CI/CD Security: GitHub Actions using unpinned @master version #346

@evmparser

Description

Security Issue: Unpinned GitHub Actions

File: .github/workflows/linkchecker.yml

Problem

The linkchecker workflow uses actions/checkout@master, which is a security risk because:

  • The @master branch can receive breaking changes at any time without warning
  • Malicious code could be injected into the action's master branch by compromising the upstream repository
  • This creates supply chain security vulnerabilities
  • Builds become non-reproducible and unpredictable
  • For a cryptography SDK like this FHE project, supply chain security is critical

Using unpinned actions violates GitHub's security best practices and can lead to:

  • Unexpected workflow failures
  • Security vulnerabilities being introduced silently
  • Compromised build artifacts

Current Code

- uses: actions/checkout@master  # SECURITY RISK

Recommended Fix

Pin all GitHub Actions to specific version tags (e.g., actions/checkout@v4) or to full commit SHA hashes for maximum security. Version tags provide a balance between security and maintainability, but a tag can be moved by the upstream maintainers (or by an attacker who compromises them), so only a commit SHA is an immutable reference. For critical security workflows, consider pinning to commit SHA hashes and recording the corresponding tag in a comment for readability.

Recommended change:

- uses: actions/checkout@v4  # Pinned to stable version
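An added example (not code from this issue or from the relayer-sdk project) that audits a workflow for the pattern described above: it lists every `uses:` reference that points at a branch name or carries no ref at all, and optionally flags version tags when a SHA-only policy is enforced. The embedded workflow text and the 40-hex SHA in it are constructed for the demonstration.

```python
import re

# Constructed sample workflow mirroring the linkchecker.yml pattern from the issue.
# The SHA below is a placeholder, not a real actions/cache commit.
SAMPLE_WORKFLOW = """\
name: linkchecker
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master  # SECURITY RISK
      - uses: actions/setup-node@v4
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# Capture the reference after `uses:` up to whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)', re.MULTILINE)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
BRANCH_NAMES = {"master", "main", "develop", "dev", "trunk"}


def classify(ref):
    """Return 'sha', 'tag', 'branch', 'unpinned', 'local' or 'docker' for a uses: ref."""
    if ref.startswith("./"):
        return "local"          # action in this repo, pinned by the checkout itself
    if ref.startswith("docker://"):
        return "docker"         # image refs have their own digest pinning rules
    if "@" not in ref:
        return "unpinned"       # no ref at all resolves to the default branch
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return "sha"            # immutable: the only reference that cannot move
    if version in BRANCH_NAMES:
        return "branch"         # mutable and tracks upstream HEAD, as in the issue
    return "tag"                # mutable: maintainers (or an attacker) can move it


def audit(workflow_text, require_sha=False):
    """Return (ref, kind) for every uses: reference that violates the pinning policy."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        kind = classify(ref)
        if kind in ("branch", "unpinned") or (require_sha and kind == "tag"):
            findings.append((ref, kind))
    return findings
```

Running `audit(SAMPLE_WORKFLOW)` reports only the `@master` checkout; `audit(SAMPLE_WORKFLOW, require_sha=True)` also reports the `@v4` tag, which is the stricter policy the issue suggests for critical workflows.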

References


This issue is part of a comprehensive CI/CD security audit of the relayer-sdk project.
