mirror of
https://github.com/RayLabsHQ/gitea-mirror.git
synced 2026-06-13 09:54:48 +02:00
a02865a1aa
Tags are mutable. A compromised maintainer (or a maintainer's compromised machine) can force-move v-tags to point at malicious commits, and any workflow using `@vN` picks up the malicious code on its next run — see the recent `actions-cool/issues-helper` / `maintain-one-comment` incident exfiltrating credentials from `Runner.Worker` memory. This commit pins every third-party action in the two workflows that handle secrets (GHCR push, Docker Hub login, Scout token) to immutable 40-char SHAs, with a trailing comment naming the release version for readability. SHAs are the latest released tag at time of pin. The two DeterminateSystems actions were on `@main` — a *branch* ref that moves on every push, materially worse than a tag — and are now pinned to the latest release SHAs (v22 / v13). First-party `actions/*` and `github/codeql-action` are left on tags for now; they're a separate, lower-risk follow-up.
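As an added illustration (not part of this commit or the gitea-mirror project), a small Python audit that classifies every `uses:` reference in a workflow file the way the message above does: immutable 40-character SHA, version tag, or branch ref, and reports first-party `actions/*` / `github/codeql-action` separately to mirror the follow-up the commit defers. The workflow text and the all-zero SHA are constructed placeholders, and the regex assumes unquoted `uses:` values.

```python
import re
from dataclasses import dataclass

# Matches an unquoted `uses:` reference such as
#   uses: docker/login-action@v3
#   uses: docker/login-action@<40-hex-sha>  # v3.4.0
# Local actions (./path) and docker:// images have no `owner/repo@ref`
# shape and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-/]+)@([^\s#]+)(?:\s*#\s*(\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # immutable commit pin
TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")     # vN / vN.N / vN.N.N: mutable tag
# Actions the commit message leaves on tags as a lower-risk follow-up.
FIRST_PARTY = ("actions/", "github/codeql-action")

@dataclass
class Finding:
    line: int
    action: str
    ref: str
    kind: str          # "sha", "tag" or "branch"
    first_party: bool
    comment: str       # trailing "# vN" annotation, if any

def classify_ref(ref):
    """SHA pins are immutable; tags can be force-moved; anything else
    (e.g. @main) is a branch that moves on every push."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"

def audit_workflow(text):
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group(1), m.group(2), m.group(3) or ""
        findings.append(Finding(n, action, ref, classify_ref(ref),
                                action.startswith(FIRST_PARTY), comment))
    return findings

def unpinned(findings, include_first_party=False):
    """Every reference that is not a 40-char SHA, optionally including
    the first-party actions the commit defers."""
    return [f for f in findings if f.kind != "sha"
            and (include_first_party or not f.first_party)]

# Constructed sample workflow; the SHA below is a placeholder, not a real pin.
SAMPLE_WORKFLOW = """\
jobs:
  push:
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: docker/login-action@0000000000000000000000000000000000000000 # v3.4.0
"""
```

Running `unpinned(audit_workflow(SAMPLE_WORKFLOW))` on the sample reports only the `@main` branch ref as third-party and unpinned; pass `include_first_party=True` to also list the tag-pinned `actions/checkout`.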