Skip to content

ci: fix 3 security HIGHs (govern audit row 3)#21

Merged
m9751 merged 2 commits into
mainfrom
fix/ci-security-highs-govern-row3
Jun 18, 2026
Merged

ci: fix 3 security HIGHs (govern audit row 3)#21
m9751 merged 2 commits into
mainfrom
fix/ci-security-highs-govern-row3

Conversation

@m9751

@m9751 m9751 commented Jun 18, 2026

Copy link
Copy Markdown
Owner

Closes the 3 HIGH findings from the govern portfolio audit (2026-06-18) against this repo's .github/workflows/:

doc-link-check.yml

  • SHA-pin lycheeverse/lychee-action@v2@8646ba3… # v2.8.0 (github platform HR#2: third-party actions must be SHA-pinned, not on a mutable tag).

rules-lint.yml

  • Extract ${{ github.event.pull_request.base.sha || github.event.before }} out of two run: blocks into a step-level env: BASE_SHA: and reference "$BASE_SHA" (github platform HR#4: no github.event.* interpolated directly into shell). These are GitHub-generated SHA fields (low practical injection risk), but the rule has no SHA carve-out and env-extraction is the standard fix.

No behavior change — same SHAs, same lychee version (v2.8.0 is the current v2 tag). CI on this PR (rules-lint, doc-link-check) validates the workflows still run.

🤖 Generated with Claude Code

@m9751
m9751 merged commit d7b3237 into main Jun 18, 2026
2 checks passed
@m9751
m9751 deleted the fix/ci-security-highs-govern-row3 branch June 18, 2026 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant