Problem
.github/workflows/nightly.yml uses two unsafe action references on main.
File cites
.github/workflows/nightly.yml:12 — uses: actions/checkout@v2
.github/workflows/nightly.yml:16 — uses: EndBug/latest-tag@latest
Actual
actions/checkout@v2 runs on Node 16 (EOL April 2024); the brownouts GitHub schedules for Node 16 actions make v2 workflows fail. This job runs only on a schedule (cron: '0 20 */1 * *'), so the breakage never surfaces as a failed PR check; it will silently break.
EndBug/latest-tag@latest is a mutable ref: whoever controls the upstream repo can move latest to new code at any time, and this workflow will run that code on its next scheduled run with no change on our side. The step has ssh-key: ${{ secrets.COMMIT_KEY }} in scope, so a compromise of EndBug/latest-tag (or of the account that publishes it) would expose that secret.
Expected
- Bump actions/checkout to @v4 (matches ast-grep-lint.yml, docker.yml, gpt-translate.yml, release-vscode.yml on the same repo). v4 is still a moving tag; pinning it to a SHA as well is the stronger form.
- Pin EndBug/latest-tag to a full commit SHA (per GitHub's action-hardening guidance); the repo already pins autofix-ci/action@551dded8c6cc8a1054039c8bc0b8b48c51dfc6ef in autofix-pnpm.yml, so this only extends an existing convention.
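As an added example (not from this issue and not code from TabbyML/tabby), a POSIX shell audit that flags every uses: line not pinned to a 40-hex commit SHA, run against a constructed workflow that mirrors the two cited lines, plus a helper that resolves a tag or branch to the commit it currently points at so the flagged line can be rewritten. The sample file, the function names and the local ./ step are assumptions made for the example; the repo, ref and SHA values for the fix have to come from git ls-remote at the time of the change.

```shell
#!/bin/sh
# Added example, not code from the issue or from TabbyML/tabby.
# Flags `uses:` references that are not pinned to a 40-hex commit SHA and
# shows how to resolve a moving ref to the commit it currently points at.

# Constructed sample that mirrors nightly.yml:12 and :16 as cited in the
# issue; every other line is invented for this example.
write_sample() {
  cat >"$1" <<'EOF'
name: nightly
on:
  schedule:
    - cron: '0 20 */1 * *'
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: EndBug/latest-tag@latest
      - uses: autofix-ci/action@551dded8c6cc8a1054039c8bc0b8b48c51dfc6ef
      - uses: ./.github/actions/local-step
EOF
}

# list_unpinned FILE: print FILE:LINE:OWNER/REPO@REF for every remote action
# whose ref is not a full commit SHA. Tags (v2, latest) and branches are all
# mutable; only a 40-hex SHA is immutable. Local (./) and docker:// steps
# are skipped because SHA pinning of a GitHub repo does not apply to them.
list_unpinned() {
  awk -v f="$1" '
    /^[ \t]*-?[ \t]*uses:[ \t]*/ {
      ref = $0
      sub(/^[ \t]*-?[ \t]*uses:[ \t]*/, "", ref)
      sub(/[ \t]*#.*$/, "", ref)               # drop trailing YAML comment
      sub(/[ \t]+$/, "", ref)
      gsub(/["'\'']/, "", ref)                  # "owner/repo@ref" quoting
      if (index(ref, "./") == 1 || index(ref, "docker://") == 1) next
      n = split(ref, part, "@")
      if (n != 2 || length(part[2]) != 40 || part[2] !~ /^[0-9a-f]+$/)
        print f ":" NR ":" ref
    }' "$1"
}

# resolve_ref OWNER/REPO REF: print the commit SHA that tag or branch REF
# points at right now. Annotated tags are peeled (the "^{}" line from
# ls-remote) so the result is the commit, not the tag object. Needs network
# access to github.com, so the offline demo below does not call it.
resolve_ref() {
  git ls-remote "https://github.com/$1" |
    awk -v t="refs/tags/$2" -v h="refs/heads/$2" '
      $2 == t || $2 == (t "^{}") || $2 == h { sha = $1 }
      END { if (sha == "") exit 1; print sha }'
}

# Offline demo: only the checkout@v2 and latest-tag@latest lines are flagged.
sample=$(mktemp)
write_sample "$sample"
list_unpinned "$sample"
rm -f "$sample"
# To rewrite a flagged line, e.g. the second hit (needs network):
#   sha=$(resolve_ref EndBug/latest-tag latest)
#   sed -i "s|EndBug/latest-tag@latest|EndBug/latest-tag@$sha # latest|" \
#     .github/workflows/nightly.yml
```

Keeping the human-readable tag as a trailing comment after the SHA is the convention Dependabot understands, so the pinned line still gets version-bump PRs. Running list_unpinned over every file under .github/workflows/ is the check to add to CI so a future @latest or @main does not slip back in.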
Environment
Repo default branch main, HEAD as of 2026-07-04. Cross-checked: nightly.yml unchanged since 2023-09-08 (commit 81ef570c). Not covered by #4506 (that issue targets permissions: on release branches only).
Thanks for maintaining TabbyML/tabby!