mirror of
https://github.com/Hack-with-Github/Awesome-Hacking.git
synced 2026-07-11 14:47:12 -05:00
[PR #191] fix: harden GitHub Actions workflows #529
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/Hack-with-Github/Awesome-Hacking/pull/191
Author: @dagecko
Created: 3/30/2026
Status: 🔄 Open
Base:
master← Head:runner-guard/fix-ci-security📝 Commits (2)
33bba3dfix: harden GitHub Actions workflowsfd22b4bfix: bump dessant/lock-threads to v6 and pin to SHA📊 Changes
1 file changed (+1 additions, -1 deletions)
View changed files
📝
.github/workflows/lock-threads.yml(+1 -1)📄 Description
Re-submission of #190. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.
How to verify
Review the diff, each change is mechanical and preserves workflow behavior:
action@v3becomesaction@abc123 # v3, original version preserved as commentI've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.
If you have any questions, reach out. I'll be monitoring comms.
- Chris (dagecko)
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.