Replace GitHub Action runners with WarpBuild runners #7597
Merged
probelabs / Visor: security
succeeded
Dec 5, 2025 in 39s
✅ Check Passed (Warnings Found)
security check passed. Found 1 warning, but fail_if condition was not met.
Details
📊 Summary
- Total Issues: 1
- Warning Issues: 1
🔍 Failure Condition Results
Passed Conditions
- global_fail_if: Condition passed
Issues by Category
Security (1)
⚠️ .github/workflows/release.yml:96 - The workflow uses a third-party GitHub Action (`WarpBuilds/cache@v1`) referenced by a mutable tag (`v1`). If an attacker compromises the action's repository and updates the `v1` tag to point to a malicious commit, the workflow could execute arbitrary code. This could lead to credential theft, code injection, or other supply chain attacks within the CI/CD pipeline. The same issue exists on line 530.
Powered by Visor from Probelabs
Annotations
Check warning on line 96 in .github/workflows/release.yml
probelabs / Visor: security
security Issue
The workflow uses a third-party GitHub Action (`WarpBuilds/cache@v1`) referenced by a mutable tag (`v1`). If an attacker compromises the action's repository and updates the `v1` tag to point to a malicious commit, the workflow could execute arbitrary code. This could lead to credential theft, code injection, or other supply chain attacks within the CI/CD pipeline. The same issue exists on line 530.
Raw output
Pin the action to a specific, immutable commit SHA instead of a tag. Replace `uses: WarpBuilds/cache@v1` with `uses: WarpBuilds/cache@<full-commit-hash>` after verifying the commit hash for the desired version in the source repository. This ensures the workflow always executes a specific, vetted version of the action.