[PR #5264] [CLOSED] fix: pin 8 unpinned action(s),extract 1 unsafe expression(s) to env vars #5216

New issue

Closed

opened 2026-05-05 14:56:52 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 14:56:52 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5264
Author: @dagecko
Created: 3/26/2026
Status: ❌ Closed

Base: dev ← Head: runner-guard/fix-ci-security

📝 Commits (1)

0b8febd fix: pin 8 unpinned action(s),extract 1 unsafe expression(s) to env vars

📊 Changes

3 files changed (+12 additions, -10 deletions)

View changed files

📝 .github/workflows/build-and-push-image.yml (+10 -8)
📝 .github/workflows/golangci-lint.yml (+1 -1)
📝 .github/workflows/goreleaser.yml (+1 -1)

📄 Description

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

Rule	Severity	File	Description
RGS-007	high	`.github/workflows/build-and-push-image.yml`	Pinned 6 third-party action(s) to commit SHA
RGS-002	high	`.github/workflows/build-and-push-image.yml`	Extracted 1 unsafe expression(s) to env vars
RGS-007	high	`.github/workflows/golangci-lint.yml`	Pinned 1 third-party action(s) to commit SHA
RGS-007	high	`.github/workflows/goreleaser.yml`	Pinned 1 third-party action(s) to commit SHA

Advisory: additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
run: blocks into env: mappings, preventing shell injection
SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
(original version tag preserved as comment)
Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
which leak secrets in workflow logs

Run brew install Vigilant-LLC/tap/runner-guard && runner-guard scan . or install from the
repo to verify.

Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fatedier/frp/pull/5264 **Author:** [@dagecko](https://github.com/dagecko) **Created:** 3/26/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `runner-guard/fix-ci-security` --- ### 📝 Commits (1) - [`0b8febd`](https://github.com/fatedier/frp/commit/0b8febdd14cd6f7bed36521bb0a405b975bd155d) fix: pin 8 unpinned action(s),extract 1 unsafe expression(s) to env vars ### 📊 Changes **3 files changed** (+12 additions, -10 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/build-and-push-image.yml` (+10 -8) 📝 `.github/workflows/golangci-lint.yml` (+1 -1) 📝 `.github/workflows/goreleaser.yml` (+1 -1) </details> ### 📄 Description ## Fix: CI/CD Security Vulnerabilities in GitHub Actions Hi! [Runner Guard](https://github.com/Vigilant-LLC/runner-guard), an open-source CI/CD security scanner by [Vigilant Cyber Security](https://www.vigilantdefense.com), identified security vulnerabilities in this repository's GitHub Actions workflows. This PR applies automated fixes where possible and reports additional findings for your review. ### Fixes applied (in this PR) | Rule | Severity | File | Description | |------|----------|------|-------------| | RGS-007 | high | `.github/workflows/build-and-push-image.yml` | Pinned 6 third-party action(s) to commit SHA | | RGS-002 | high | `.github/workflows/build-and-push-image.yml` | Extracted 1 unsafe expression(s) to env vars | | RGS-007 | high | `.github/workflows/golangci-lint.yml` | Pinned 1 third-party action(s) to commit SHA | | RGS-007 | high | `.github/workflows/goreleaser.yml` | Pinned 1 third-party action(s) to commit SHA | ### Advisory: additional findings (manual review recommended) No additional findings beyond the fixes applied above. ### Why this matters GitHub Actions workflows that use untrusted input in `run:` blocks, expose secrets inline, or use unpinned third-party actions are vulnerable to code injection, credential theft, and supply chain attacks. These are the same vulnerability classes exploited in the [tj-actions/changed-files incident](https://www.vigilantdefense.com/resources/runner-guard) and subsequent supply chain attacks, which compromised CI secrets across thousands of repositories. ### How to verify Review the diff — each change is mechanical and preserves workflow behavior: - **Expression extraction** (RGS-002/008/014): Moves `${{ }}` expressions from `run:` blocks into `env:` mappings, preventing shell injection - **SHA pinning** (RGS-007): Pins third-party actions to immutable commit SHAs (original version tag preserved as comment) - **Debug env removal** (RGS-015): Removes `ACTIONS_RUNNER_DEBUG`/`ACTIONS_STEP_DEBUG` which leak secrets in workflow logs Run `brew install Vigilant-LLC/tap/runner-guard && runner-guard scan .` or install from the [repo](https://github.com/Vigilant-LLC/runner-guard) to verify. --- Found by [Runner Guard](https://github.com/Vigilant-LLC/runner-guard) | Built by [Vigilant Cyber Security](https://www.vigilantdefense.com) | [Learn more](https://www.vigilantdefense.com/resources/runner-guard) If this PR is not welcome, just close it -- we won't send another. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>