File: .github/workflows/deploy.yml:43-44
Severity: security
Obvious? no
sudo apt-get update && sudo apt-get install -y sshpass runs in the deploy job that holds DEPLOY_PASSWORD. Whichever version Ubuntu's repos serve at job time is installed without pinning. While Ubuntu archive integrity is generally trusted, the dependency on sshpass itself is an antipattern (see #227). If #227 is fixed by moving to native SSH key auth, this entire step disappears, removing the install-time supply-chain surface.
Fix: eliminate the sshpass step by switching to SSH key authentication (e.g., webfactory/ssh-agent SHA-pinned, or appleboy/ssh-action SHA-pinned).
Filed by /general-audit @ 6404719 (2026-05-03). master: #567.
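The shape of the fix described above, as an added example and not the repository's own deploy.yml: the unpinned `apt-get install -y sshpass` step and `DEPLOY_PASSWORD` are gone, a deploy key is loaded by `webfactory/ssh-agent` pinned to a full commit SHA (a placeholder here, since the finding quotes none), and the server's host key is pinned from a variable instead of being learned at job time. The secret and variable names `DEPLOY_SSH_KEY`, `DEPLOY_HOST` and `DEPLOY_KNOWN_HOST` are assumptions.

```yaml
# Added example (not the project's workflow). Replaces the two lines at
# deploy.yml:43-44 that ran "sudo apt-get update && sudo apt-get install -y sshpass".
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<FULL_COMMIT_SHA>   # placeholder: pin to a commit SHA, not a tag

      # Key auth: nothing is installed from the distro archive at job time,
      # and no password secret is present in the job environment.
      - name: Load deploy key into ssh-agent
        uses: webfactory/ssh-agent@<FULL_COMMIT_SHA>   # placeholder: pin to a commit SHA
        with:
          ssh-private-key: ${{ secrets.DEPLOY_SSH_KEY }}   # assumed secret name

      # Pin the host key from a repository variable rather than ssh-keyscan at
      # job time, so a MITM on the first connection cannot plant its own key.
      - name: Trust the deploy host's known key
        env:
          DEPLOY_KNOWN_HOST: ${{ vars.DEPLOY_KNOWN_HOST }}   # assumed; one known_hosts line
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$DEPLOY_KNOWN_HOST" >> ~/.ssh/known_hosts

      # Secrets and variables are passed through env, not interpolated into the
      # script body, so their values never become part of the shell source.
      - name: Deploy over SSH
        env:
          DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}   # assumed variable name
        run: ssh -o StrictHostKeyChecking=yes "deploy@$DEPLOY_HOST" './deploy.sh'
```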