Severity: LOW
Problem
.github/workflows/release-macos.yml uses tag-based action references:
actions/checkout@v4 (line 20)
pnpm/action-setup@v4 (line 23)
actions/setup-node@v4 (line 28)
dtolnay/rust-toolchain@stable (line 34)
softprops/action-gh-release@v2 (line 209)
If any of these tags are compromised or moved to point to a different commit, the workflow could execute malicious code.
Proposed Solution
Pin each action to its current commit SHA, keeping the tag as a trailing comment so the intended version stays readable, e.g. for the checkout step:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
Also add persist-credentials: false to the checkout step (line 20) to prevent the GitHub token from persisting in git config.
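A small audit script, added here as an illustration rather than part of the issue or the repository, that flags exactly the two problems above: `uses:` references whose ref is not a 40-hex commit SHA, and `actions/checkout` steps without `persist-credentials: false`. The embedded workflow excerpt is constructed for the demo (only the SHA comes from the issue); it assumes the common `- uses:` / `- name:` + `uses:` step layout and that a step's `with:` block follows its `uses:` line.

```python
import re

# Constructed sample modelled on release-macos.yml; not the repository's real file.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@stable
"""

# Matches `- uses: owner/repo@ref` or a bare `uses:` key inside a `- name:` step.
# Local (./path) and docker:// actions have no `@ref` and are skipped on purpose.
USES_RE = re.compile(r"^(\s*)(-\s*)?uses:\s*([^\s#@]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return [(line_no, message)] for unpinned actions and checkout steps
    that leave the GITHUB_TOKEN in the checked-out repo's git config."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        indent, dash, action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append((i + 1, f"{action}@{ref} is not pinned to a commit SHA"))
        if action == "actions/checkout":
            # The step's own keys are indented deeper than its `-` marker; a bare
            # `uses:` key sits two columns right of the dash in the usual layout.
            step_indent = len(indent) if dash else len(indent) - 2
            persisted = True
            for follow in lines[i + 1:]:
                if follow.strip() and len(follow) - len(follow.lstrip()) <= step_indent:
                    break  # reached the next step (or left the steps block)
                if re.match(r"^\s*persist-credentials:\s*false\b", follow):
                    persisted = False
            if persisted:
                findings.append((i + 1, "actions/checkout step lacks persist-credentials: false"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {msg}")
```

Run it against the real file with `audit_workflow(open(".github/workflows/release-macos.yml").read())`; an empty result means every action is SHA-pinned and every checkout step disables credential persistence.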
References
PLAN.md item: Pin GitHub Actions by commit SHA for supply chain security #19