Closed
Objective
Pin unpinned GitHub Actions to specific commit SHAs in daily-cli-performance.md and issue-monster.md to prevent supply chain attacks via tag mutation.
Context
Source: Static Analysis Report - 2026-03-22
Vulnerability: unpinned-uses — GitHub Actions used without pinning to a specific SHA, allowing supply chain attacks via tag mutation.
Affected files:
- `.github/workflows/daily-cli-performance.md`
- `.github/workflows/issue-monster.md`

The compiled `daily-cli-performance.lock.yml` contains:

```yaml
uses: actions/github-script@v8
```

This action reference uses a mutable tag (`@v8`) rather than a pinned SHA.
Approach
- Find the current SHA for `actions/github-script@v8`:

  ```shell
  gh api repos/actions/github-script/git/refs/tags/v8
  # Or: git ls-remote https://github.com/actions/github-script refs/tags/v8
  ```

- Update the action references in the `.md` source files to use the full SHA:

  ```yaml
  uses: actions/github-script@SHA_HERE # v8
  ```

- Check if the `.md` file directly specifies these actions or if they're generated by the compiler
- If compiler-generated, update the compiler template in `pkg/workflow/` to pin to SHA
- Run `make recompile` to regenerate the lock files
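As an added example (not code from this repository's `pkg/workflow` compiler or from the issue), a small Go checker that performs the rewrite described above and the acceptance check: it pins `uses:` lines to a commit SHA through a caller-supplied resolver, keeps the original tag as a `# v8`-style comment, and lists any refs still unpinned. The resolver is assumed to return commit SHAs; note that `gh api .../git/refs/tags/v8` returns the tag object's SHA for an annotated tag, which must be peeled to the commit it points at before pinning.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe matches a step's `uses: owner/repo[/path]@ref` line: indentation and key,
// action path, ref, and any trailing text (an existing comment).
var usesRe = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([\w.-]+/[\w./-]+)@(\S+)(.*)$`)

// fullShaRe is the only ref form zizmor's unpinned-uses rule treats as pinned.
var fullShaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// IsPinned reports whether ref is a full 40-character lowercase hex commit SHA.
func IsPinned(ref string) bool { return fullShaRe.MatchString(ref) }

// PinUses rewrites one `uses:` line to a commit SHA, keeping the original tag as a
// trailing `# tag` comment (replacing any comment already there). resolve maps
// (action, tag) to the commit SHA; for an annotated tag the caller must peel the
// tag object to its commit first, otherwise the pinned SHA is not what would run.
func PinUses(line string, resolve func(action, tag string) (string, bool)) (string, bool) {
	m := usesRe.FindStringSubmatch(line)
	if m == nil || IsPinned(m[3]) {
		return line, false // not a uses: line, or already pinned
	}
	sha, ok := resolve(m[2], m[3])
	if !ok || !IsPinned(sha) {
		return line, false // unknown tag, or resolver returned something other than a 40-hex SHA
	}
	return fmt.Sprintf("%s%s@%s # %s", m[1], m[2], sha, m[3]), true
}

// PinWorkflow applies PinUses to every line of a lock file and returns the
// rewritten text plus the action refs that are still unpinned afterwards.
func PinWorkflow(src string, resolve func(action, tag string) (string, bool)) (string, []string) {
	var out, unpinned []string
	for _, line := range strings.Split(src, "\n") {
		fixed, _ := PinUses(line, resolve)
		if m := usesRe.FindStringSubmatch(fixed); m != nil && !IsPinned(m[3]) {
			unpinned = append(unpinned, m[2]+"@"+m[3])
		}
		out = append(out, fixed)
	}
	return strings.Join(out, "\n"), unpinned
}
```

Call `PinWorkflow` on the lock-file text with a resolver that wraps the `gh api` call from the step above; the returned slice is the set of refs zizmor would still flag, so an empty slice is the acceptance criterion.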
Files to Investigate
- `.github/workflows/daily-cli-performance.md`
- `.github/workflows/issue-monster.md`
- `pkg/workflow/*.go` — check if `actions/github-script@v8` is hardcoded in compiler templates
Acceptance Criteria
- Zizmor no longer reports `unpinned-uses` for `daily-cli-performance` and `issue-monster`
- All `uses:` references in the affected lock files point to full 40-character commit SHAs
- A comment with the original tag (e.g., `# v8`) is preserved for readability
- The workflows still function correctly after pinning
Generated by Plan Command for issue #discussion #22240 (expires on Mar 24, 2026, 8:48 AM UTC)