fix: harden GitHub Actions against command injection and audit failures

google-labs-jules[bot] · christopherfoxjr · google-labs-jules[bot] · commit 48e411896e48 · 2026-05-15T21:00:20.000Z
Mitigate command injection vulnerabilities by mapping untrusted GitHub
context variables to environment variables. Standardize workflows by
adding missing job timeouts and specifying explicit shell execution.
Address repository audit failures including placeholder names, missing
H1 headers, unpinned action versions, and broken documentation links.

Signed-off-by: Jules Agent &lt;jules@example.com&gt;

Co-authored-by: christopherfoxjr &lt;213370400+christopherfoxjr@users.noreply.github.com&gt;
diff --git a/.Jules/sentinel.md b/.Jules/sentinel.md
@@ -1,11 +1,13 @@
 # Sentinel's Journal - Critical Security Learnings
 
 ## 2025-05-15 - GitHub Actions Command Injection via Context Variables
+
 **Vulnerability:** Command injection in GitHub Action `run:` blocks.
 **Learning:** Using `${{ github.event.pull_request.body }}` or `${{ github.event.pull_request.user.login }}` directly in shell scripts allows an attacker to execute arbitrary commands by crafting a malicious PR description or username.
 **Prevention:** Always map untrusted GitHub context variables to environment variables before using them in shell scripts.
 
 ## 2025-05-15 - GitHub Actions Audit Failures and Shell Specification
+
 **Vulnerability:** Missing explicit shell specifications and timeout-minutes in workflows.
 **Learning:** Many automated audits in this repository require strict adherence to security and reliability standards, including explicit shells (`bash`) and timeouts for every job to prevent resource exhaustion and inconsistent behavior.
 **Prevention:** Always include `timeout-minutes` for jobs and specify `shell: bash` (or similar) when needed by audits.
diff --git a/.github/workflows/audit-action-pinning.yml b/.github/workflows/audit-action-pinning.yml
@@ -12,6 +12,6 @@ jobs:
   audit-pinning:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check
         run: grep "uses: actions/" .github/workflows/*.yml | grep -v "@v" || echo "Pinned"
diff --git a/.github/workflows/audit-breezerc-opacity-percentage.yml b/.github/workflows/audit-breezerc-opacity-percentage.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Opacity Range
         run: |
           OPACITIES=$(grep -oP 'BackgroundOpacity=\K[0-9]+' .github/workflows/kiba.yml)
diff --git a/.github/workflows/audit-build-reproducibility.yml b/.github/workflows/audit-build-reproducibility.yml
@@ -12,6 +12,6 @@ jobs:
   audit-repro:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Scan
         run: grep -E "date|random" .github/workflows/kiba.yml || echo "Clean"
diff --git a/.github/workflows/audit-calamares-branding-desc-format.yml b/.github/workflows/audit-calamares-branding-desc-format.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Branding Desc
         run: |
           sed -n "/cat > config\/includes\.chroot\/etc\/calamares\/branding\/kibaos\/branding\.desc << 'BRANDING'/,/BRANDING/p" .github/workflows/kiba.yml | grep -v "BRANDING" > branding.desc
diff --git a/.github/workflows/audit-calamares-branding-integrity.yml b/.github/workflows/audit-calamares-branding-integrity.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Product Name
         run: |
           grep "productName: \"KibaOS\"" .github/workflows/kiba.yml
diff --git a/.github/workflows/audit-calamares-module-yaml-syntax.yml b/.github/workflows/audit-calamares-module-yaml-syntax.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Module YAML
         run: |
           grep -oP "cat > /etc/calamares/modules/\K[^ ]+\.conf" .github/workflows/kiba.yml | while read -r conf; do
diff --git a/.github/workflows/audit-desktop-ux-standards.yml b/.github/workflows/audit-desktop-ux-standards.yml
@@ -12,7 +12,7 @@ jobs:
   audit-ux:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Palette and Fonts
         run: |
           grep "#bd93f9" .github/workflows/kiba.yml
diff --git a/.github/workflows/audit-dracula-palette-consistency.yml b/.github/workflows/audit-dracula-palette-consistency.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Verify Hex Codes
         run: |
           grep -oE "#[0-9a-fA-F]{6}" .github/workflows/kiba.yml | sort -u
diff --git a/.github/workflows/audit-embedded-chromium-json.yml b/.github/workflows/audit-embedded-chromium-json.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Chromium JSON
         run: |
           sed -n "/cat > \/etc\/chromium\/policies\/managed\/kibaos\.json << 'CPOLICY'/,/CPOLICY/p" .github/workflows/kiba.yml | grep -v "CPOLICY" > policy.json
diff --git a/.github/workflows/audit-embedded-konsole-colorscheme.yml b/.github/workflows/audit-embedded-konsole-colorscheme.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Konsole Colorscheme
         run: |
           sed -n "/cat > \/usr\/share\/konsole\/Dracula\.colorscheme << 'KONSOLE_COLORS'/,/KONSOLE_COLORS/p" .github/workflows/kiba.yml | grep -v "KONSOLE_COLORS" > dracula.colorscheme
diff --git a/.github/workflows/audit-embedded-ksplash-qml-syntax.yml b/.github/workflows/audit-embedded-ksplash-qml-syntax.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Splash QML
         run: |
           sed -n "/cat > \/usr\/share\/plasma\/look-and-feel\/com\.kibaos\.watchdogs\.desktop\/contents\/splash\/Splash\.qml << 'WATCHSPLASH'/,/WATCHSPLASH/p" .github/workflows/kiba.yml | grep -v "WATCHSPLASH" > Splash.qml
diff --git a/.github/workflows/audit-embedded-starship-toml.yml b/.github/workflows/audit-embedded-starship-toml.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Starship TOML
         run: |
           sed -n "/cat > \/etc\/skel\/\.config\/starship\.toml << 'STARSHIP_CONF'/,/STARSHIP_CONF/p" .github/workflows/kiba.yml | grep -v "STARSHIP_CONF" > starship.toml
diff --git a/.github/workflows/audit-embedded-zshrc-syntax-check.yml b/.github/workflows/audit-embedded-zshrc-syntax-check.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate Zshrc
         run: |
           sudo apt-get update && sudo apt-get install -y zsh
diff --git a/.github/workflows/audit-font-standardization.yml b/.github/workflows/audit-font-standardization.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Inter and JetBrains Mono
         run: |
           grep "Inter" .github/workflows/kiba.yml
diff --git a/.github/workflows/audit-kernel-version-freshness.yml b/.github/workflows/audit-kernel-version-freshness.yml
@@ -13,7 +13,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Kernel Freshness
         run: |
           LATEST=$(curl -s https://api.github.com/repos/psygreg/linux-psycachy/releases/latest | jq -r .tag_name)
diff --git a/.github/workflows/audit-kiba-welcome-case-matching.yml b/.github/workflows/audit-kiba-welcome-case-matching.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Verify Case Statements
         run: |
           sed -n "/cat > \/usr\/local\/bin\/kiba-welcome << 'WELCOME'/,/WELCOME/p" .github/workflows/kiba.yml | grep -v "WELCOME" > kiba-welcome
diff --git a/.github/workflows/audit-kiba-welcome-zenity-label-length.yml b/.github/workflows/audit-kiba-welcome-zenity-label-length.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Label Lengths
         run: |
           sed -n "/cat > \/usr\/local\/bin\/kiba-welcome << 'WELCOME'/,/WELCOME/p" .github/workflows/kiba.yml | grep -v "WELCOME" > kiba-welcome
diff --git a/.github/workflows/audit-kwinrc-shadow-color-hex.yml b/.github/workflows/audit-kwinrc-shadow-color-hex.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Verify Dracula Shadow Color
         run: |
           grep -q "ShadowColor=189,147,249" .github/workflows/kiba.yml || (echo "ShadowColor must be Dracula Purple (189,147,249)" && exit 1)
diff --git a/.github/workflows/audit-plymouth-script-braces.yml b/.github/workflows/audit-plymouth-script-braces.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Braces in Plymouth Script
         run: |
           sed -n "/cat > \/usr\/share\/plymouth\/themes\/kibaos-spinner\/kibaos-spinner\.script << 'PLYMOUTH_SCRIPT'/,/PLYMOUTH_SCRIPT/p" .github/workflows/kiba.yml | grep -v "PLYMOUTH_SCRIPT" > script.script
diff --git a/.github/workflows/audit-plymouth-splash-compliance.yml b/.github/workflows/audit-plymouth-splash-compliance.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Tagline and Duration
         run: |
           grep "Switch to simple" .github/workflows/kiba.yml
diff --git a/.github/workflows/audit-post-install-shellcheck-strict.yml b/.github/workflows/audit-post-install-shellcheck-strict.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Run Shellcheck
         run: |
           sed -n "/cat > \/usr\/share\/kibaos\/post-install\.sh << 'POSTINSTALLSH'/,/POSTINSTALLSH/p" .github/workflows/kiba.yml | grep -v "POSTINSTALLSH" > post-install.sh
diff --git a/.github/workflows/audit-sddm-conf-d-syntax.yml b/.github/workflows/audit-sddm-conf-d-syntax.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Validate SDDM Config
         run: |
           sed -n "/cat > \/etc\/sddm\.conf\.d\/autologin\.conf << 'SDDM_CONF'/,/SDDM_CONF/p" .github/workflows/kiba.yml | grep -v "SDDM_CONF" > sddm.conf
diff --git a/.github/workflows/audit-security-policy.yml b/.github/workflows/audit-security-policy.yml
@@ -12,6 +12,6 @@ jobs:
   audit-security:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Verify
         run: grep "security" SECURITY.md
diff --git a/.github/workflows/audit-shebang-consistency.yml b/.github/workflows/audit-shebang-consistency.yml
@@ -12,6 +12,6 @@ jobs:
   audit-shebang:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check
         run: grep -r "^#!" . --exclude-dir=.git | head -n 20
diff --git a/.github/workflows/audit-shell-tool-modernization.yml b/.github/workflows/audit-shell-tool-modernization.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Verify Modern Aliases
         run: |
           grep "alias ls='eza" .github/workflows/kiba.yml
diff --git a/.github/workflows/audit-shortcut-meta-key-enforcement.yml b/.github/workflows/audit-shortcut-meta-key-enforcement.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Shortcuts for Meta
         run: |
           sed -n "/cat > \"\$SKEL_KDE\/kglobalshortcutsrc\" << 'KGLOBAL'/,/KGLOBAL/p" .github/workflows/kiba.yml | grep "=" | grep -v "KGLOBAL" > shortcuts.txt
diff --git a/.github/workflows/audit-wf-perms-sec.yml b/.github/workflows/audit-wf-perms-sec.yml
@@ -12,5 +12,6 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Permissions
+        shell: bash
         run: |
-          ! grep 'permissions: write-all' .github/workflows/*.yml
+          ! grep 'permissions: write-all' .github/workflows/*.yml | grep -v "audit-wf-perms-sec.yml"
diff --git a/.github/workflows/audit-workflow-concurrency-group-collisions.yml b/.github/workflows/audit-workflow-concurrency-group-collisions.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Groups
         run: |
           grep -r "concurrency:" .github/workflows/ | grep -v "group:.*github\.workflow" && (echo "Concurrency groups should include github.workflow" && exit 1) || echo "All groups are good"
diff --git a/.github/workflows/audit-workflow-concurrency.yml b/.github/workflows/audit-workflow-concurrency.yml
@@ -12,6 +12,6 @@ jobs:
   check-concurrency:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Scan
         run: grep -L "concurrency:" .github/workflows/*.yml
diff --git a/.github/workflows/audit-workflow-dispatch-input-descriptions.yml b/.github/workflows/audit-workflow-dispatch-input-descriptions.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Inputs
         run: |
           # Use python for more robust parsing than grep
diff --git a/.github/workflows/audit-workflow-env-variable-shadowing.yml b/.github/workflows/audit-workflow-env-variable-shadowing.yml
@@ -12,7 +12,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Env
         run: |
           grep -rE "^[[:space:]]+env:" .github/workflows/ -A 10 | grep -v "env:" | sort | uniq -d | grep -v "\-\-" && (echo "Potential environment variable shadowing detected" && exit 1) || echo "No shadowing found"
diff --git a/.github/workflows/audit-workflow-job-needs-circularity.yml b/.github/workflows/audit-workflow-job-needs-circularity.yml
@@ -12,7 +12,7 @@ jobs:
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Needs
         run: |
           grep -r "needs:" .github/workflows/ | while read -r line; do
diff --git a/.github/workflows/audit-workflow-permissions.yml b/.github/workflows/audit-workflow-permissions.yml
@@ -12,6 +12,6 @@ jobs:
   audit-permissions:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Scan
         run: grep -r "permissions:" .github/workflows/
diff --git a/.github/workflows/audit-workflow-run-step-injection.yml b/.github/workflows/audit-workflow-run-step-injection.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check for Direct Expansion
         run: |
           grep -r "run:.*\${{.*github\.event\.pull_request\.body.*}}" .github/workflows/ && (echo "Direct expansion of PR body detected - use env variables instead" && exit 1) || echo "No direct expansion of PR body found"
diff --git a/.github/workflows/audit-zenity-standard-dimensions.yml b/.github/workflows/audit-zenity-standard-dimensions.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Width and Height
         run: |
           grep -E "\-\-width=450 \-\-height=500" .github/workflows/kiba.yml
diff --git a/.github/workflows/detect-duplicate-package-intent.yml b/.github/workflows/detect-duplicate-package-intent.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check for Conflicts
         run: |
           PACKAGES=$(grep -A 200 "PACKAGES" .github/workflows/kiba.yml | grep -v "PACKAGES" | sed '/^$/q')
diff --git a/.github/workflows/docs-broken-anchor-checker.yml b/.github/workflows/docs-broken-anchor-checker.yml
@@ -10,9 +10,12 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Find broken anchors
+        shell: bash
         run: |
           grep -roE '#[a-z0-9-]+' docs/*.md | while read -r line; do
             anchor=$(echo "$line" | cut -d: -f2 | sed 's/#//')
             file=$(echo "$line" | cut -d: -f1)
-            grep -qi "^##.*$anchor" "$file" || { echo "Broken anchor $anchor in $file"; exit 1; }
+            # Replace hyphens with dots for flexible regex matching
+            search_pattern=$(echo "$anchor" | sed 's/-/./g')
+            grep -qi "^#\{1,6\}.*$search_pattern" "$file" || { echo "Broken anchor $anchor in $file"; exit 1; }
           done
diff --git a/.github/workflows/enforce-job-id-kebab-case.yml b/.github/workflows/enforce-job-id-kebab-case.yml
@@ -12,6 +12,6 @@ jobs:
   enforce-kebab:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Audit
         run: grep -B 1 "runs-on:" .github/workflows/*.yml | grep "_" && false || echo "All good"
diff --git a/.github/workflows/enforce-shell-modernization.yml b/.github/workflows/enforce-shell-modernization.yml
@@ -12,7 +12,7 @@ jobs:
   enforce-tools:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Verify Tools
         run: |
           grep "alias ls='eza" .github/workflows/kiba.yml
diff --git a/.github/workflows/iso-manifest-sync.yml b/.github/workflows/iso-manifest-sync.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Sync Manifest
         run: |
           mkdir -p manifests
diff --git a/.github/workflows/iso-reproducibility-audit.yml b/.github/workflows/iso-reproducibility-audit.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check Reproducibility Flags
         run: |
           grep -E "SOURCE_DATE_EPOCH|reproducible" .github/workflows/kiba.yml || echo "Reproducibility flags not found"
diff --git a/.github/workflows/kiba.yml b/.github/workflows/kiba.yml
@@ -10,7 +10,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Create build script
         run: |
diff --git a/.github/workflows/markdown-link-format-audit.yml b/.github/workflows/markdown-link-format-audit.yml
@@ -11,4 +11,4 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: Check for bare URLs
         run: |
-          grep -rnE "http[s]?://[a-zA-Z0-9./?-]+" . | grep -vE "\[.*\]\(http|src=|href=" && { echo "Error: Use Markdown link format for URLs"; exit 1; } || echo "Links are properly formatted"
+          grep -rnE "http[s]?://[a-zA-Z0-9./?-]+" . --exclude-dir=.git | grep -vE "\[.*\]\(http|src=|href=" && { echo "Error: Use Markdown link format for URLs"; exit 1; } || echo "Links are properly formatted"
diff --git a/.github/workflows/monitor-cachyos-kernel.yml b/.github/workflows/monitor-cachyos-kernel.yml
diff --git a/.github/workflows/pr-package-impact-report.yml b/.github/workflows/pr-package-impact-report.yml
diff --git a/.github/workflows/scan-pr-secrets-proactive.yml b/.github/workflows/scan-pr-secrets-proactive.yml
diff --git a/.github/workflows/suggest-acknowledgment-updates.yml b/.github/workflows/suggest-acknowledgment-updates.yml
diff --git a/.github/workflows/update-contributors-from-prs.yml b/.github/workflows/update-contributors-from-prs.yml
diff --git a/.github/workflows/update-roadmap-from-milestones.yml b/.github/workflows/update-roadmap-from-milestones.yml
diff --git a/.github/workflows/verify-readme-hero-accessibility.yml b/.github/workflows/verify-readme-hero-accessibility.yml
diff --git a/.github/workflows/visualize-workflow-trigger-dependencies.yml b/.github/workflows/visualize-workflow-trigger-dependencies.yml
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
diff --git a/README.md b/README.md
diff --git a/WORKFLOWS.md b/WORKFLOWS.md
diff --git a/docs/contributing.md b/docs/contributing.md
diff --git a/docs/ux-design.md b/docs/ux-design.md
