From 3ee83907c9b29afad1629e2c564d64b60a9a5942 Mon Sep 17 00:00:00 2001
From: Chris Nyhuis
Date: Thu, 26 Mar 2026 01:08:31 -0400
Subject: [PATCH] fix: pin 10 unpinned action(s),extract 9 unsafe expression(s) to env vars
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).
Changes:
.github/workflows/cleanup-orphaned-content.yml | 4 ++--
.github/workflows/cloudfront-api-cache.yml | 5 ++++-
.github/workflows/cloudfront-fe-cache.yml | 5 ++++-
.github/workflows/deployment.yml | 25 +++++++++++++++++--------
.github/workflows/sync-content-to-repo.yml | 8 +++++---
.github/workflows/sync-repo-to-database.yml | 7 +++++--
.github/workflows/upgrade-dependencies.yml | 4 ++--
7 files changed, 39 insertions(+), 19 deletions(-)
---
.../workflows/cleanup-orphaned-content.yml | 4 +--
.github/workflows/cloudfront-api-cache.yml | 5 +++-
.github/workflows/cloudfront-fe-cache.yml | 5 +++-
.github/workflows/deployment.yml | 25 +++++++++++++------
.github/workflows/sync-content-to-repo.yml | 8 +++---
.github/workflows/sync-repo-to-database.yml | 7 ++++--
.github/workflows/upgrade-dependencies.yml | 4 +--
7 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/cleanup-orphaned-content.yml b/.github/workflows/cleanup-orphaned-content.yml
index f2bbc0f6b7de..0f33b6fa1992 100644
--- a/.github/workflows/cleanup-orphaned-content.yml
+++ b/.github/workflows/cleanup-orphaned-content.yml
@@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v4 - name: Setup pnpm@v9 - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 with: version: 9 run_install: false
@@ -58,7 +58,7 @@ jobs: - name: Create PR if: steps.verify-changed-files.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7 with: delete-branch: false branch: "chore/cleanup-orphaned-content-${{ inputs.roadmap_slug }}"
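Review bot: `- uses: actions/checkout@v4`, the context line at the top of the first hunk, stays on a mutable tag while the two actions below it are moved to commit SHAs, so this file is only partly pinned; the same gap is visible in deployment.yml (`actions/setup-node@v4`), sync-content-to-repo.yml, sync-repo-to-database.yml and upgrade-dependencies.yml. If leaving GitHub-owned actions on tags is a deliberate policy, state it in the commit message; otherwise pin them the same way, e.g. `- uses: actions/checkout@<full-commit-sha-placeholder> # v4`. The `# v4` / `# v7` trailers are now the only record of which release each SHA corresponds to, so a Dependabot or Renovate `github-actions` entry that updates the SHA and trailer together is what keeps these pins maintainable; `appleboy/ssh-action@… # master` in deployment.yml should instead carry the release tag that SHA belongs to, since `master` names a branch, not a version.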
diff --git a/.github/workflows/cloudfront-api-cache.yml b/.github/workflows/cloudfront-api-cache.yml
index fc8a584c777e..228618c1ee56 100644
--- a/.github/workflows/cloudfront-api-cache.yml
+++ b/.github/workflows/cloudfront-api-cache.yml
@@ -10,7 +10,10 @@ jobs: curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.GH_PAT }}" \ + -H "Authorization: Bearer ${GH_PAT}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/roadmapsh/infra-ansible/actions/workflows/playbook.yml/dispatches \ -d '{ "ref":"master", "inputs": { "playbook": "roadmap_web.yml", "tags": "cloudfront-api", "is_verbose": false } }' + + env: + GH_PAT: ${{ secrets.GH_PAT }}
\ No newline at end of file
diff --git a/.github/workflows/cloudfront-fe-cache.yml b/.github/workflows/cloudfront-fe-cache.yml
index 0f69e825a85d..796988b0d2cd 100644
--- a/.github/workflows/cloudfront-fe-cache.yml
+++ b/.github/workflows/cloudfront-fe-cache.yml
@@ -10,7 +10,10 @@ jobs: curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.GH_PAT }}" \ + -H "Authorization: Bearer ${GH_PAT}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/roadmapsh/infra-ansible/actions/workflows/playbook.yml/dispatches \ -d '{ "ref":"master", "inputs": { "playbook": "roadmap_web.yml", "tags": "cloudfront,cloudfront-course", "is_verbose": false } }' + + env: + GH_PAT: ${{ secrets.GH_PAT }}
\ No newline at end of file
diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index e9bb29fef223..68edfd033e7e 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -14,7 +14,7 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 20 - - uses: pnpm/action-setup@v4.0.0 + - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0 with: version: 9
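Review bot: The added `env:` mapping is what the rewritten `-H "Authorization: Bearer ${GH_PAT}"` line depends on, and the collapsed hunk hides its indentation, so it cannot be confirmed from here whether `env:` is attached to this step or to the job; both resolve the variable, but step scope keeps the token out of every other step's environment, so verify it sits at the step's indent. The `+` blank line inserted between the `run:` block and `env:`, and the `\ No newline at end of file` marker, are both new — the `-d` line is unchanged context, so the old file appears to have ended with a newline — and will trip yamllint's `empty-lines` and `new-line-at-end-of-file` checks. cloudfront-fe-cache.yml and the last hunk of sync-repo-to-database.yml carry the same pair, while the matching curl hunk in deployment.yml adds no blank line, so the generated fix is inconsistent across the seven files; drop the blank `+` line and end each file with a newline.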
@@ -23,7 +23,9 @@ jobs: # ------------------- - name: Prepare configuration files run: | - git clone https://${{ secrets.GH_PAT }}@github.com/roadmapsh/infra-config.git configuration --depth 1 + git clone https://${GH_PAT}@github.com/roadmapsh/infra-config.git configuration --depth 1 + env: + GH_PAT: ${{ secrets.GH_PAT }} - name: Copy configuration files run: | cp configuration/dist/github/developer-roadmap.env .env
@@ -37,22 +39,27 @@ jobs: - name: Generate Production Build run: | - git clone https://${{ secrets.GH_PAT }}@github.com/roadmapsh/web-draw.git .temp/web-draw --depth 1 + git clone https://${GH_PAT}@github.com/roadmapsh/web-draw.git .temp/web-draw --depth 1 npm run generate-renderer npm run compress:images npm run build + env: + GH_PAT: ${{ secrets.GH_PAT }} # -------------------- # Deploy to EC2 # -------------------- - - uses: webfactory/ssh-agent@v0.7.0 + - uses: webfactory/ssh-agent@836c84ec59a0e7bc0eabc79988384eb567561ee2 # v0.7.0 with: ssh-private-key: ${{ secrets.EC2_PRIVATE_KEY }} - name: Deploy Application to EC2 run: | - rsync -apvz --delete --no-times --exclude "configuration" -e "ssh -o StrictHostKeyChecking=no" -p ./ ${{ secrets.EC2_USERNAME }}@${{ secrets.EC2_HOST }}:/var/www/roadmap.sh/ + rsync -apvz --delete --no-times --exclude "configuration" -e "ssh -o StrictHostKeyChecking=no" -p ./ ${EC2_USERNAME}@${EC2_HOST}:/var/www/roadmap.sh/ + env: + EC2_USERNAME: ${{ secrets.EC2_USERNAME }} + EC2_HOST: ${{ secrets.EC2_HOST }} - name: Restart PM2 - uses: appleboy/ssh-action@master + uses: appleboy/ssh-action@8743aa11bfbda97acb45c151ae7a2e0b203f1914 # master with: host: ${{ secrets.EC2_HOST }} username: ${{ secrets.EC2_USERNAME }}
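Review bot: The rewritten rsync line in the second hunk still passes `-o StrictHostKeyChecking=no`, so the deploy — authenticated with `EC2_PRIVATE_KEY` through the ssh-agent step just above it — pushes the whole tree to whatever host answers at `EC2_HOST` without verifying its key; the commit already rewrote this line for the secret extraction, which is the right moment to close that gap. Seed `~/.ssh/known_hosts` from a stored host key before the rsync and let ssh verify, as in the rewrite below (the `EC2_HOST_KEY` secret name is a constructed placeholder). The two `git clone https://${GH_PAT}@…` lines change only where the token is read from: git still records it in the remote URL inside `configuration/.git/config` and `.temp/web-draw/.git/config`, and the rsync excludes only `configuration`, so unless `.temp` is excluded somewhere not visible here the second clone's config would be copied to the server with the token in it — `actions/checkout` with `repository:`, `token:`, `path:` and `persist-credentials: false` fetches both repos without leaving the credential on disk. The `Restart PM2` step continues past the end of the second hunk.
```yaml
- name: Deploy Application to EC2
  run: |
    mkdir -p ~/.ssh
    printf '%s\n' "${EC2_HOST_KEY}" >> ~/.ssh/known_hosts
    rsync -apvz --delete --no-times --exclude "configuration" -e "ssh -o StrictHostKeyChecking=yes" -p ./ "${EC2_USERNAME}@${EC2_HOST}":/var/www/roadmap.sh/
  env:
    EC2_USERNAME: ${{ secrets.EC2_USERNAME }}
    EC2_HOST: ${{ secrets.EC2_HOST }}
    EC2_HOST_KEY: ${{ secrets.EC2_HOST_KEY }}  # placeholder name: the server's known_hosts line
```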
@@ -69,7 +76,9 @@ jobs: curl -L \ -X POST \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.GH_PAT }}" \ + -H "Authorization: Bearer ${GH_PAT}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/roadmapsh/infra-ansible/actions/workflows/playbook.yml/dispatches \ - -d '{ "ref":"master", "inputs": { "playbook": "roadmap_web.yml", "tags": "cloudfront", "is_verbose": false } }'
\ No newline at end of file
+ -d '{ "ref":"master", "inputs": { "playbook": "roadmap_web.yml", "tags": "cloudfront", "is_verbose": false } }' + env: + GH_PAT: ${{ secrets.GH_PAT }}
\ No newline at end of file
diff --git a/.github/workflows/sync-content-to-repo.yml b/.github/workflows/sync-content-to-repo.yml
index 8b39a7d714f6..6dd9945c6dfe 100644
--- a/.github/workflows/sync-content-to-repo.yml
+++ b/.github/workflows/sync-content-to-repo.yml
@@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@v4 - name: Setup pnpm@v9 - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 with: version: 9 run_install: false
@@ -31,8 +31,10 @@ jobs: echo "Installing Dependencies" pnpm install echo "Syncing Content to Repo" - npm run sync:content-to-repo -- --roadmap-slug=${{ inputs.roadmap_slug }} --secret=${{ secrets.GH_SYNC_SECRET }} + npm run sync:content-to-repo -- --roadmap-slug=${{ inputs.roadmap_slug }} --secret=${GH_SYNC_SECRET} + env: + GH_SYNC_SECRET: ${{ secrets.GH_SYNC_SECRET }} - name: Check for changes id: verify-changed-files run: |
@@ -44,7 +46,7 @@ jobs: - name: Create PR if: steps.verify-changed-files.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7 with: delete-branch: false branch: "chore/sync-content-to-repo-${{ inputs.roadmap_slug }}"
diff --git a/.github/workflows/sync-repo-to-database.yml b/.github/workflows/sync-repo-to-database.yml
index 1355646411b3..b8942ed9ec9b 100644
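Review bot: `--roadmap-slug=${{ inputs.roadmap_slug }}` in the rewritten `npm run sync:content-to-repo` line (sync-content-to-repo.yml, `@@ -31,8 +31,10`) is still expanded by the expression engine into the script text before bash parses it, while only the secret next to it was moved to `env:`; this is exactly the "unsafe expression" class the commit title targets, and a `workflow_dispatch` input is controlled by whoever is allowed to trigger the workflow. Move it the same way: add `ROADMAP_SLUG: ${{ inputs.roadmap_slug }}` under the step's `env:` and use `--roadmap-slug="${ROADMAP_SLUG}"`; the step's `- name:`/`run:` header lies above the hunk. The same applies to the last hunk of sync-repo-to-database.yml, where `--files="${{ steps.roadmap-files.outputs.files }}"` is interpolated into the rewritten line and `${{ inputs.roadmap_slug }}` into the `echo` context lines. Separately, `--secret=${GH_SYNC_SECRET}` still places the secret on the command line, where the runner's process table exposes it to anything else running there; if the sync script can read it from the environment, prefer that over an argument.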
--- a/.github/workflows/sync-repo-to-database.yml
+++ b/.github/workflows/sync-repo-to-database.yml
@@ -14,7 +14,7 @@ jobs: - uses: actions/checkout@v4 - name: Setup pnpm@v9 - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 with: version: 9 run_install: false
@@ -54,4 +54,7 @@ jobs: echo "Running sync script for roadmap: ${{ inputs.roadmap_slug }}" echo "Files: ${{ steps.roadmap-files.outputs.files }}" - npm run sync:repo-to-database -- --files="${{ steps.roadmap-files.outputs.files }}" --secret=${{ secrets.GH_SYNC_SECRET }} + npm run sync:repo-to-database -- --files="${{ steps.roadmap-files.outputs.files }}" --secret=${GH_SYNC_SECRET} + + env: + GH_SYNC_SECRET: ${{ secrets.GH_SYNC_SECRET }}
\ No newline at end of file
diff --git a/.github/workflows/upgrade-dependencies.yml b/.github/workflows/upgrade-dependencies.yml
index 339ae5214d2b..228faae63019 100644
--- a/.github/workflows/upgrade-dependencies.yml
+++ b/.github/workflows/upgrade-dependencies.yml
@@ -17,7 +17,7 @@ jobs: node-version: 20 - name: Setup pnpm@v9 - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4 with: version: 9
@@ -28,7 +28,7 @@ jobs: pnpm install --lockfile-only - name: Create Pull Request - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7 with: delete-branch: false branch: "update-deps"