Hi, I am Thibaud. I have been studying CI/CD security across open source projects and went through this repository's GitHub Actions. Two items are worth fixing, and I verified them on the current default branch.
Summary
Nine reusable workflow calls use secrets: inherit, and none of the actions are pinned to a commit SHA. Either one lets a single untrusted step reach more than it should.
Details
1. secrets: inherit (high)
9 reusable workflow calls pass the caller's full secret set into the called workflow rather than only what each needs. Replace with an explicit secrets: block.
2. No commit SHA pinning (high)
0 of ~20 uses: references are pinned to a SHA. They use mutable tags such as oven-sh/setup-bun@v1, actions/checkout@v4, actions/cache@v4, marocchino/sticky-pull-request-comment@v2 and actions/labeler@v5. Pin third party actions to a full commit SHA.
PoC
A moved tag or compromised action runs on the next workflow execution; because nearby calls inherit all secrets, that step can read credentials it never needed. Reference case: the tj-actions/changed-files compromise (CVE-2025-30066).
Impact
One untrusted or retagged action would execute with the job's permissions, and broad secret inheritance widens the blast radius. Maps to OWASP CICD-SEC-03 (dependency chain abuse) and CICD-SEC-04 (poisoned pipeline execution).
Found with the Plumber CLI (https://github.com/getplumber/plumber), verified on the current default branch, and can be continuously monitored via the CLI's GitHub Actions integration to help ensure the issue does not reappear.
Thibaud
Hi, I am Thibaud. I have been studying CI/CD security across open source projects and went through this repository's GitHub Actions. Two items are worth fixing, and I verified them on the current default branch.
Summary
Nine reusable workflow calls use
secrets: inherit, and none of the actions are pinned to a commit SHA. Either one lets a single untrusted step reach more than it should.Details
1.
secrets: inherit(high)9 reusable workflow calls pass the caller's full secret set into the called workflow rather than only what each needs. Replace with an explicit
secrets:block.2. No commit SHA pinning (high)
0 of ~20
uses:references are pinned to a SHA. They use mutable tags such asoven-sh/setup-bun@v1,actions/checkout@v4,actions/cache@v4,marocchino/sticky-pull-request-comment@v2andactions/labeler@v5. Pin third party actions to a full commit SHA.PoC
A moved tag or compromised action runs on the next workflow execution; because nearby calls inherit all secrets, that step can read credentials it never needed. Reference case: the
tj-actions/changed-filescompromise (CVE-2025-30066).Impact
One untrusted or retagged action would execute with the job's permissions, and broad secret inheritance widens the blast radius. Maps to OWASP CICD-SEC-03 (dependency chain abuse) and CICD-SEC-04 (poisoned pipeline execution).
Found with the Plumber CLI (https://github.com/getplumber/plumber), verified on the current default branch, and can be continuously monitored via the CLI's GitHub Actions integration to help ensure the issue does not reappear.
Thibaud