chore(deps): update renovatebot/github-action action to v46.1.17#239
Conversation
Release notes previewNo new release will be created. If you are expecting a release, you will need to either fix a bug or add a feature. |
| if: inputs.checkout-repo == 'true' | ||
| - name: Renovatebot | ||
| uses: renovatebot/github-action@v46.1.16 | ||
| uses: renovatebot/github-action@v46.1.17 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
renovatebot/github-action@v46.1.17 is a mutable third-party tag, so a retagged release could run attacker code with your GitHub, npm, Artifactory, and Terraform tokens.
More details about this
Renovatebot runs renovatebot/github-action@v46.1.17, which is a mutable tag in a third-party repository, not an immutable commit. If someone who can push to renovatebot/github-action retags v46.1.17 to a different commit, this workflow will start executing that new code with your provided secrets such as inputs.github-token, inputs.npm-token, inputs.npm-password, inputs.artifactory-password, and inputs.terraform-token.
Plausible exploit path:
- An attacker compromises the
renovatebot/github-actionrepository or its release process. - They move the
v46.1.17tag to a commit that adds a few lines inside the action to read the env vars passed here, such asRENOVATE_NPM_AUTH_TOKEN,RENOVATE_ARTIFACTORY_PASSWORD, and thetokeninput. - When this composite action runs the
Renovatebotstep, GitHub fetches the action by the tagv46.1.17, so it executes the attacker-controlled commit instead of the code you originally reviewed. - The modified action can exfiltrate those values, for example by sending them in an HTTP request, and the attacker can then use the stolen
github-tokento modify repositories or the registry tokens to publish, read, or tamper with private packages and infrastructure modules.
To resolve this comment:
✨ Commit fix suggestion
| uses: renovatebot/github-action@v46.1.17 | |
| uses: renovatebot/github-action@<full-commit-sha> # TODO: replace with the exact 40-character commit SHA for renovatebot/github-action v46.1.17 |
View step-by-step instructions
-
Replace the third-party action reference so it is pinned to a full 40-character commit SHA instead of a version tag.
Changeuses: renovatebot/github-action@v46.1.17touses: renovatebot/github-action@<full-commit-sha>. -
Resolve the SHA from the exact action release you want to keep, such as the commit behind
v46.1.17, and use that value in theusesline.
A common pattern isuses: renovatebot/github-action@<40-char-sha> # v46.1.17so the workflow stays immutable while still showing the intended release. -
Prefer pinning
actions/checkoutthe same way if your repository policy requires all third-party actions to be immutable.
GitHub tags can move, but a full commit SHA points to one exact action revision.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.
You can view more details about this finding in the Semgrep AppSec Platform.
This PR contains the following updates:
v46.1.16->v46.1.17Release Notes
renovatebot/github-action (renovatebot/github-action)
v46.1.17Compare Source
Documentation
Miscellaneous Chores
Build System
Continuous Integration
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.