[PR #191] fix: harden GitHub Actions workflows #2391

Open
opened 2026-06-08 22:05:59 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Hack-with-Github/Awesome-Hacking/pull/191
Author: @dagecko
Created: 3/30/2026
Status: 🔄 Open

Base: masterHead: runner-guard/fix-ci-security


📝 Commits (2)

  • 33bba3d fix: harden GitHub Actions workflows
  • fd22b4b fix: bump dessant/lock-threads to v6 and pin to SHA

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 .github/workflows/lock-threads.yml (+1 -1)

📄 Description

Re-submission of #190. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.

How to verify

Review the diff, each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3, original version preserved as comment
  • No workflow logic, triggers, or permissions are modified

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.

If you have any questions, reach out. I'll be monitoring comms.

- Chris (dagecko)


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Hack-with-Github/Awesome-Hacking/pull/191 **Author:** [@dagecko](https://github.com/dagecko) **Created:** 3/30/2026 **Status:** 🔄 Open **Base:** `master` ← **Head:** `runner-guard/fix-ci-security` --- ### 📝 Commits (2) - [`33bba3d`](https://github.com/Hack-with-Github/Awesome-Hacking/commit/33bba3d806f64ba47f99db954c835a84dc5a2d49) fix: harden GitHub Actions workflows - [`fd22b4b`](https://github.com/Hack-with-Github/Awesome-Hacking/commit/fd22b4ba09447b4f72db49d51a85d95d0296bb59) fix: bump dessant/lock-threads to v6 and pin to SHA ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/lock-threads.yml` (+1 -1) </details> ### 📄 Description Re-submission of #190. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise. ## Summary This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings. ## How to verify Review the diff, each change is mechanical and preserves workflow behavior: - **SHA pinning**: `action@v3` becomes `action@abc123 # v3`, original version preserved as comment - No workflow logic, triggers, or permissions are modified I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it [here](https://github.com/Vigilant-LLC/runner-guard) so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks [on Twitter](https://x.com/vigilance_one) if you want to stay in the loop. If you have any questions, reach out. I'll be monitoring comms. \- Chris (dagecko) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-08 22:05:59 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/Awesome-Hacking#2391