From 41228a050a4bba33d6637b8d1d94935cf3b56182 Mon Sep 17 00:00:00 2001
From: Sayo Ogunlegan
Date: Wed, 29 Oct 2025 13:18:51 -0400
Subject: [PATCH] fix(ci): pin sh-checker action and restrict workflow permissions

Pin luizm/action-sh-checker from @master to @v0.9.0 to prevent automatic execution of potentially malicious upstream commits. Using a mutable branch reference like @master creates a supply chain attack vector where any new code pushed upstream would run in our CI without review.

Additionally, add contents: read permission to the shell job following the principle of least privilege. This restricts the workflow to only the permissions it needs to checkout and lint shell scripts.

Changes:
- Pin luizm/action-sh-checker to v0.9.0 (vetted release)
- Add explicit permissions: contents: read to shell job
- Preserve all existing functionality (shfmt, shellcheck options)
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8fa11f64..9657502a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,11 +8,13 @@ on:
 
 jobs:
   shell:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Run sh-checker
-        uses: luizm/action-sh-checker@master
+        uses: luizm/action-sh-checker@v0.9.0
         env:
           SHFMT_OPTS: -i 2 -d
           SHELLCHECK_OPTS: -e SC2148,SC2034
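Review bot: The new `uses: luizm/action-sh-checker@v0.9.0` line closes the branch-tracking hole the message describes, but a tag is still a mutable ref — whoever controls the upstream repository can re-point `v0.9.0` at different code and this job will run it unchanged. The commit's own stated goal (no unreviewed upstream code runs in CI) is only met by pinning the resolved 40-character commit SHA and keeping the tag as a trailing comment, e.g. `uses: luizm/action-sh-checker@<full-commit-sha-of-v0.9.0>  # v0.9.0`, which Dependabot/Renovate can then bump with a reviewable diff. The same consideration applies to the unchanged `actions/checkout@v4` context line two lines above, so both are worth doing in one pass. The job-level `permissions: contents: read` only narrows the token for the `shell` job; unless the workflow already sets a top-level `permissions:` block (not visible in this hunk, which starts at line 8), any other jobs in the file keep the repository-default token scope.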