Skip to content

fix: extract 1 unsafe expression(s) to env vars#154414

Open
dagecko wants to merge 1 commit intorust-lang:mainfrom
dagecko:runner-guard/fix-ci-security
Open

fix: extract 1 unsafe expression(s) to env vars#154414
dagecko wants to merge 1 commit intorust-lang:mainfrom
dagecko:runner-guard/fix-ci-security

Conversation

@dagecko
Copy link

@dagecko dagecko commented Mar 26, 2026

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

Rule Severity File Description
RGS-002 high .github/workflows/ghcr.yml Extracted 1 unsafe expression(s) to env vars

Advisory: additional findings (manual review recommended)

| Rule | Severity | File | Description |
| RGS-018 | high | .github/workflows/ci.yml | Suspicious Payload Execution Pattern |
| RGS-012 | high | .github/workflows/ci.yml | Secret Exfiltration via Outbound HTTP Request |

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
    run: blocks into env: mappings, preventing shell injection
  • SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
    (original version tag preserved as comment)
  • Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
    which leak secrets in workflow logs

Run brew install Vigilant-LLC/tap/runner-guard && runner-guard scan . or install from the
repo to verify.

Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

@dagecko
fix: extract 1 unsafe expression(s) to env vars
f83c238 
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/ghcr.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
@rustbot rustbot added A-CI Area: Our Github Actions CI S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-infra Relevant to the infrastructure team, which will review and decide on the PR/issue. labels Mar 26, 2026
@rustbot
Copy link
Collaborator

rustbot commented Mar 26, 2026

r? @marcoieni

rustbot has assigned @marcoieni.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: infra-ci
  • infra-ci expanded to Kobzol, Mark-Simulacrum, jdno, jieyouxu, marcoieni
  • Random selection from Mark-Simulacrum, jdno, jieyouxu, marcoieni

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@marcoieni marcoieni

Labels

A-CI Area: Our Github Actions CI S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-infra Relevant to the infrastructure team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dagecko @rustbot @marcoieni