From 99034cac307668dedbf88ca32faca66207b15620 Mon Sep 17 00:00:00 2001
From: Chris Nyhuis
Date: Thu, 26 Mar 2026 11:51:39 -0400
Subject: [PATCH] fix: pin 5 unpinned action(s),extract 1 unsafe expression(s) to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).
Changes:
.github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml | 4 ++--
.github/workflows/daily-repo-status.lock.yml | 3 ++-
.github/workflows/links.yml | 4 ++--
.github/workflows/lock.yml | 2 +-
4 files changed, 7 insertions(+), 6 deletions(-)
---
 .../workflows/azure-static-web-apps-ashy-river-0debb7803.yml | 4 ++--
 .github/workflows/daily-repo-status.lock.yml | 3 ++-
 .github/workflows/links.yml | 4 ++--
 .github/workflows/lock.yml | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml b/.github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml
index d528a5dac..f16c773c4 100644
--- a/.github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml
+++ b/.github/workflows/azure-static-web-apps-ashy-river-0debb7803.yml
@@ -13,7 +13,7 @@ jobs:
 submodules: true
 - name: Build And Deploy
 id: builddeploy
- uses: Azure/static-web-apps-deploy@v1
+ uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
 with:
 azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ASHY_RIVER_0DEBB7803 }}
 repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
@@ -32,7 +32,7 @@ jobs:
 steps:
 - name: Close Pull Request
 id: closepullrequest
- uses: Azure/static-web-apps-deploy@v1
+ uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
 with:
 azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ASHY_RIVER_0DEBB7803 }}
 action: "close"
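Review bot: The trailing comment on the pinned `Build And Deploy` step is only `# v1`, a floating major tag, so nothing in the file records which release the hash `1a947af9992250f3bc2e68ad0754c0b0c11566c9` was resolved from; the same applies to the `Close Pull Request` hunk and to the `# v2`, `# v5` and `# v1.1` pins in links.yml and lock.yml. Because these hashes were produced by an automated tool and the steps receive `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_ASHY_RIVER_0DEBB7803` and `secrets.GITHUB_TOKEN`, each one should be checked against the upstream repository's own tag (a commit that exists only in a fork also resolves under the parent repository's name) before merging. I would make the comment name the exact release, in the form `# v1 (resolved from tag <exact-release-tag>)`, and add a Dependabot `github-actions` entry so the pins do not silently go stale. Both `with:` blocks continue outside the hunks shown.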
diff --git a/.github/workflows/daily-repo-status.lock.yml b/.github/workflows/daily-repo-status.lock.yml
index 1d1bcc5c8..95d758b25 100644
--- a/.github/workflows/daily-repo-status.lock.yml
+++ b/.github/workflows/daily-repo-status.lock.yml
@@ -108,12 +108,13 @@ jobs:
 env:
 REPO_NAME: ${{ github.repository }}
 SERVER_URL: ${{ github.server_url }}
+ GITHUB_TOKEN: ${{ github.token }}
 run: |
 git config --global user.email "github-actions[bot]@users.noreply.github.com"
 git config --global user.name "github-actions[bot]"
 # Re-authenticate git with GitHub token
 SERVER_URL_STRIPPED="${SERVER_URL#https://}"
- git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
+ git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git"
 echo "Git configured with standard GitHub Actions identity"
 - name: Checkout PR branch
 id: checkout-pr
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index b952ad8a8..c1bbbbb79 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -16,13 +16,13 @@ jobs:
 - name: Link Checker
 id: lychee
- uses: lycheeverse/lychee-action@v2
+ uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
 with:
 fail: false
 - name: Create Issue From File
 if: steps.lychee.outputs.exit_code != 0
- uses: peter-evans/create-issue-from-file@v5
+ uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5
 with:
 title: Link Checker Report
 content-filepath: ./lychee/out.md
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 6984af78f..3dd6bea14 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -8,6 +8,6 @@ jobs:
 lock:
 runs-on: ubuntu-latest
 steps:
- - uses: OSDKDev/lock-issues@v1.1
+ - uses: OSDKDev/lock-issues@2372e7b39b61a49bb1980dbd3544837d7d40f01d # v1.1
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
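Review bot: In daily-repo-status.lock.yml the token is still embedded in the `origin` remote URL by `git remote set-url`, so after this step it is stored in `.git/config`, where every later step in the job can read it; routing it through `env` changes how the value reaches the shell, not where it ends up. `github.token` is not attacker-influenced, so the inline expression was the lower-risk part of this step and the persisted credential is what deserves the review. At minimum I would add `# NOTE: token is persisted in .git/config via the remote URL; reset the URL once pushes are done` above the `git remote set-url` line, and check whether later steps really need a stored credential. The step starts above the hunk, and the `.lock.yml` suffix suggests this file may be generated from another source, in which case a hand edit here would be lost on regeneration and the fix belongs upstream — worth confirming.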