Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/auto-merge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,10 @@ jobs:
runs-on: ubuntu-latest
if: github.actor == 'dependabot[bot]'
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
with:
ref: ${{ github.event.pull_request.head.sha }}
Comment on lines +11 to 13

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 HIGH RISK

This workflow block presents two significant security issues:

  1. Incomplete SHA Pinning: The action ahmadnassri/action-dependabot-auto-merge@v2 (line 14) is still using a mutable version tag, which contradicts the security goals of this PR. It should be updated to a specific commit SHA.
  2. Privileged Execution Risk: Using pull_request_target while checking out the pull request's head branch (lines 11-13) is a high-severity vulnerability. It allows potentially untrusted code from a fork to run with write permissions and access to repository secrets.

Actionable Suggestions:

  • Update the auto-merge action to a SHA hash. Prompt for coding agent: Find the latest commit SHA for ahmadnassri/action-dependabot-auto-merge@v2 and update the uses statement in .github/workflows/auto-merge.yml to use that SHA, including the version as a comment (e.g., # v2).
  • Verify if actions/checkout is necessary. If the action only needs GITHUB_TOKEN for API calls, remove the checkout step and the ref parameter to eliminate the risk of executing untrusted code.

- uses: ahmadnassri/action-dependabot-auto-merge@v2
- uses: ahmadnassri/action-dependabot-auto-merge@45fc124d949b19b6b8bf6645b6c9d55f4f9ac61a # v2
with:
target: major
github-token: ${{ secrets.GITHUB_TOKEN }}
10 changes: 5 additions & 5 deletions .github/workflows/comment_issue.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Check GitHub Issue type
if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
with:
result-encoding: string
script: |
Expand All @@ -33,7 +33,7 @@ jobs:
- name: Check if GitHub Issue has JIRA_ISSUE_LABEL
if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_has_jira_issue_label
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
JIRA_ISSUE_LABEL: ${{ secrets.JIRA_ISSUE_LABEL }}
with:
Expand All @@ -56,7 +56,7 @@ jobs:
- name: Jira Login
if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
env:
GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
Expand All @@ -67,7 +67,7 @@ jobs:
- name: Extract Jira number
if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
Expand All @@ -82,7 +82,7 @@ jobs:
- name: Jira Add comment on issue
if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: add_comment_jira_issue
uses: atlassian/gajira-comment@v2.0.2
uses: atlassian/gajira-comment@8ec356b5df49f1325653db7ee2da2b59a1d78203 # v2.0.2
env:
GITHUB_ISSUE_TYPE: ${{ steps.github_issue_type.outputs.result }}
GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL: ${{ steps.github_issue_has_jira_issue_label.outputs.result }}
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/create_issue.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Jira Login
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
env:
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
Expand All @@ -27,7 +27,7 @@ jobs:
- name: Jira Create issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
id: create_jira_issue
uses: atlassian/gajira-create@v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
with:
project: ${{ secrets.JIRA_PROJECT }}
issuetype: ${{ secrets.JIRA_ISSUE_TYPE }}
Expand All @@ -53,7 +53,7 @@ jobs:

- name: Update GitHub issue
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }}
GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }}
Expand All @@ -78,7 +78,7 @@ jobs:

- name: Add comment after sync
if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/create_issue_on_label.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
- name: Jira Login
if: github.event.label.name == env.JIRA_ISSUE_LABEL
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0
env:
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
Expand All @@ -27,7 +27,7 @@ jobs:
- name: Jira Create issue
if: github.event.label.name == env.JIRA_ISSUE_LABEL
id: create_jira_issue
uses: atlassian/gajira-create@v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
with:
project: ${{ secrets.JIRA_PROJECT }}
issuetype: ${{ secrets.JIRA_ISSUE_TYPE }}
Expand All @@ -53,7 +53,7 @@ jobs:

- name: Change Title
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
env:
JIRA_ISSUE_NUMBER: ${{ steps.create_jira_issue.outputs.issue }}
GITHUB_ORIGINAL_TITLE: ${{ github.event.issue.title }}
Expand All @@ -70,7 +70,7 @@ jobs:

- name: Add comment after sync
if: github.event.label.name == env.JIRA_ISSUE_LABEL
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
Expand Down