions/setup-go (job releaser)
Diff
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,10 +17,10 @@
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Setup Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           go-version-file: go.mod
 
@@ -37,10 +37,10 @@
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Setup Go with cache
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
         with:
           cache: true
           go-version-file: go.mod
@@ -67,13 +67,13 @@
     runs-on: ${{ matrix.runner }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Set up docker buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5
 
       - name: Build gate image (host arch, load)
... (71 more diff lines — see Files changed)

Have other repositories you'd like analysed? Request a scan at codeopsai.com.


AI-generated. Review the diff before merging.

This PR addresses 16 workflow findings:
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/setup-go@v6
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/setup-go@v6
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: docker/build-push-action@v7
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/checkout@v6
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: docker/setup-buildx-action@v4
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: docker/login-action@v4
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: docker/build-push-action@v7
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: docker/build-push-action@v7
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/checkout@v6
- [low] unpinned-action in .github/workflows/ci.yml: Unpinned action version: actions/setup-go@v6
- [medium] unpinned-action in .github/workflows/ci.yml: Unpinned action version: goreleaser/goreleaser-action@v7

These workflows handle CI/CD with elevated privileges; the affected configurations expand attack surface or grant tokens broader access than needed. See the PR description for per-finding rationale and citations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant