Skip to content

chore(deps): update renovatebot/github-action action to v46.1.17#239

Merged
open-turo-bot merged 1 commit into
mainfrom
c/renovate_all-ci-minor-patch
Jul 1, 2026
Merged

chore(deps): update renovatebot/github-action action to v46.1.17#239
open-turo-bot merged 1 commit into
mainfrom
c/renovate_all-ci-minor-patch

Conversation

@open-turo-bot

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
renovatebot/github-action action patch v46.1.16 -> v46.1.17

Release Notes

renovatebot/github-action (renovatebot/github-action)

v46.1.17

Compare Source

Documentation
  • update references to renovatebot/github-action to v46.1.16 (fe5fe9b)
Miscellaneous Chores
  • deps: update actions/cache action to v5.1.0 (68d0678)
  • deps: update dependency lint-staged to v17.0.8 (3596cfc)
  • deps: update linters (db46956)
  • deps: update node.js to v24.18.0 (8e54d20)
  • deps: update pnpm to v10.34.4 (d1252f8)
Build System
  • deps: lock file maintenance (732b1ba)
Continuous Integration
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.234.1 (9eec991)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.235.0 (25a2109)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.235.1 (0b81c4e)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.235.2 (b9dd808)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.236.0 (a637622)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.237.0 (27d53a3)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.237.1 (a51e52e)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.239.0 (d472559)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.240.0 (2738a4c)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.241.1 (61f9c07)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.241.5 (fc1a7e3)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.242.0 (279d0b5)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.242.1 (aca194e)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.242.2 (747d234)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.243.0 (cd474ba)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.243.1 (90faa1a)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.243.2 (16cb7c4)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.244.1 (6edf840)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.244.3 (f463e40)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.244.4 (759a191)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.245.0 (7625a0a)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.246.0 (0400fab)
  • deps: update ghcr.io/renovatebot/renovate docker tag to v43.246.1 (1837166)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@github-actions

Copy link
Copy Markdown

Release notes preview

No new release will be created.

If you are expecting a release, you will need to either fix a bug or add a feature.
Chores, CI, docs, refactoring, style and other changes will not trigger a release.

Comment thread action.yaml
if: inputs.checkout-repo == 'true'
- name: Renovatebot
uses: renovatebot/github-action@v46.1.16
uses: renovatebot/github-action@v46.1.17

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

renovatebot/github-action@v46.1.17 is a mutable third-party tag, so a retagged release could run attacker code with your GitHub, npm, Artifactory, and Terraform tokens.

More details about this

Renovatebot runs renovatebot/github-action@v46.1.17, which is a mutable tag in a third-party repository, not an immutable commit. If someone who can push to renovatebot/github-action retags v46.1.17 to a different commit, this workflow will start executing that new code with your provided secrets such as inputs.github-token, inputs.npm-token, inputs.npm-password, inputs.artifactory-password, and inputs.terraform-token.

Plausible exploit path:

  1. An attacker compromises the renovatebot/github-action repository or its release process.
  2. They move the v46.1.17 tag to a commit that adds a few lines inside the action to read the env vars passed here, such as RENOVATE_NPM_AUTH_TOKEN, RENOVATE_ARTIFACTORY_PASSWORD, and the token input.
  3. When this composite action runs the Renovatebot step, GitHub fetches the action by the tag v46.1.17, so it executes the attacker-controlled commit instead of the code you originally reviewed.
  4. The modified action can exfiltrate those values, for example by sending them in an HTTP request, and the attacker can then use the stolen github-token to modify repositories or the registry tokens to publish, read, or tamper with private packages and infrastructure modules.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: renovatebot/github-action@v46.1.17
uses: renovatebot/github-action@<full-commit-sha> # TODO: replace with the exact 40-character commit SHA for renovatebot/github-action v46.1.17
View step-by-step instructions
  1. Replace the third-party action reference so it is pinned to a full 40-character commit SHA instead of a version tag.
    Change uses: renovatebot/github-action@v46.1.17 to uses: renovatebot/github-action@<full-commit-sha>.

  2. Resolve the SHA from the exact action release you want to keep, such as the commit behind v46.1.17, and use that value in the uses line.
    A common pattern is uses: renovatebot/github-action@<40-char-sha> # v46.1.17 so the workflow stays immutable while still showing the intended release.

  3. Prefer pinning actions/checkout the same way if your repository policy requires all third-party actions to be immutable.
    GitHub tags can move, but a full commit SHA points to one exact action revision.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

You can view more details about this finding in the Semgrep AppSec Platform.

@open-turo-bot open-turo-bot merged commit c0a4cbc into main Jul 1, 2026
3 checks passed
@open-turo-bot open-turo-bot deleted the c/renovate_all-ci-minor-patch branch July 1, 2026 01:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants