Commit: 2f26d91 · Finding: DEP-04 (supersedes GEN-19)
Problem
dtolnay/rust-toolchain@stable at .github/workflows/ci.yml:20,30,48,64, .github/workflows/deploy.yml:23, .github/workflows/e2e.yml:22 — mutable ref: stable is a moving tag/branch, so the action code that runs changes whenever upstream moves it, with no change in this repo.
taiki-e/install-action@just at .github/workflows/e2e.yml:40 — floats on the upstream just tag with no version; both the action code and the just binary it installs are decided upstream at run time.
deploy.yml publishes to the Linode production host, so a compromised or hijacked upstream action (a retargeted tag, a compromised maintainer account or token) immediately runs with whatever credentials that job holds, in a release-privileged context.
Fix
- Pin all actions to full commit SHAs, at minimum in deploy.yml. Example: dtolnay/rust-toolchain@<sha> # stable.
- Run pinact (or pin-github-action) across all three workflows.
- Enable Dependabot for GitHub Actions (.github/dependabot.yml entry for github-actions, weekly) to keep SHAs fresh.
Obvious fix — will be auto-PR'd.
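As an added check, not part of this finding's tooling or of the project, the script below is the gate a reviewer would put in CI so the fix does not regress: it scans workflow files for uses: references whose ref is not a full 40-hex commit SHA. The sample workflows are constructed to mirror the e2e.yml steps named above (they are not the repo's real file), the 40-hex values in the pinned version are placeholders rather than the real upstream commits, and the script name check_pins.py in the usage note is assumed.

```python
import re

# Matches a `uses:` step or job line and captures owner/repo[/subpath] and the ref after '@'.
# Local actions (uses: ./path) and docker:// references never match and are ignored.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?'          # optional list dash, key, optional opening quote
    r'([\w.-]+/[\w.-]+(?:/[\w./-]+)?)'  # owner/repo or owner/repo/subpath (reusable workflows)
    r'@([^\s"\'#]+)'                    # ref: tag, branch or SHA, up to whitespace/quote/comment
)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned(workflow_text, path="workflow.yml"):
    """Return (path, line_no, action, ref) for every uses: line whose ref is not a full commit SHA.

    Deliberately strict: tags, branches and abbreviated SHAs are all reported, because only a
    full 40-hex SHA cannot be retargeted upstream."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.match(ref) is None:
            findings.append((path, line_no, action, ref))
    return findings


def check_workflows(files):
    """files: {path: text}. Returns all findings; an empty list means every action is SHA-pinned."""
    findings = []
    for path, text in files.items():
        findings.extend(find_unpinned(text, path))
    return findings


# Constructed sample mirroring the e2e.yml steps named in the finding (not the project's file).
E2E_BEFORE = """\
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: taiki-e/install-action@just
      - run: just e2e
"""

# The same steps after pinning, in the `@<sha> # <tag>` form the finding suggests. The SHAs below
# are placeholders, not the real upstream commits; resolve them with pinact against the live repos.
E2E_AFTER = """\
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: dtolnay/rust-toolchain@89abcdef0123456789abcdef0123456789abcdef # stable
      - uses: taiki-e/install-action@fedcba9876543210fedcba9876543210fedcba98 # just
      - run: just e2e
"""


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Real use: python check_pins.py .github/workflows/*.yml
        files = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    else:
        files = {"constructed-e2e.yml": E2E_BEFORE}
    findings = check_workflows(files)
    for path, line_no, action, ref in findings:
        print(f"{path}:{line_no}: {action}@{ref} is not pinned to a full commit SHA")
    sys.exit(1 if findings else 0)
```

Run it as python check_pins.py .github/workflows/*.yml as an early CI step (non-zero exit fails the job); on the constructed E2E_BEFORE it reports all three floating refs, on E2E_AFTER nothing. Two caveats: a SHA pin freezes which code runs but does not vouch for that code, so read the action's diff at the commit you pin to; and the trailing # tag comment is documentation only, so keep it accurate, since it is what a human (and the Dependabot PR that bumps the SHA) uses to see which upstream version the opaque hash stands for.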