
fix: pin unpinned GitHub Actions to commit SHAs#14453

Closed
dagecko wants to merge 1 commit into TheAlgorithms:master from dagecko:runner-guard/fix-ci-security

Conversation


@dagecko dagecko commented Mar 26, 2026

Describe your change:

Hey, we found some CI/CD security issues in this repo's GitHub Actions workflows. Specifically, several third-party actions are referenced by mutable version tags instead of pinned commit SHAs, which makes them vulnerable to supply chain attacks (the same class of vulnerability exploited in the recent tj-actions, Trivy, and LiteLLM attack chain). This PR pins them to immutable SHAs.

  • Add an algorithm?
  • Fix a bug or typo in an existing algorithm?
  • Add or change doctests?
  • Documentation change?

Checklist:

  • I have read CONTRIBUTING.md.
  • This pull request is all my own work -- I have not plagiarized.
  • I know that pull requests will not be merged if they fail the automated tests.
  • This PR only changes one algorithm file.
  • All new Python files are placed inside an existing directory.
  • All filenames are in all lowercase characters with no spaces or dashes.
  • All functions and variable names follow Python naming conventions.
  • All function parameters and return values are annotated with Python type hints.
  • All functions have doctests that pass the automated testing.
  • All new algorithms include at least one URL that points to Wikipedia or another similar explanation.

There's a real person behind this PR. If you have any questions just drop them here and we'll respond.

Found by Runner Guard | Vigilant

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/build.yml            | 2 +-
 .github/workflows/devcontainer_ci.yml  | 2 +-
 .github/workflows/directory_writer.yml | 4 +++-
 .github/workflows/project_euler.yml    | 4 ++--
 .github/workflows/ruff.yml             | 2 +-
 .github/workflows/sphinx.yml           | 2 +-
 6 files changed, 9 insertions(+), 7 deletions(-)
@dagecko dagecko requested a review from cclauss as a code owner March 26, 2026 16:12
@algorithms-keeper bot added the labels enhancement (This PR modified some existing files) and awaiting reviews (This PR is ready to be reviewed) Mar 26, 2026
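The description above rests on one distinction: a `uses:` reference by tag or branch can be moved upstream, while a full commit SHA cannot, and the reviewer's comments on the hunks below add that the trailing `# vX` comment only helps if it names the exact release the SHA was resolved from. The checker below is an added illustration of that policy, not code from this pull request, from TheAlgorithms, or from Runner Guard. It scans workflow text for `uses:` lines and classifies each reference; the sample workflow is constructed from the three action lines visible in this PR plus a hypothetical `example-org/example-action` (with a made-up SHA) and a hypothetical `some-org/some-action@main`.

```python
"""Classify `uses:` references in GitHub Actions workflow text.

Added illustration, not part of this pull request or of Runner Guard.
A reference counts as pinned only when the ref after '@' is a full 40-hex
commit SHA; a tag or branch name can be moved upstream, so it is mutable.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "- uses: owner/repo[/subdir]@ref   # optional comment"
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")          # v6, v0.3, 1.2.3
EXACT_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+")  # v7.6.0, v0.3.1900000417


@dataclass(frozen=True)
class Finding:
    line_no: int
    action: str
    ref: str
    status: str


def classify(ref: str, comment: str | None) -> str:
    """Return a status label for one action reference."""
    if FULL_SHA_RE.match(ref):
        if comment is None:
            return "pinned-no-comment"          # SHA with no human-readable version
        if EXACT_VERSION_RE.match(comment):
            return "pinned"                     # SHA plus exact release: reviewable
        return "pinned-inexact-comment"         # e.g. "# v7": which 7.x.y is this?
    if TAG_RE.match(ref):
        return "mutable-tag"                    # tag can be retargeted upstream
    return "mutable-ref"                        # branch name or abbreviated SHA


def scan(workflow_text: str) -> list[Finding]:
    """Find every `uses:` line that carries an '@ref' and classify it."""
    findings: list[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match is None:
            continue                            # not a uses: line, or a local ./ action
        comment = match.group("comment")
        findings.append(
            Finding(
                line_no=line_no,
                action=match.group("action"),
                ref=match.group("ref"),
                status=classify(match.group("ref"), comment.strip() if comment else None),
            )
        )
    return findings


def needs_attention(findings: list[Finding]) -> list[Finding]:
    """Everything that is not a SHA pin with an exact version comment."""
    return [f for f in findings if f.status != "pinned"]


# Constructed sample: the first three `uses:` lines are taken from this PR's hunks;
# example-org/example-action (made-up SHA) and some-org/some-action are hypothetical.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v6
  - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
  - uses: devcontainers/ci@8bf61b26e9c3a98f69cb6ce2f88d24ff59b785c6
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.4.2
  - uses: some-org/some-action@main
  - run: sudo apt-get update
"""

if __name__ == "__main__":
    for finding in needs_attention(scan(SAMPLE_WORKFLOW)):
        print(f"line {finding.line_no}: {finding.action}@{finding.ref} -> {finding.status}")
```

The checker deliberately treats a SHA with a bare `# v7` comment as incomplete rather than as pinned: the SHA is immutable, but nobody reading the file can tell which release it corresponds to, which is the point the reviewer raises below.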
- run: sudo apt-get update && sudo apt-get install -y libhdf5-dev
- uses: actions/checkout@v6
- uses: astral-sh/setup-uv@v7
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
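Review bot: the hunk leaves `actions/checkout@v6` on a mutable tag on the context line while pinning `astral-sh/setup-uv` right below it; the description scopes the change to third-party actions, so either state there that GitHub-owned `actions/*` are intentionally excluded or pin them the same way, since SHA pinning only protects the references it is applied to. The trailing `# v7` should also record the exact release the SHA `37802adc…` was resolved from; as written, a reader or a dependency-update bot cannot verify the pin without looking the commit up.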
Member

The comment is # v7, whereas the current version is v7.6.0, so if you are going to pin to the latest version, then the comment needs to match.

v7 allows GitHub Actions to run the latest-and-greatest 7.x.y version trusting Astral's Semantic Versioning. If we are going to pin to a particular version, then Dependabot will generate a ton more pull requests.

steps:
- uses: actions/checkout@v6
- uses: devcontainers/ci@v0.3
- uses: devcontainers/ci@8bf61b26e9c3a98f69cb6ce2f88d24ff59b785c6 # v0.3
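Review bot: the pin is only as reviewable as its provenance, and this hunk gives a reader no way to check that `8bf61b26…` is the commit behind a v0.3 release: the `# v0.3` comment names a release line, not the tag the SHA was taken from. Suggest putting the exact tag in the comment (and, for this and the other workflows, mentioning in the description how the SHAs were resolved) so a reviewer can confirm each pin rather than trusting the tool that produced it.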
@cclauss cclauss Mar 26, 2026

The comment is # v0.3, whereas the current version is v0.3.1900000417, so if you are going to pin to the latest version, then the comment needs to match.

v0.3 allows GitHub Actions to run the latest-and-greatest 0.3.y version trusting devcontainers' Semantic Versioning. If we are going to pin to a particular version, then Dependabot will generate a ton more pull requests.

git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
git remote set-url origin https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
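Review bot: this hunk changes something the title and description do not mention: the token now reaches the step through `env:` and is read as `${GITHUB_TOKEN}` by the shell, instead of being substituted into the script text by `${{ secrets.GITHUB_TOKEN }}` before the shell parses it. That is a reasonable hardening of how the secret is handled, but it is unrelated to SHA pinning and should be explained in the description or split into its own PR so it can be reviewed on its own. Note also that `git remote set-url` still writes the token into the checked-out repository's `.git/config` on the runner, so the change narrows how the secret is exposed rather than removing the exposure.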
Member

Does GitHub recommend this in their docs?

@algorithms-keeper bot added the label awaiting changes (A maintainer has requested changes to this PR) and removed awaiting reviews (This PR is ready to be reviewed) Mar 26, 2026
@dagecko dagecko closed this by deleting the head repository Mar 26, 2026