chore(deps): update actions/checkout action to v7#203
Conversation
Release notes previewNo new release will be created. If you are expecting a release, you will need to either fix a bug or add a feature. |
325a481 to
4b21806
Compare
4b21806 to
1a92539
Compare
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
actions/checkout@v7 uses a movable tag, so a repointed tag could make this workflow run attacker-controlled code.
More details about this
actions/checkout is referenced as @v7, which is a movable tag, not a fixed commit. If the owner of actions/checkout or anyone who compromises that repository repoints v7 to a different commit, this Checkout step will run that new code the next time this workflow executes.
A plausible attack is: 1) an attacker gains control of the actions/checkout repository or its release process and moves the v7 tag to a malicious commit; 2) this workflow reaches the Checkout step and downloads that attacker-controlled code because it uses actions/checkout@v7; 3) the malicious action runs before later steps such as Build and Release, so it can read values passed through the workflow like ${{ inputs.npm-auth-token }}, ${{ inputs.npm-token }}, or other repository-scoped secrets available to the job; 4) it can then exfiltrate those credentials over the network or modify the checked-out repository contents to affect what the later open-turo/actions-node/build@v7 and open-turo/actions-release/semantic-release@v5 steps operate on.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/checkout@v7 | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 |
View step-by-step instructions
-
Replace the mutable action reference with a full 40-character commit SHA instead of the version tag.
Changeuses: actions/checkout@v7touses: actions/checkout@<full-commit-sha>. -
Get the SHA for the exact action version you want to keep using.
Open theactions/checkoutrelease for the version you intend to use, find the commit behind that release, and copy the full 40-character SHA. -
Keep the version in a comment so future updates are easier to manage.
For example, useuses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0. -
Repeat the same pinning pattern for any other third-party
uses:entries in this workflow or composite action that currently use a tag or branch.
GitHub resolvesuses:by ref, and only a full commit SHA prevents the referenced code from changing silently.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
You can view more details about this finding in the Semgrep AppSec Platform.
| echo "sha=$sha" >> $GITHUB_OUTPUT | ||
|
|
||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@v7 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
actions/checkout@v7 uses a movable tag, so if v7 is repointed, this workflow can run attacker-controlled action code.
More details about this
actions/checkout is referenced with the mutable tag @v7 in - uses: actions/checkout@v7. Because this workflow later checks out ${{ steps.source-vars.outputs.branch }} from push, repository_dispatch, or pull request events, anyone who can repoint what v7 resolves to can change the code that runs before your repository is checked out.
A plausible attack looks like this:
- An attacker compromises the
actions/checkoutrelease process or gains permission to move thev7tag. - They repoint
v7to a new commit that adds malicious logic to the checkout action. - Your workflow runs
uses: actions/checkout@v7, so GitHub fetches the attacker's new action code instead of the version you previously reviewed. - That action runs in this job with access to workflow data such as
${{ github.sha }},${{ github.ref_name }}, and any job token or secrets available to the checkout step. - The malicious action can then exfiltrate the repository contents being checked out from
ref: ${{ steps.source-vars.outputs.branch }}, read CI credentials, or push back changes using the job's token.
Because v7 is only a tag name, this change can happen silently without any diff in your repository.
To resolve this comment:
✨ Commit fix suggestion
| - uses: actions/checkout@v7 | |
| - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # actions/checkout v4 |
View step-by-step instructions
- Replace the mutable action reference
actions/checkout@v7with a full 40-character commit SHA for the exact release you want to trust, for exampleactions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608. - Get the correct SHA from the
actions/checkoutrelease or repository page, and copy the commit hash that corresponds to the version you intended to use. Do not use a tag like@v7,@v4, or a branch name. - Update the workflow step so only the
uses:value changes, while keeping the existingwith:settings such asfetch-depthandref. - If this checkout is supposed to use the exact commit selected earlier in the workflow, change
ref: ${{ steps.source-vars.outputs.branch }}toref: ${{ steps.source-vars.outputs.sha }}. This avoids checking out a branch name that can move to a different commit after the workflow starts.
Alternatively, if you must stay aligned with an upstream release process, pin to the release commit SHA and add a comment beside it noting the human-friendly version, such as uses: actions/checkout@<full-sha> # actions/checkout v4.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
You can view more details about this finding in the Semgrep AppSec Platform.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
actions/checkout@v7 uses a mutable tag, so a retagged release could silently run attacker-controlled code in the Checkout step.
More details about this
The Checkout step runs actions/checkout@v7, which is a movable tag instead of a fixed commit. If the owner of actions/checkout ever repoints v7 to a different commit, this workflow will start running that new code automatically before later steps use ${{ github.token }}, read the repository, and restore caches.
A plausible attack looks like this:
- An attacker compromises the
actions/checkoutrelease process or gains permission to retagv7. - They move
v7to a commit that adds malicious code to the action. - When this composite action reaches the
Checkoutstep, GitHub pulls and runs the attacker-controlledactions/checkout@v7code. - That code can use the available
${{ github.token }}and the checked-out repository contents, then exfiltrate source code or modify what later steps likeopen-turo/action-setup-tools@v3and dependency installation operate on. - Because the workflow still says
@v7, the change can happen silently without any diff in this repository.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/checkout@v7 | |
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 |
View step-by-step instructions
- Replace the mutable ref
actions/checkout@v7with a full 40-character commit SHA for the exact action version you want to trust, for exampleuses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608. - Get the correct SHA from the
actions/checkoutrelease you intend to use by opening thev7release or tag in GitHub and copying the full commit hash behind that ref. - Update the workflow step to use only the pinned SHA in the
uses:value, not the tag and SHA together. This prevents the action from changing if the tag is later moved. - Repeat the same fix for the other third-party actions in this file, such as
open-turo/action-setup-tools@v3,andstor/file-existence-action@v3, andeverpcpc/actions-cache@v3, by replacing each tag with its full commit SHA. - Manually verify that the workflow still uses the expected action versions by checking each pinned SHA resolves to the intended repository and release page on GitHub.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
You can view more details about this finding in the Semgrep AppSec Platform.
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@v7 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
actions/checkout@v7 uses a movable tag, so if v7 is repointed this workflow could run attacker-controlled code without any change in this repo.
More details about this
actions/checkout@v7 is pulled by a mutable tag instead of a fixed commit. If the owner of actions/checkout or anyone who compromises that repository repoints v7, this Update dependencies workflow will run different code the next time the scheduled job, workflow_dispatch, issue_comment, or pull_request event triggers.
A plausible attack looks like this:
- An attacker gains control of the
actions/checkoutrepository, or of whatever account can move thev7tag. - They repoint
v7to a malicious commit that still looks like a normal checkout action. - Your
Checkoutstep runsuses: actions/checkout@v7, so GitHub fetches the attacker-controlled code automatically. - That code executes in this job before
open-turo/action-renovate@v1, giving it access to the job workspace and any data available to the workflow, including${{ secrets.OPEN_TURO_GITHUB_TOKEN }}if later steps expose it through the environment or Git operations. - The malicious action can then modify checked-out files, exfiltrate repository contents, or make authenticated API calls as this workflow run.
Because v7 can be changed silently without any workflow file diff in this repository, reviewers would not see the attack here before the next run executes it.
To resolve this comment:
✨ Commit fix suggestion
| uses: actions/checkout@v7 | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
View step-by-step instructions
-
Replace the mutable ref in the workflow step with a full 40-character commit SHA for the exact
actions/checkoutrelease you want to use.
Changeuses: actions/checkout@v7touses: actions/checkout@<full-40-character-commit-sha>. -
Get the correct SHA from the
actions/checkoutrelease you intend to keep using.
Open thev7release page foractions/checkout, copy the commit SHA for that release, and use the full value instead of the tag. -
Keep the action version readable by adding a comment next to the pinned SHA if needed.
For example:uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0. -
Update Dependabot or Renovate configuration, if you use one, so pinned GitHub Action SHAs continue to get bumped automatically.
This keeps the workflow secure without switching back to mutable tags.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
You can view more details about this finding in the Semgrep AppSec Platform.
This PR contains the following updates:
v6->v7Release Notes
actions/checkout (actions/checkout)
v7Compare Source
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.