From dc7d9661e3f32443088f7ebe646a72615372edf1 Mon Sep 17 00:00:00 2001 From: Chris Nyhuis Date: Fri, 3 Apr 2026 18:17:40 -0400 Subject: [PATCH] fix: pin 27 unpinned action(s),extract 2 unsafe expression(s) to env vars Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/azure-login-canary.yml | 12 ++++++---- .../workflows/azure-login-integration-tests.yml | 28 ++++++++++++---------- .github/workflows/azure-login-negative.yml | 6 ++--- .github/workflows/azure-login-positive.yml | 16 ++++++------- 4 files changed, 33 insertions(+), 29 deletions(-) --- .github/workflows/azure-login-canary.yml | 12 ++++---- .../azure-login-integration-tests.yml | 28 ++++++++++--------- .github/workflows/azure-login-negative.yml | 6 ++-- .github/workflows/azure-login-positive.yml | 16 +++++------ 4 files changed, 33 insertions(+), 29 deletions(-) diff --git a/.github/workflows/azure-login-canary.yml b/.github/workflows/azure-login-canary.yml index eb4ef84de..525ab42cf 100644 --- a/.github/workflows/azure-login-canary.yml +++ b/.github/workflows/azure-login-canary.yml @@ -33,7 +33,7 @@ jobs: uses: actions/checkout@v6 - name: 'Az CLI login with subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} @@ -41,7 +41,7 @@ jobs: az account show --output none - name: 'Az CLI login without subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} allow-no-subscriptions: true @@ -50,7 +50,7 @@ jobs: az account show --output none - name: 'Az CLI login with subscription OIDC' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: client-id: ${{ secrets.AZURE_CLIENTID }} tenant-id: ${{ secrets.AZURE_TENANTID }} 
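Review bot: `uses: actions/checkout@v6` on the first context line of the `@@ -33` hunk is still a floating tag, so this workflow is not fully pinned even though the subject line says every unpinned action was pinned. Unless Runner Guard deliberately exempts GitHub-maintained `actions/*` (in which case the commit message should say so), it should be pinned the same way as the `azure/login` lines, e.g. `uses: actions/checkout@<commit-sha-of-the-v6-release> # v6.<x>.<y>` (placeholders). The enclosing job definition starts outside the hunk.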
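Review bot: Pinning `uses: azure/login@v1` to a fixed commit in the `@@ -41` hunk (and the other `azure/login` pins in this file and in `azure-login-integration-tests.yml`) changes what the canary exercises: judging by the workflow names, these appear to be the action's own canary and integration workflows, in which case the step was previously testing whatever the published `v1` tag resolves to, which is what consumers receive. After this change a moved or bad `v1` tag would no longer be caught by the canary. If the pin is intended, a comment such as `# pinned: canary tests this exact commit, not the moving v1 tag` should record that; otherwise these particular `uses:` lines should be excluded from the pinning rule. This is inferred from file names, so confirm against the repository.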
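Review bot: The trailing comment on the pinned line in the `@@ -50` hunk, `# v1`, and likewise `# v3` on every `azure/powershell` pin later in the patch, records only the floating major alias rather than the release the SHA corresponds to. A reviewer cannot audit `cb79c773a3cfa27f31f25eb3f677781210c9ce3d` against a release from that comment, and tools such as Dependabot read the comment to decide which version is currently installed; the convention is the exact tag, e.g. `uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.<x>.<y>` (placeholder minor/patch). Before merge, also confirm each SHA is reachable from a tag on the upstream repository rather than a fork, since a SHA pin only helps if the commit it freezes was itself vetted.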
@@ -60,7 +60,7 @@ jobs: az account show --output none - name: 'Az CLI login without subscription OIDC' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: client-id: ${{ secrets.AZURE_CLIENTID }} tenant-id: ${{ secrets.AZURE_TENANTID }} @@ -88,4 +88,6 @@ jobs: echo "report=$REPORT" >> $GITHUB_OUTPUT - name: Post to slack shell: bash - run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}} + run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${SLACK_CHANNEL_SECRET} + env: + SLACK_CHANNEL_SECRET: ${{SECRETS.SLACK_CHANNEL_SECRET}} diff --git a/.github/workflows/azure-login-integration-tests.yml b/.github/workflows/azure-login-integration-tests.yml index a746e74f0..e3d50712f 100644 --- a/.github/workflows/azure-login-integration-tests.yml +++ b/.github/workflows/azure-login-integration-tests.yml @@ -14,7 +14,7 @@ jobs: # continue-on-error: true steps: - name: 'Az CLI login with subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} @@ -23,7 +23,7 @@ jobs: az vm list --output none - name: 'Az CLI login without subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} allow-no-subscriptions: true 
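Review bot: The `run:` line in the `@@ -88` hunk still interpolates `${{steps.slack_report.outputs.report}}` directly into the shell command, so only one of the two expressions in this step was extracted; a step output embedded in a single-quoted JSON string is a script-injection vector if anything in `$REPORT` (assembled outside the hunk, see `echo "report=$REPORT" >> $GITHUB_OUTPUT`) is influenced by untrusted input, and even a benign `'` in the report breaks both the shell quoting and the JSON. Moving the output into `env:` next to `SLACK_CHANNEL_SECRET` and building the payload with `jq --arg` keeps both values out of the command text and yields valid JSON for any report content. The same pattern is left in `.github/workflows/azure-login-integration-tests.yml` at `@@ -126`. While there, `${{SECRETS.SLACK_CHANNEL_SECRET}}` works because context names are case-insensitive, but the conventional spelling is `${{ secrets.SLACK_CHANNEL_SECRET }}`. `jq` is available on GitHub-hosted runners; a self-hosted runner would need it installed.
```yaml
      - name: Post to slack
        shell: bash
        env:
          REPORT: ${{ steps.slack_report.outputs.report }}
          SLACK_CHANNEL_SECRET: ${{ secrets.SLACK_CHANNEL_SECRET }}
        run: |
          payload=$(jq -cn --arg text "$REPORT" \
            '{blocks: [{type: "section", text: {type: "mrkdwn", text: $text}}]}')
          curl -sS --fail -X POST -H 'Content-type:application/json' \
            --data "$payload" "https://hooks.slack.com/services/${SLACK_CHANNEL_SECRET}"
```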
@@ -32,24 +32,24 @@ jobs: az account show --output none - name: 'Azure PowerShell login with subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - - uses: azure/powershell@v3 + - uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: inlineScript: "(Get-AzContext).Environment.Name" azPSVersion: "latest" - name: 'Azure PowerShell login without subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: creds: ${{secrets.AZURE_CREDENTIALS}} enable-AzPSSession: true allow-no-subscriptions: true - - uses: azure/powershell@v3 + - uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: inlineScript: "(Get-AzContext).Environment.Name" azPSVersion: "latest" @@ -59,7 +59,7 @@ jobs: # continue-on-error: true steps: - name: 'Az CLI login with subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: client-id: ${{ secrets.AZURE_CLIENTID }} tenant-id: ${{ secrets.AZURE_TENANTID }} @@ -70,7 +70,7 @@ jobs: az vm list --output none - name: 'Az CLI login without subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: client-id: ${{ secrets.AZURE_CLIENTID }} tenant-id: ${{ secrets.AZURE_TENANTID }} 
@@ -80,27 +80,27 @@ jobs: az account show --output none - name: 'Azure PowerShell login with subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: client-id: ${{ secrets.AZURE_CLIENTID }} tenant-id: ${{ secrets.AZURE_TENANTID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} enable-AzPSSession: true - - uses: azure/powershell@v3 + - uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: inlineScript: "(Get-AzContext).Environment.Name" azPSVersion: "latest" - name: 'Azure PowerShell login without subscription' - uses: azure/login@v1 + uses: azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1 with: client-id: ${{ secrets.AZURE_CLIENTID }} tenant-id: ${{ secrets.AZURE_TENANTID }} enable-AzPSSession: true allow-no-subscriptions: true - - uses: azure/powershell@v3 + - uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: inlineScript: "(Get-AzContext).Environment.Name" azPSVersion: "latest" @@ -126,4 +126,6 @@ jobs: - name: Post to slack shell: bash - run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}} + run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${SLACK_CHANNEL_SECRET} + env: + SLACK_CHANNEL_SECRET: ${{SECRETS.SLACK_CHANNEL_SECRET}} diff --git a/.github/workflows/azure-login-negative.yml b/.github/workflows/azure-login-negative.yml index 37c39faed..4e445fe27 100644 --- a/.github/workflows/azure-login-negative.yml +++ b/.github/workflows/azure-login-negative.yml 
@@ -58,7 +58,7 @@ jobs: - name: Run Azure PowerShell id: ps_3 continue-on-error: true - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -186,7 +186,7 @@ jobs: - name: Run Azure PowerShell id: ps_8 continue-on-error: true - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -216,7 +216,7 @@ jobs: - name: Run Azure PowerShell id: ps_9 continue-on-error: true - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | diff --git a/.github/workflows/azure-login-positive.yml b/.github/workflows/azure-login-positive.yml index 340d3b828..d9e7e1d8e 100644 --- a/.github/workflows/azure-login-positive.yml +++ b/.github/workflows/azure-login-positive.yml @@ -47,7 +47,7 @@ jobs: az vm list --output none - name: Run Azure PowerShell - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -69,7 +69,7 @@ jobs: az account show --output none - name: Run Azure PowerShell again - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -92,7 +92,7 @@ jobs: az vm list --output none - name: Run Azure PowerShell - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -160,7 +160,7 @@ jobs: az vm list --output none - name: Run Azure PowerShell - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | 
@@ -183,7 +183,7 @@ jobs: az account show --output none - name: Run Azure PowerShell again - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -209,7 +209,7 @@ jobs: } - name: Run Azure PowerShell - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -230,7 +230,7 @@ jobs: az account show --output none - name: Run Azure PowerShell - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: | @@ -309,7 +309,7 @@ jobs: az group list --output none - name: Run Azure PowerShell again - uses: azure/powershell@v3 + uses: azure/powershell@f5b8adcfff1904872c7b98d4012d4914d74b1a82 # v3 with: azPSVersion: "latest" inlineScript: |