fix: pin 7 unpinned action(s), extract 1 inline secret to env var#5439
@dagecko Thanks. The env var change looks obviously good (would have been nice to have this in a separate commit). For the action pinning I'm not so sure it's worth it. It feels like I would have to look up every one of these hashes to make sure they actually point to their respective tag, and then probably also audit the code of each action to convince myself it's not already tampered with. There's no way I can afford the latter, but without that I'm not too convinced it's worth doing the former.
@stefanhaller @dagecko It just replaces a code like https://github.com/suzuki-shunsuke/pinact. If you incorporate it into lazygit's GitHub Actions workflow, it will report an error if any action is not pinned. This is a working example from my repo: https://github.com/kyu08/fzf-make/blob/0e14e75a36eb4dc25116b23292270f1694e43a39/.github/workflows/pinact.yml#L2.

force-pushed from 3a8c12e to 70cd9a3
@stefanhaller split the commits as you suggested. First commit is just the env var extraction for the Codacy token, second is the action pins. You can take either or both. On the pinning, @kyu08's suggestion of pinact is solid for ongoing maintenance. The core concern is that mutable tags can be force-pushed to malicious commits without notification, which is how the tj-actions attack worked last year. But I understand if it's not a priority right now. - Chris (dagecko)

force-pushed from 70cd9a3 to 5995c6d
Uhm, this didn't work out well; your first commit deleted the entire ci.yml, the second added it back in. Not sure what happened there, but I took the liberty of fixing this and force-pushing.
Ok, understood. I have more questions if I may:
Thanks for fixing the commit split, Stefan. Appreciate you taking care of that. On your two questions:
Want me to add the first-party pins, or would you prefer to handle it in your WIP commit since you're already in there?

force-pushed from 5995c6d to 82ff949

I'm happy to leave the first-party actions as is then. Thanks for getting this going!
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [jesseduffield/lazygit](https://github.com/jesseduffield/lazygit) | minor | `v0.60.0` → `v0.61.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

jesseduffield/lazygit (jesseduffield/lazygit)

### [`v0.61.0`](https://github.com/jesseduffield/lazygit/releases/tag/v0.61.0)

[Compare Source](jesseduffield/lazygit@v0.60.0...v0.61.0)

The big one in this release is support for GitHub pull requests. They are shown as little GitHub icons next to each branch that has one, and you can open a MR in the browser by pressing shift-G. To enable this, all you need to do is install the [`gh`](https://cli.github.com/) tool if you haven't already, and log in using `gh auth login`.

#### What's Changed

##### Features ✨

- Show pull requests against branches by [@jesseduffield](https://github.com/jesseduffield) in [#2781](jesseduffield/lazygit#2781)

##### Enhancements 🔥

- Add support for clicking on arrows in the file list to expand/collapse directories by [@blakemckeany](https://github.com/blakemckeany) in [#5365](jesseduffield/lazygit#5365)
- Remove empty directories after discarding untracked files by [@stefanhaller](https://github.com/stefanhaller) in [#5408](jesseduffield/lazygit#5408)
- Make file sort order and case sensitivity configurable, and default to mix files and folders by [@stefanhaller](https://github.com/stefanhaller) in [#5427](jesseduffield/lazygit#5427)
- Allow customizing the window width/height thresholds for when to use portrait mode by [@stefanhaller](https://github.com/stefanhaller) in [#5452](jesseduffield/lazygit#5452)
- Log hashes of local branches when deleting them by [@stefanhaller](https://github.com/stefanhaller) in [#5441](jesseduffield/lazygit#5441)
- Add condition field to custom command prompts by [@mrt181](https://github.com/mrt181) in [#5364](jesseduffield/lazygit#5364)

##### Fixes 🔧

- Fix staging only some lines of a block of consecutive changes by [@stefanhaller](https://github.com/stefanhaller) in [#5396](jesseduffield/lazygit#5396)
- Fix the expanded layout of the branches panel (half and full screen modes) by [@stefanhaller](https://github.com/stefanhaller) in [#5413](jesseduffield/lazygit#5413)
- Fix searching commits or main view after switching repos by [@stefanhaller](https://github.com/stefanhaller) in [#5424](jesseduffield/lazygit#5424)
- Scroll to top when showing subcommits by [@stefanhaller](https://github.com/stefanhaller) in [#5425](jesseduffield/lazygit#5425)
- Fix patch commands when git config has color=always by [@matthijskooijman](https://github.com/matthijskooijman) in [#5405](jesseduffield/lazygit#5405)
- Don't stage out-of-date submodules when asking user to auto-stage after resolving conflicts by [@stefanhaller](https://github.com/stefanhaller) in [#5440](jesseduffield/lazygit#5440)

##### Maintenance ⚙️

- Remove go-git dependency by [@stefanhaller](https://github.com/stefanhaller) in [#5420](jesseduffield/lazygit#5420)
- Make Debian/Ubuntu install command architecture-independent by [@discapes](https://github.com/discapes) in [#5386](jesseduffield/lazygit#5386)
- Bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5423](jesseduffield/lazygit#5423)
- fix: pin 7 unpinned action(s), extract 1 inline secret to env var by [@dagecko](https://github.com/dagecko) in [#5439](jesseduffield/lazygit#5439)
- Fix dependabot config file by [@stefanhaller](https://github.com/stefanhaller) in [#5443](jesseduffield/lazygit#5443)
- Bump actions/cache from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#5444](jesseduffield/lazygit#5444)
- Bump actions/download-artifact from 7 to 8 by [@dependabot](https://github.com/dependabot)\[bot] in [#5445](jesseduffield/lazygit#5445)
- Bump actions/upload-artifact from 6 to 7 by [@dependabot](https://github.com/dependabot)\[bot] in [#5446](jesseduffield/lazygit#5446)
- Bump github.com/lucasb-eyer/go-colorful from 1.3.0 to 1.4.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5447](jesseduffield/lazygit#5447)
- Bump github.com/spf13/afero from 1.9.5 to 1.15.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5448](jesseduffield/lazygit#5448)
- Bump github.com/creack/pty from 1.1.11 to 1.1.24 by [@dependabot](https://github.com/dependabot)\[bot] in [#5449](jesseduffield/lazygit#5449)
- Bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#5450](jesseduffield/lazygit#5450)
- Bump github.com/sanity-io/litter from 1.5.2 to 1.5.8 by [@dependabot](https://github.com/dependabot)\[bot] in [#5451](jesseduffield/lazygit#5451)
- Bump github.com/adrg/xdg from 0.4.0 to 0.5.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#5456](jesseduffield/lazygit#5456)
- Bump github.com/spkg/bom from 0.0.0-20160624110644-59b7046e48ad to 1.0.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#5457](jesseduffield/lazygit#5457)
- Bump github.com/integrii/flaggy from 1.4.0 to 1.8.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5458](jesseduffield/lazygit#5458)
- Bump github.com/sahilm/fuzzy from 0.1.0 to 0.1.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#5459](jesseduffield/lazygit#5459)
- Bump github.com/sasha-s/go-deadlock from 0.3.6 to 0.3.9 by [@dependabot](https://github.com/dependabot)\[bot] in [#5460](jesseduffield/lazygit#5460)

##### Docs 📖

- Add a note about AI to CONTRIBUTING.md by [@stefanhaller](https://github.com/stefanhaller) in [#5404](jesseduffield/lazygit#5404)
- Update redo keybinding in README.md by [@unikitty37](https://github.com/unikitty37) in [#5387](jesseduffield/lazygit#5387)
- Fix grammar in the contributor guide by [@Rohan5commit](https://github.com/Rohan5commit) in [#5392](jesseduffield/lazygit#5392)

##### I18n 🌎

- Update translations from Crowdin by [@stefanhaller](https://github.com/stefanhaller) in [#5476](jesseduffield/lazygit#5476)

##### Performance Improvements 📊

- Improve performance of discarding many files by [@stefanhaller](https://github.com/stefanhaller) in [#5407](jesseduffield/lazygit#5407)

#### New Contributors

- [@blakemckeany](https://github.com/blakemckeany) made their first contribution in [#5365](jesseduffield/lazygit#5365)
- [@discapes](https://github.com/discapes) made their first contribution in [#5386](jesseduffield/lazygit#5386)
- [@unikitty37](https://github.com/unikitty37) made their first contribution in [#5387](jesseduffield/lazygit#5387)
- [@Rohan5commit](https://github.com/Rohan5commit) made their first contribution in [#5392](jesseduffield/lazygit#5392)
- [@matthijskooijman](https://github.com/matthijskooijman) made their first contribution in [#5405](jesseduffield/lazygit#5405)
- [@dagecko](https://github.com/dagecko) made their first contribution in [#5439](jesseduffield/lazygit#5439)
- [@mrt181](https://github.com/mrt181) made their first contribution in [#5364](jesseduffield/lazygit#5364)

**Full Changelog**: <jesseduffield/lazygit@v0.60.0...v0.61.0>

---

### Configuration

📅 **Schedule**: (UTC)
- Branch creation - At any time (no schedule defined)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Re-submission of #5422. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
### Summary

This PR pins all GitHub Actions to immutable commit SHAs and extracts an inline secret from a `run:` block into an `env:` mapping.

### How to verify

Review the diff; each change is mechanical and preserves workflow behavior:

- `action@v3` becomes `action@abc123 # v3`, original version preserved as comment
- `${{ secrets.* }}` in `run:` moves to `env:` block, referenced as `"${ENV_VAR}"` in the script

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.

If you have any questions, reach out. I'll be monitoring comms.

- Chris (dagecko)
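As an added example, not code from this PR, from lazygit, or from Runner Guard, the following Python script checks a workflow for the two mechanical changes the description lists and performs the verification Stefan asked about earlier in the thread: it flags `uses:` references that are not 40-hex commit SHAs, SHA pins that lack the `# vN` comment, and `${{ secrets.* }}` expressions inside `run:` scripts (single-line or `run: |` blocks), and it checks each pin comment against `git ls-remote --tags` output so the SHA can be confirmed to be the commit the tag points to. The workflow snippet, the action names, the SHAs, the `CODACY_TOKEN` variable name, the `upload-coverage.sh` script and the ls-remote output are all constructed sample input, not taken from the lazygit repository.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")

def parse_uses(ref):
    # 'owner/repo@ref' -> (action, ref); local paths and docker:// images carry no SHA pin
    ref = ref.strip("\"'")
    if ref.startswith("docker://") or "@" not in ref:
        return ref, None
    action, _, version = ref.rpartition("@")
    return action, version

def scan_workflow(text):
    """(line, kind, detail) for unpinned actions, SHA pins without a version comment, and secrets in run:."""
    findings, run_indent = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if run_indent is not None:  # inside a `run: |` block until indentation drops back
            if line.strip() and len(line) - len(line.lstrip()) <= run_indent:
                run_indent = None
            else:
                findings += [(lineno, "secret-in-run", e) for e in SECRET_RE.findall(line)]
                continue
        if m := USES_RE.match(line):
            action, version = parse_uses(m.group(1))
            if version is not None and not SHA_RE.match(version):
                findings.append((lineno, "unpinned-action", m.group(1)))
            elif version is not None and not m.group(2):
                findings.append((lineno, "missing-version-comment", m.group(1)))
        elif m := RUN_RE.match(line):
            if m.group(1).lstrip().startswith(("|", ">")):
                run_indent = len(line) - len(line.lstrip(" -"))  # column of the run: key
            else:
                findings += [(lineno, "secret-in-run", e) for e in SECRET_RE.findall(line)]
    return findings

def parse_ls_remote(output):
    """Map tag -> commit SHA from `git ls-remote --tags` output. An annotated tag is listed
    twice; the peeled 'refs/tags/v3^{}' line is the commit a pin must match, not the tag object."""
    tags = {}
    for line in filter(str.strip, output.splitlines()):
        sha, ref = line.split()
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags

def verify_pins(text, ls_remote_by_action):
    """For each `uses: action@<sha> # <tag>`: (line, action, tag, ok | mismatch | tag-not-found)."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or not m.group(2):
            continue
        action, version = parse_uses(m.group(1))
        if version is None or not SHA_RE.match(version):
            continue
        expected = parse_ls_remote(ls_remote_by_action.get(action, "")).get(m.group(2))
        status = "tag-not-found" if expected is None else "ok" if expected == version else "mismatch"
        results.append((lineno, action, m.group(2), status))
    return results

# Constructed workflow: the 'before' shapes the PR replaces next to the 'after' shapes it introduces.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@1111111111111111111111111111111111111111 # v5
      - uses: actions/cache@2222222222222222222222222222222222222222
      - uses: actions/upload-artifact@4444444444444444444444444444444444444444 # v7
      - uses: example/unlisted-action@6666666666666666666666666666666666666666 # v1
      - uses: ./.github/actions/local-thing
      - run: |
          ./upload-coverage.sh -t ${{ secrets.CODACY_TOKEN }}
      - env:
          CODACY_TOKEN: ${{ secrets.CODACY_TOKEN }}
        run: ./upload-coverage.sh -t "${CODACY_TOKEN}"
      - run: echo ${{ secrets.OTHER }}
"""
# Constructed `git ls-remote --tags` output per action; setup-go's v5 is modelled as an annotated tag.
LS_REMOTE = {
    "actions/setup-go": "3333333333333333333333333333333333333333\trefs/tags/v5\n"
                        "1111111111111111111111111111111111111111\trefs/tags/v5^{}\n",
    "actions/upload-artifact": "5555555555555555555555555555555555555555\trefs/tags/v7\n",
}

if __name__ == "__main__":
    for finding in scan_workflow(WORKFLOW):
        print("finding:", *finding)
    for result in verify_pins(WORKFLOW, LS_REMOTE):
        print("pin:", *result)
```

Against a real repository, replace the `LS_REMOTE` entries with the output of `git ls-remote --tags https://github.com/<owner>/<repo>` for each action named in the workflow; the `# vN` comment the PR preserves is what makes that lookup possible. The `^{}` handling is the point most easily missed: for an annotated tag the first line is the tag object, and only the peeled line is the commit a pin should equal. A pin confirmed this way is known to match its tag at the time of the check, which covers the first half of the reviewer's concern (do the hashes point at their tags) but not the second (is the code at that commit trustworthy).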