fix: pin 69 unpinned action(s), extract 2 unsafe expression(s) to env vars #45010

Closed
dagecko wants to merge 1 commit into huggingface:main from dagecko:runner-guard/fix-ci-security
Conversation

@dagecko dagecko commented Mar 26, 2026

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

| Rule | Severity | File | Description |
|---|---|---|---|
| RGS-002 | high | .github/workflows/benchmark.yml | Extracted 1 unsafe expression(s) to env vars |
| RGS-007 | high | .github/workflows/build-ci-docker-images.yml | Pinned 4 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/build-docker-images.yml | Pinned 29 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/build-nightly-ci-docker-images.yml | Pinned 6 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/build-past-ci-docker-images.yml | Pinned 6 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/build_documentation.yml | Pinned 2 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/build_pr_documentation.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/check-workflow-permissions.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/codeql.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/model_jobs.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/pr_build_doc_with_comment.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/release-conda.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/release.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/self-scheduled-amd-mi250-caller.yml | Pinned 4 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/self-scheduled-amd-mi325-caller.yml | Pinned 4 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/self-scheduled-amd-mi355-caller.yml | Pinned 4 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/ssh-runner.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-007 | high | .github/workflows/trufflehog.yml | Pinned 1 third-party action(s) to commit SHA |
| RGS-002 | high | .github/workflows/update_metdata.yml | Extracted 1 unsafe expression(s) to env vars |
| RGS-007 | high | .github/workflows/upload_pr_documentation.yml | Pinned 1 third-party action(s) to commit SHA |

Advisory: additional findings (manual review recommended)

| Rule | Severity | File | Description |
|---|---|---|---|
| RGS-008 | high | .github/workflows/benchmark_v2.yml | Secret Directly Interpolated in run Block |
| RGS-012 | high | .github/workflows/circleci-failure-summary-comment.yml | Secret Exfiltration via Outbound HTTP Request |
| RGS-004 | high | .github/workflows/pr-repo-consistency-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr-repo-consistency-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr-repo-consistency-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr-repo-consistency-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr_build_doc_with_comment.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr_build_doc_with_comment.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr_build_doc_with_comment.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr_build_doc_with_comment.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/self-comment-ci.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/trl-ci-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/trl-ci-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/trl-ci-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/trl-ci-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/trl-ci-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/trl-ci-bot.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-005 | medium | .github/workflows/assign-reviewers.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/circleci-failure-summary-comment.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/pr-repo-consistency-bot.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/pr-repo-consistency-bot.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/pr_build_doc_with_comment.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/pr_build_doc_with_comment.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/pr_build_doc_with_comment.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/pr_slow_ci_suggestion.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/self-comment-ci.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/self-comment-ci.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/self-comment-ci.yml | Excessive Permissions on Untrusted Trigger |
| RGS-005 | medium | .github/workflows/self-comment-ci.yml | Excessive Permissions on Untrusted Trigger |

Why this matters

GitHub Actions workflows that use untrusted input in `run:` blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • Expression extraction (RGS-002/008/014): Moves `${{ }}` expressions from
    `run:` blocks into `env:` mappings, preventing shell injection
  • SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
    (original version tag preserved as comment)
  • Debug env removal (RGS-015): Removes `ACTIONS_RUNNER_DEBUG`/`ACTIONS_STEP_DEBUG`
    which leak secrets in workflow logs

Run `brew install Vigilant-LLC/tap/runner-guard && runner-guard scan .` or install from the
repo to verify.


Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

…vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/benchmark.yml                    |  3 +-
 .github/workflows/build-ci-docker-images.yml       |  8 +--
 .github/workflows/build-docker-images.yml          | 58 +++++++++++-----------
 .../workflows/build-nightly-ci-docker-images.yml   | 12 ++---
 .github/workflows/build-past-ci-docker-images.yml  | 12 ++---
 .github/workflows/build_documentation.yml          |  4 +-
 .github/workflows/build_pr_documentation.yml       |  2 +-
 .github/workflows/check-workflow-permissions.yml   |  2 +-
 .github/workflows/codeql.yml                       |  2 +-
 .github/workflows/model_jobs.yml                   |  2 +-
 .github/workflows/pr_build_doc_with_comment.yml    |  2 +-
 .github/workflows/release-conda.yml                |  2 +-
 .github/workflows/release.yml                      |  2 +-
 .../workflows/self-scheduled-amd-mi250-caller.yml  |  8 +--
 .../workflows/self-scheduled-amd-mi325-caller.yml  |  8 +--
 .../workflows/self-scheduled-amd-mi355-caller.yml  |  8 +--
 .github/workflows/ssh-runner.yml                   |  2 +-
 .github/workflows/trufflehog.yml                   |  2 +-
 .github/workflows/update_metdata.yml               |  5 +-
 .github/workflows/upload_pr_documentation.yml      |  2 +-
 20 files changed, 75 insertions(+), 71 deletions(-)
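The two mechanical fixes the PR describes (moving `${{ }}` expressions out of `run:` into `env:`, and pinning third-party actions to a full commit SHA with the original tag kept as a comment) are easy to check for by hand on a single workflow. The script below is an added example written for this page, not Runner Guard's scanner and not the PR's diff: it embeds a constructed vulnerable workflow fragment beside its hardened form and implements a minimal line-based detector for the two rule classes (unpinned `uses:` references, and expressions inside `run:` blocks). The workflow content, action names and the 40-hex SHAs are constructed placeholders.

```python
import re

# --- Constructed sample workflows (illustrative, not the PR's diff) ---

# Vulnerable form: tag/branch-pinned actions and untrusted context values
# interpolated straight into a shell block.
VULNERABLE_WORKFLOW = """\
name: benchmark
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@main
      - name: Report
        run: |
          echo "Benchmarking ${{ github.event.pull_request.title }}"
          ./run_bench.sh --ref "${{ github.head_ref }}"
"""

# Same workflow after the two fixes: actions pinned to a full commit SHA with
# the tag kept as a trailing comment, and expressions moved into `env:` so the
# shell only ever sees an environment variable. The SHAs are placeholders.
HARDENED_WORKFLOW = """\
name: benchmark
on:
  pull_request_target:
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4
      - uses: example-org/example-action@2222222222222222222222222222222222222222 # main
      - name: Report
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Benchmarking $PR_TITLE"
          ./run_bench.sh --ref "$HEAD_REF"
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_no, uses_ref) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions (./path) and docker:// images are outside the SHA-pinning rule.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append((no, ref))
    return findings


def find_run_expressions(workflow_text):
    """Return (line_no, expression) for every ${{ }} expression inside a run: block."""
    findings = []
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        # Indentation of the `run` key; a block scalar continues while lines
        # are indented deeper than the key (blank lines do not end it).
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        body = [(i + 1, m.group(3))]
        j = i + 1
        while j < len(lines):
            line = lines[j]
            if line.strip() == "":
                j += 1
                continue
            if len(line) - len(line.lstrip()) <= key_indent:
                break
            body.append((j + 1, line))
            j += 1
        for no, text in body:
            for expr in EXPR_RE.findall(text):
                findings.append((no, expr))
        i = j
    return findings


def scan(workflow_text):
    """Both checks over one workflow; an empty result means both rules pass."""
    return {
        "unpinned_actions": find_unpinned_actions(workflow_text),
        "run_expressions": find_run_expressions(workflow_text),
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, scan(text))
```

The detector is deliberately line-based, so it covers the common block-scalar layout and will miss flow-style mappings or YAML anchors; a real scanner should parse the YAML. Note also that `$PR_TITLE` in the hardened form is only safe because it is expanded by the shell as data, not re-parsed as code, which is exactly what the `env:` indirection buys.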
@Rocketknight1 (Member)

cc @tarekziade @ydshieh, feel free to close it if you're not interested


dagecko commented Mar 26, 2026

Hey @tarekziade @ydshieh — this PR pins third-party actions to commit SHAs and extracts expressions from run blocks to prevent shell injection. These are the same vulnerability classes being actively exploited in the tj-actions, Trivy, LiteLLM supply chain attack chain. We scanned the top 50K repos on GitHub and over 20,000 have the same vulns that TeamPCP used. The blast radius potential is pretty crazy. We're submitting PRs on as many of them as we can. More context on what we're finding: https://x.com/vigilance_one/status/2036581210663616729

Happy to answer any questions.

— Chris Nyhuis, Vigilant

@dagecko dagecko closed this by deleting the head repository Mar 26, 2026

dagecko commented Mar 27, 2026

Resubmitted as #45077. Had a problem with my fork, apologies for the noise.
