nightly.yml: deprecated actions/checkout@v2 + mutable EndBug/latest-tag@latest #4512

Description

@chirag127

Problem

.github/workflows/nightly.yml uses two unsafe action references on main.

File cites

  • .github/workflows/nightly.yml:12 uses: actions/checkout@v2
  • .github/workflows/nightly.yml:16 uses: EndBug/latest-tag@latest

Actual

  1. actions/checkout@v2 runs on Node 16 (EOL April 2024); GitHub-scheduled brownouts fail v2 workflows. This scheduled job (cron: '0 20 */1 * *') will silently break.
  2. EndBug/latest-tag@latest is a mutable ref. The step has ssh-key: ${{ secrets.COMMIT_KEY }}; a compromise of EndBug/latest-tag would expose that secret.

Expected

  • Pin actions/checkout@v4 (matches ast-grep-lint.yml, docker.yml, gpt-translate.yml, release-vscode.yml on the same repo).
  • Pin EndBug/latest-tag to a SHA (per GitHub-hardening guidance) — the repo already pins autofix-ci/action@551dded8c6cc8a1054039c8bc0b8b48c51dfc6ef in autofix-pnpm.yml.

Environment

Repo default branch main, HEAD as of 2026-07-04. Cross-checked: nightly.yml unchanged since 2023-09-08 (commit 81ef570c). Not covered by #4506 (that issue targets permissions: on release branches only).

Thanks for maintaining TabbyML/tabby!
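
A check for the condition this issue reports, as an added example (not part of the original issue and not TabbyML's code): it flags third-party `uses:` references that are not pinned to a full 40-character commit SHA and lists any secrets referenced in the same step. The workflow text is a constructed sample that follows the issue's description, not the real nightly.yml, and `audit_workflow` is a hypothetical helper name.

```python
import re

# Constructed sample following the issue's description of the two references;
# it is NOT the real contents of .github/workflows/nightly.yml.
SAMPLE_WORKFLOW = """\
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: EndBug/latest-tag@latest
        with:
          ssh-key: ${{ secrets.COMMIT_KEY }}
      - uses: autofix-ci/action@551dded8c6cc8a1054039c8bc0b8b48c51dfc6ef
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
STEP_RE = re.compile(r"^\s*-\s")          # simplification: any list item starts a step
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")      # full commit SHA, the only immutable ref form

def audit_workflow(text):
    """Return one finding per step whose action ref is a tag or branch, not a SHA."""
    steps, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if STEP_RE.match(line):
            current = {"uses": None, "line": None, "secrets": []}
            steps.append(current)
        if current is None:
            continue
        m = USES_RE.match(line)
        if m:
            current["uses"], current["line"] = m.group(1), lineno
        current["secrets"] += SECRET_RE.findall(line)
    findings = []
    for s in steps:
        ref = s["uses"]
        if not ref or ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        name, _, version = ref.partition("@")
        if not SHA_RE.fullmatch(version):
            findings.append({"line": s["line"], "action": name,
                             "ref": version, "secrets": s["secrets"]})
    return findings

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is mutable; "
              f"secrets in step: {', '.join(f['secrets']) or 'none'}")
```

Line numbers in the findings refer to the constructed sample, not to the repository file.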
