fix: pin 33 unpinned action(s), remove 4 debug env var(s) #5440

Closed

dagecko wants to merge 1 commit into unionlabs:main from dagecko:runner-guard/fix-ci-security

dagecko commented Mar 26, 2026

Security: Harden GitHub Actions workflows

Hey, we found some CI/CD security issues in this repo's workflows using Runner Guard, our open-source CI/CD security scanner at Vigilant. These are the same vulnerability classes being actively exploited right now in the tj-actions, Trivy, LiteLLM supply chain attack chain. We scanned the top 50K repos on GitHub and over 20,000 have this same problem. We're trying to get fixes out to as many maintainers as possible before more repos get hit.

This PR fixes what we could automatically, and flags anything else that needs a manual look. There's a real person behind this PR, we're actively checking back on comments so if you have any questions just drop them here and we'll respond.

Fixes applied (in this PR)

| Rule | Severity | File | Description |
|---|---|---|---|
| RGS-007 | high | .github/workflows/check.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/deploy-app2.yml | Pinned 5 third-party action(s) to commit SHA |
| RGS-015 | medium | .github/workflows/deploy-app2.yml | Removed 1 debug environment variable(s) |
| RGS-007 | high | .github/workflows/deploy-ceremony.yml | Pinned 5 third-party action(s) to commit SHA |
| RGS-015 | medium | .github/workflows/deploy-ceremony.yml | Removed 1 debug environment variable(s) |
| RGS-007 | high | .github/workflows/deploy-docs.yml | Pinned 4 third-party action(s) to commit SHA |
| RGS-015 | medium | .github/workflows/deploy-docs.yml | Removed 1 debug environment variable(s) |
| RGS-007 | high | .github/workflows/deploy-zkgm-dev.yml | Pinned 5 third-party action(s) to commit SHA |
| RGS-015 | medium | .github/workflows/deploy-zkgm-dev.yml | Removed 1 debug environment variable(s) |
| RGS-007 | high | .github/workflows/nightly-e2e-lst.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/nightly.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/package-release.yml | Pinned 2 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/package-snapshot.yml | Pinned 2 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/release-component.yml | Pinned 7 third-party action(s) to commit SHA |

Advisory: additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
    (original version tag preserved as comment)
  • Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
    which leak secrets in workflow logs

Run `brew install Vigilant-LLC/tap/runner-guard && runner-guard scan .` or install from the
repo to verify.


Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.
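
The two checks named in the comment above (RGS-007 pinning, RGS-015 debug variables) can be reproduced independently with a short line-based scan. This is an added example, not part of the PR and not Runner Guard's implementation; the sample workflow, the `example-org` actions and the finding labels are constructed, and unlike the PR it flags every remote action regardless of owner.

```python
import re

# Constructed sample workflow (not taken from the repository in this PR).
SAMPLE_WORKFLOW = """\
name: deploy
on: push
env:
  ACTIONS_STEP_DEBUG: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: example-org/deploy-action/sub/path@main
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
DEBUG_RE = re.compile(r"^\s*(ACTIONS_(?:RUNNER|STEP)_DEBUG)\s*:")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify_ref(ref):
    """Return 'local', 'docker', 'pinned' or 'unpinned' for a uses: value."""
    if ref.startswith("./"):
        return "local"           # lives in the same repo, versioned with it
    if ref.startswith("docker://"):
        return "docker"          # image refs need digest pinning, not covered here
    _, sep, version = ref.rpartition("@")
    if sep and FULL_SHA_RE.fullmatch(version):
        return "pinned"          # full 40-hex commit SHA
    return "unpinned"            # tag, branch, short SHA, or no ref at all

def scan_workflow(text):
    """Line-based scan; returns a list of (line_no, finding, detail)."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue             # skip whole-line YAML comments
        if (m := USES_RE.match(line)) and classify_ref(m.group(1)) == "unpinned":
            findings.append((no, "unpinned-action", m.group(1)))
        if m := DEBUG_RE.match(line):
            findings.append((no, "debug-env", m.group(1)))
    return findings

if __name__ == "__main__":
    for no, kind, detail in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {kind}: {detail}")
```

Because the scan is regex-based rather than a YAML parse, it only sees `uses:` and the debug variables when each sits on its own line, which is how workflows are normally written.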

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/check.yml             |  2 +-
 .github/workflows/deploy-app2.yml       | 11 +++++------
 .github/workflows/deploy-ceremony.yml   | 11 +++++------
 .github/workflows/deploy-docs.yml       |  9 ++++-----
 .github/workflows/deploy-zkgm-dev.yml   | 11 +++++------
 .github/workflows/nightly-e2e-lst.yml   |  2 +-
 .github/workflows/nightly.yml           |  2 +-
 .github/workflows/package-release.yml   |  4 ++--
 .github/workflows/package-snapshot.yml  |  4 ++--
 .github/workflows/release-component.yml | 14 +++++++-------
 10 files changed, 33 insertions(+), 37 deletions(-)

dagecko requested a review from PoisonPhang as a code owner March 26, 2026 19:22


vercel bot commented Mar 26, 2026

@dagecko is attempting to deploy a commit to the unionbuild Team on Vercel.

A member of the Team first needs to authorize it.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

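| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | npm/vitest@3.2.4 | 96 | 100 | 79 | 99 | 100 |
| Added | npm/vite@6.3.6 | 86 | 99 | 83 | 99 | 100 |
| Added | npm/@testing-library/svelte@5.2.8 | 99 | 100 | 100 | 97 | 100 |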

View full report

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | High | Obfuscated code: npm vite is 91.0% likely obfuscated |

Confidence: 0.91

Location: Package overview

From: app2/package.json → npm/vite@6.3.6

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@6.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dagecko closed this by deleting the head repository Mar 26, 2026