
build(deps): Bump hashicorp/vault-action from 3 to 3.4.0#999

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/hashicorp/vault-action-3.4.0

Conversation

@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps hashicorp/vault-action from 3 to 3.4.0.

Release notes

Sourced from hashicorp/vault-action's releases.

v3.4.0

3.4.0 (June 13, 2025)

Bugs:

Improvements:

v3.3.0

3.3.0 (March 3, 2025)

Features:

  • Wildcard secret imports can use ** to retain case of exported env keys GH-545

v3.2.0

3.2.0 (March 3, 2025)

Improvements:

  • Add retry for jwt auth login to fix intermittent login failures GH-574

v3.1.0

3.1.0 (January 9, 2025)

Improvements:

  • fix wildcard handling when field contains dot GH-542
  • bump body-parser from 1.20.0 to 1.20.3
  • bump braces from 3.0.2 to 3.0.3
  • bump cross-spawn from 7.0.3 to 7.0.6
  • bump micromatch from 4.0.5 to 4.0.8

Features:

  • secretId is no longer required for approle to support advanced use cases like machine login when bind_secret_id is false. GH-522
  • Use pki configuration to generate certificates from Vault GH-564
Changelog

Sourced from hashicorp/vault-action's changelog.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency pin in GitHub Actions workflows; behavior should be unchanged aside from upstream bugfix/security improvements in Vault secret fetching.

Overview
Bumps hashicorp/vault-action from v3 to v3.4.0 across the workflows that read secrets from Vault (Crowdin pull/push and review app deploy/delete). No other workflow logic is changed.

Reviewed by Cursor Bugbot for commit 5b06504. Bugbot is set up for automated code reviews on this repo.

Bumps [hashicorp/vault-action](https://github.com/hashicorp/vault-action) from 3 to 3.4.0.
- [Release notes](https://github.com/hashicorp/vault-action/releases)
- [Changelog](https://github.com/hashicorp/vault-action/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault-action@v3...v3.4.0)

---
updated-dependencies:
- dependency-name: hashicorp/vault-action
  dependency-version: 3.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update Github_actions code) May 13, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying how vault-action is referenced in the repo for context.

Verdict: benign

Evidence

  1. Identity / typosquatting — The dependency is hashicorp/vault-action on the canonical HashiCorp org, pinned as hashicorp/vault-action@v3.4.0 in repo workflows (delete-review.yml, crowdin-*.yml, deploy-review.yml). That matches a normal upkeep bump within the existing v3 line, not a substitute package.

  2. Classic obfuscation / exfil / persistence — The automated report shows no post-allowlist IOCs. “Credential” and “spawn” heuristic hits trace to changelog prose (“secret paths”, npm package name cross-spawn) and to regex .exec(...) / minified libs inside dist/index.js (CryptoJS, KJUR, JSON/XML tooling), which is expected for a compiled Node action artifact—not shell exec/child_process or hidden outbound calls by themselves.

  3. Invisible Unicode / GlassWorm — Scanner explicitly reports unicode: 0, confusable: 0 after allowlisting. That materially lowers risk for Trojan Source / invisible payload tricks in the scanned diff range.

  4. Dependency integrity — Major tag v3, target v3.4.0 is coherent (same major; release/tag exists in normal SemVer story). Release notes (dot normalization, regex ReDoS hardening) read like legitimate maintenance/security fixes without suspicious novel behavior for your callers.

Scanner vs manual read: The volume of heuristic matches disagrees with a malware conclusion—they are overwhelmingly bundled-library noise and pattern overlap (charCodeAt, Regexp.exec). Treat the structured zero counts on unicode/confusable/IOC as the stronger signal; the heuristics here are supportive of “looks like normal vendored JS,” not compromise.

Practical merge check: Confirm the PR diff only updates the workflow uses: pin (no unrelated workflow edits, no alternate uses: owner/repo). That’s ordinary hygiene, not evidence of malignancy in what you shared.

Compatibility Analysis

Searching the repo for hashicorp/vault-action usage and scanning workflow files.

1) Where it’s used

hashicorp/vault-action is referenced only in GitHub Actions workflows (not app code):

| Workflow | Role |
| --- | --- |
| .github/workflows/delete-review.yml | Fetch api_server_url from Vault for k8s |
| .github/workflows/deploy-review.yml | Same pattern for review deploy |
| .github/workflows/crowdin-push.yml | Crowdin token + project id |
| .github/workflows/crowdin-pull.yml | Same Crowdin secrets |

In each case: Vault auth is done first with Chia-Network/actions/vault/login@main; vault-action is called with url, token: ${{ env.VAULT_TOKEN }}, and a fixed multiline secrets: list (explicit paths and field names, pipe to env vars like K8S_API_SERVER_URL, CROWDIN_PERSONAL_TOKEN).

The rg hits under malware_scan_report.json / .malware-scan/ are noise from scanned upstream changelog text, not usage in this repo.


2) Overlap with release-note changes

  • Token auth after external login — You pass a pre-obtained token; you are not relying on in-action JWT/AppRole/PKI. Changes around JWT retry, optional secretId, and PKI do not apply to these call sites.
  • Wildcard / ** / dots in field names — secrets: lines are static KV paths and simple field names (token, api_server_url, project-id-docs). No glob/wildcard imports, so v3.1–v3.3 wildcard/dot behavior is largely irrelevant.
  • v3.4.0 dot normalization + regex hardening — Improves correctness and security on the action’s parsing path; your usage is the straightforward “path + field | ENV” form, so expected impact is none to minimal.

3) Risks / unknowns

  • Environment-specific: First run after upgrade could still fail for non-action reasons (Vault policy, token, network, k8s runner). That’s operational, not specific to 3.4.0.
  • Parsing edge cases: Only if you later add complex wildcard patterns or dotted field conventions could v3.4.0 normalization differ from older v3.x behavior; current YAML does not do that.
  • Pinning: Moving from floating v3 to v3.4.0 is stricter and good for reproducibility; you’ll need Dependabot (or manual bumps) for future patches.

4) Recommendation

Merge. This is a same-major bump with security and bug fixes; current workflows use a narrow, stable pattern that does not hinge on the changed areas (JWT/AppRole PKI, wildcards). Optionally watch the next Crowdin or review-deploy workflow run after merge for confidence.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 3
  • Resolution strategy: to_version_single_commit
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b..4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b
  • Resolved refs: from=4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b to=4c06c5ccf5c0761b6029f56cfb1dcf5565918a3b
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 85

Top findings

  • dist/index.js:8966 codepoint_decoder :: var aCode = aChar.charCodeAt(0);
  • dist/index.js:8981 codepoint_decoder :: var aCode = aChar.charCodeAt(0);
  • dist/index.js:8984 codepoint_decoder :: decimal += (letters.charCodeAt(letters.length - i - 1) - aCode + 1) * Math.pow(26, i);
  • dist/index.js:9060 codepoint_decoder :: return String.fromCodePoint(code.codePointAt(0) + format.zeroCode - 0x30);
  • dist/index.js:9160 codepoint_decoder :: const formatCodepoints = stringToArray(primaryFormat).map(c => c.codePointAt(0)).reverse(); // reverse the array to determine positions of grouping-separator-signs
  • dist/index.js:9190 codepoint_decoder :: character: String.fromCodePoint(codePoint)
  • dist/index.js:9872 codepoint_decoder :: digits = digits.split('').map(char => String.fromCodePoint(char.codePointAt(0) - formatSpec.zeroCode + 0x30)).join('');
  • dist/index.js:10942 codepoint_decoder :: var zeroCharCode = properties['zero-digit'].charCodeAt(0);
  • dist/index.js:11231 codepoint_decoder :: return decimalDigitFamily[digit.charCodeAt(0) - 48];
  • dist/index.js:18311 codepoint_decoder :: bytes.push(str.charCodeAt(i));
  • CHANGELOG.md:42 shell_process_spawn :: * bump cross-spawn from 7.0.3 to 7.0.6
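The "practical merge check" and the pinning note in the analysis above, turned into a runnable check as an added example (not code from the PR, hashicorp/vault-action, or the bot comments): it diffs a workflow before and after a bump, requires every changed line to be a `uses:` line for the expected action, and grades the new pin (floating tag < exact tag < commit SHA). The workflow text, `RANK`, `pin_kind` and `check_pin_only_bump` are this example's own constructions.

```python
# Added example (not the PR's, the action's or the comments' code): check that a
# workflow change only moves one action's uses: pin and that the new pin is stricter.
import re
from difflib import unified_diff
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # full commit SHA pin
EXACT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")   # exact release tag, e.g. v3.4.0
RANK = {"floating": 0, "exact": 1, "sha": 2}  # stricter pins rank higher

def pin_kind(ref: str) -> str:
    """Classify a uses: ref as commit SHA, exact tag, or floating tag (v3, main)."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_RE.match(ref):
        return "exact"
    return "floating"

def uses_refs(workflow: str) -> dict:
    """Map every action referenced by a uses: line to its ref."""
    refs = {}
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m:
            refs[m.group(1)] = m.group(2)
    return refs

def check_pin_only_bump(before: str, after: str, action: str) -> dict:
    """Did only `action`'s pin change between the two workflows, and is it stricter?"""
    diff = unified_diff(before.splitlines(), after.splitlines(), lineterm="", n=0)
    changed = [l for l in diff if l[:1] in ("+", "-") and not l.startswith(("+++", "---"))]
    # Any changed line that is not a uses: line for the expected action is a stray edit.
    stray = [l for l in changed
             if not (USES_RE.match(l[1:]) and USES_RE.match(l[1:]).group(1) == action)]
    old, new = uses_refs(before).get(action), uses_refs(after).get(action)
    stricter = None not in (old, new) and RANK[pin_kind(new)] > RANK[pin_kind(old)]
    return {"only_pin_changed": bool(changed) and not stray, "old": old, "new": new,
            "stricter": stricter, "stray_lines": stray}

# Constructed sample workflow (not a repo file) mirroring the described pattern:
# vault-action given a pre-obtained token and a static "path field | ENV" secrets list.
BEFORE = """\
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/vault-action@v3
        with:
          token: ${{ env.VAULT_TOKEN }}
          secrets: |
            secret/data/review api_server_url | K8S_API_SERVER_URL
"""
AFTER = BEFORE.replace("hashicorp/vault-action@v3\n", "hashicorp/vault-action@v3.4.0\n")
```

Running `check_pin_only_bump(BEFORE, AFTER, "hashicorp/vault-action")` reports the bump as pin-only and stricter; an unrelated `uses:` edit in the same diff shows up in `stray_lines` and flips `only_pin_changed` to False.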
