[PR #5271] [CLOSED] fix: pin 8 unpinned action(s), extract 1 inline secret to env var #5222

Closed
opened 2026-05-05 14:56:59 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5271
Author: @dagecko
Created: 3/30/2026
Status: Closed

Base: dev ← Head: runner-guard/fix-ci-security


📝 Commits (1)

  • 5a608bb (https://github.com/fatedier/frp/commit/5a608bba92b17902651e8bc32e914ae070efbd0b) fix: pin 8 unpinned action(s), extract 1 inline secret to env var

📊 Changes

3 files changed (+12 additions, -10 deletions)

📝 .github/workflows/build-and-push-image.yml (+10 -8)
📝 .github/workflows/golangci-lint.yml (+1 -1)
📝 .github/workflows/goreleaser.yml (+1 -1)

📄 Description

Re-submission of #5264. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs and extracts an inline secret from a run: block into an env: mapping.

  • Pin 8 unpinned actions to full 40-character SHAs
  • Extract 1 inline secret from run block to env var

How to verify

Review the diff; each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3, original version preserved as comment
  • Secret extraction: ${{ secrets.* }} in run: moves to env: block, referenced as "${ENV_VAR}" in the script
  • No workflow logic, triggers, or permissions are modified

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here (https://github.com/Vigilant-LLC/runner-guard) so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter (https://x.com/vigilance_one) if you want to stay in the loop.

If you have any questions, reach out. I'll be monitoring comms.

- Chris (dagecko)


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
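The two checks the PR description names (a `uses:` reference that is not a full commit SHA, and `${{ secrets.* }}` expanded directly inside a `run:` script rather than passed through `env:`) are small enough to verify with a line-oriented scan. The script below is an added example written for this page; it is not code from this PR, from the frp repository or from the Runner Guard project. The workflow it scans is constructed inline, and the 40-character SHA on the `setup-go` step is a placeholder, not a real commit of that action. The `pin_reference` helper shows the `action@<sha> # v4` rewrite convention described under "How to verify".

```python
import re

# Constructed sample workflow for this example (not from the frp repository).
# The 40-hex SHA on setup-go is a placeholder, not a real commit of that action.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5 (placeholder SHA)
      - name: login
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u user --password-stdin
      - name: safe login
        env:
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        run: echo "${DOCKER_PASSWORD}" | docker login -u user --password-stdin
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s+)?(run):\s*(.*)$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")


def find_unpinned_actions(text):
    """Return (line, action, ref) for every `uses:` not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions (./path) and docker:// images are not GitHub tag refs; skip them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((lineno, action, version))
    return findings


def run_block_lines(text):
    """Yield (line, text) for every line that belongs to a `run:` scalar.

    A block scalar (`run: |` or `run: >`) continues while the following lines
    are blank or indented deeper than the `run` key itself.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, rest = m.start(1), m.group(2).strip()
        yield i + 1, lines[i]
        i += 1
        if rest.startswith(("|", ">")):
            while i < len(lines):
                stripped = lines[i].lstrip()
                if stripped and len(lines[i]) - len(stripped) <= key_col:
                    break
                yield i + 1, lines[i]
                i += 1


def find_inline_secrets(text):
    """Return (line, expression) for each `${{ secrets.* }}` expanded inside a run: script."""
    return [(lineno, m.group(0))
            for lineno, line in run_block_lines(text)
            for m in SECRET_RE.finditer(line)]


def pin_reference(ref, sha):
    """Rewrite `owner/action@v4` as `owner/action@<sha> # v4`, keeping the version as a comment."""
    if not SHA_RE.match(sha):
        raise ValueError("expected a full 40-character lowercase commit SHA")
    action, _, version = ref.partition("@")
    return f"{action}@{sha} # {version}"


if __name__ == "__main__":
    for lineno, action, version in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action} uses mutable ref {version!r}")
    for lineno, expr in find_inline_secrets(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {expr} expanded into a run: script; move it to env:")
```

On the sample, the scan reports `actions/checkout@v4` on line 7 as unpinned and the `${{ secrets.DOCKER_PASSWORD }}` on line 11 as an inline secret; the `setup-go` step (SHA-pinned) and the `safe login` step (secret passed via `env:` and read as `"${DOCKER_PASSWORD}"`) produce no findings, which is the shape each change in this PR leaves behind. The reason the `env:` form matters is that a `${{ }}` expression is substituted into the script text before the shell sees it, so a secret or any attacker-influenced value there is interpolated as code; an environment variable is only ever data.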
