From 86000a5a4745b0988717834b6b161faa2a84addb Mon Sep 17 00:00:00 2001 From: Chris Nyhuis Date: Thu, 26 Mar 2026 15:11:23 -0400 Subject: [PATCH 1/2] fix: pin 17 unpinned action(s),extract 7 unsafe expression(s) to env vars Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/build.yaml | 8 ++++---- .github/workflows/publish.yaml | 28 +++++++++++++++++----------- .github/workflows/release.yaml | 26 +++++++++++++++++--------- 3 files changed, 38 insertions(+), 24 deletions(-) --- .github/workflows/build.yaml | 8 ++++---- .github/workflows/publish.yaml | 28 +++++++++++++++++----------- .github/workflows/release.yaml | 26 +++++++++++++++++--------- 3 files changed, 38 insertions(+), 24 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 98418ca50669..01b93e48a2e6 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -34,7 +34,7 @@ jobs: - name: Checkout repo uses: actions/checkout@v6 - name: Check changed files - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 id: filter with: filters: | @@ -98,7 +98,7 @@ jobs: if: needs.changes.outputs.helm == 'true' steps: - uses: actions/checkout@v6 - - uses: azure/setup-helm@v4 + - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 with: token: ${{ secrets.GITHUB_TOKEN }} - run: helm plugin install https://github.com/instrumenta/helm-kubeval @@ -151,7 +151,7 @@ jobs: test/package-lock.json - run: SKIP_SUBMODULE_DEPS=1 npm ci - run: npm run test:unit - - uses: codecov/codecov-action@v5 + - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5 if: success() with: token: ${{ secrets.CODECOV_TOKEN }} 
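Review bot: `actions/checkout@v6` on the context line just above the `dorny/paths-filter` pin stays on a floating tag while every third-party action in this commit is pinned to a commit SHA, and the same unpinned reference appears as context in the `@@ -98` hunk and in publish.yaml's `@@ -119` hunk. If Runner Guard deliberately exempts GitHub-owned actions, that policy is worth recording in the workflow so the next reader does not file it as a miss, e.g. `# actions/* left on major tags on purpose: first-party, exempt from SHA pinning`; otherwise pin it the same way as the rest, `uses: actions/checkout@<commit-sha the v6 tag resolves to> # v6`. Lines of build.yaml outside these hunks are not visible here, so further floating tags may exist beyond the ones named.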
@@ -167,7 +167,7 @@ jobs: with: submodules: true - run: sudo apt update && sudo apt install -y libkrb5-dev - - uses: awalsh128/cache-apt-pkgs-action@latest + - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest with: packages: quilt version: 1.0 diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index f59767c4fc4e..c492069ce774 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -33,7 +33,7 @@ jobs: node-version-file: .node-version - name: Download npm package from release artifacts - uses: robinraju/release-downloader@v1.12 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12 with: repository: "coder/code-server" tag: ${{ github.event.inputs.version || github.ref_name }} @@ -43,9 +43,11 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${{ github.event.inputs.version || github.ref_name }}" + TAG="${INPUT_VERSION}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV + env: + INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }} - run: npm run publish:npm env: VERSION: ${{ env.VERSION }} @@ -88,11 +90,13 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${{ github.event.inputs.version || github.ref_name }}" + TAG="${INPUT_VERSION}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV + env: + INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }} - name: Validate package - uses: heyhusen/archlinux-package-action@v3.0.0 + uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0 env: VERSION: ${{ env.VERSION }} with: 
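Review bot: The pin for `awalsh128/cache-apt-pkgs-action` keeps `# latest` as its trailing comment, but `latest` is a moving tag, so the comment no longer records which release the SHA `2c09a5e66da6c8016428a2172bd76e5e4f14bb17` corresponds to, and update tooling that reads that comment to propose bumps (Dependabot, Renovate) has nothing to compare against. Replace it with the release tag the SHA actually points to, `uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # <exact release tag the SHA resolves to>`. The same applies, less severely, to the major-only comments (`# v3`, `# v4`, `# v5`, `# v1`, `# v16`) on the other pins in build.yaml, publish.yaml and release.yaml: recording the exact tag (a constructed example: `# v3.0.2`) makes the pinned revision auditable without resolving the SHA by hand.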
@@ -119,19 +123,19 @@ jobs: uses: actions/checkout@v6 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} @@ -140,11 +144,13 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${{ github.event.inputs.version || github.ref_name }}" + TAG="${INPUT_VERSION}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV + env: + INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }} - name: Download deb artifacts - uses: robinraju/release-downloader@v1.12 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12 with: repository: "coder/code-server" tag: v${{ env.VERSION }} @@ -152,7 +158,7 @@ jobs: out-file-path: "release-packages" - name: Download rpm artifacts - uses: robinraju/release-downloader@v1.12 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12 with: repository: "coder/code-server" tag: v${{ env.VERSION }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a1904a6d9954..98c892958807 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -111,14 +111,16 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${{ inputs.version || github.ref_name }}" + TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV + env: + REF_NAME: ${{ inputs.version || github.ref_name }} - env: VERSION: ${{ env.VERSION }} run: npm run package $PKG_ARCH - - uses: softprops/action-gh-release@v1 + - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: draft: true discussion_category_name: "📣 Announcements" @@ -171,15 +173,17 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${{ inputs.version || github.ref_name }}" + TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV + env: + REF_NAME: ${{ inputs.version || github.ref_name }} - name: Build packages with nfpm env: VERSION: ${{ env.VERSION }} run: npm run package - - uses: softprops/action-gh-release@v1 + - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: draft: true discussion_category_name: "📣 Announcements" @@ -232,15 +236,17 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${{ inputs.version || github.ref_name }}" + TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV + env: + REF_NAME: ${{ inputs.version || github.ref_name }} - name: Build packages with nfpm env: VERSION: ${{ env.VERSION }} run: npm run package - - uses: softprops/action-gh-release@v1 + - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: draft: true discussion_category_name: "📣 Announcements" @@ -257,7 +263,7 @@ jobs: with: name: npm-release-package - - uses: softprops/action-gh-release@v1 + - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 with: draft: true discussion_category_name: "📣 Announcements" 
@@ -269,7 +275,7 @@ jobs: timeout-minutes: 15 steps: - name: Download artifacts - uses: dawidd6/action-download-artifact@v16 + uses: dawidd6/action-download-artifact@2536c51d3d126276eb39f74d6bc9c72ac6ef30d3 # v16 id: download with: branch: ${{ github.ref }} @@ -284,9 +290,11 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${{ inputs.version || github.ref_name }}" + TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV + env: + REF_NAME: ${{ inputs.version || github.ref_name }} - name: Modify version env: VERSION: ${{ env.VERSION }} From 087d9b77ea6eea922225b1673a7bd3564d19d10a Mon Sep 17 00:00:00 2001 From: Asher Date: Thu, 26 Mar 2026 11:59:42 -0800 Subject: [PATCH 2/2] Directly set tag env var Might as well. --- .github/workflows/publish.yaml | 9 +++------ .github/workflows/release.yaml | 12 ++++-------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index c492069ce774..16d5d578edac 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -43,11 +43,10 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${INPUT_VERSION}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV env: - INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }} + TAG: ${{ github.event.inputs.version || github.ref_name }} - run: npm run publish:npm env: VERSION: ${{ env.VERSION }} @@ -90,11 +89,10 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${INPUT_VERSION}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV env: - INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }} + TAG: ${{ github.event.inputs.version || github.ref_name }} - name: Validate package uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0 env: 
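Review bot: The `echo "VERSION=${TAG#v}" >> $GITHUB_ENV` line in the "Get and set VERSION" step still writes the dispatch input to `$GITHUB_ENV` without checking its shape; setting `TAG` through `env:` stops it from being interpolated into the script text, but a `TAG` value containing a newline (reachable through an API-dispatched run, not through `github.ref_name`, which git constrains) would be able to define additional environment variables for the steps that follow. Only actors who can dispatch the workflow or push a tag supply this value, so this is defence in depth, but a one-line format check keeps the step robust on the Linux runners' default bash: `[[ "$TAG" =~ ^v?[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected version tag: $TAG" >&2; exit 1; }` before the echo (widen the pattern to whatever pre-release forms the release process actually uses), and quote the file path, `>> "$GITHUB_ENV"`. With a single command the `run: |` block scalar can also collapse to a plain `run:` line. The step is repeated verbatim in publish.yaml's `@@ -90` and `@@ -144` hunks and in the four release.yaml hunks of this commit; apply the check in all of them, or move the step into one composite action so there is a single copy to maintain.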
@@ -144,11 +142,10 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${INPUT_VERSION}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV env: - INPUT_VERSION: ${{ github.event.inputs.version || github.ref_name }} + TAG: ${{ github.event.inputs.version || github.ref_name }} - name: Download deb artifacts uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 98c892958807..fdd41f7416dc 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -111,11 +111,10 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV env: - REF_NAME: ${{ inputs.version || github.ref_name }} + TAG: ${{ inputs.version || github.ref_name }} - env: VERSION: ${{ env.VERSION }} run: npm run package $PKG_ARCH @@ -173,11 +172,10 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV env: - REF_NAME: ${{ inputs.version || github.ref_name }} + TAG: ${{ inputs.version || github.ref_name }} - name: Build packages with nfpm env: VERSION: ${{ env.VERSION }} @@ -236,11 +234,10 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV env: - REF_NAME: ${{ inputs.version || github.ref_name }} + TAG: ${{ inputs.version || github.ref_name }} - name: Build packages with nfpm env: VERSION: ${{ env.VERSION }} @@ -290,11 +287,10 @@ jobs: # Strip out the v (v4.9.1 -> 4.9.1). - name: Get and set VERSION run: | - TAG="${REF_NAME}" echo "VERSION=${TAG#v}" >> $GITHUB_ENV env: - REF_NAME: ${{ inputs.version || github.ref_name }} + TAG: ${{ inputs.version || github.ref_name }} - name: Modify version env: VERSION: ${{ env.VERSION }}