fix: pin 4 unpinned action(s),extract 3 unsafe expression(s) to env vars #1106

Closed
dagecko wants to merge 1 commit into f:main from dagecko:runner-guard/fix-ci-security

@dagecko dagecko commented Mar 26, 2026

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

| Rule | Severity | File | Description |
|------|----------|------|-------------|
| RGS-007 | high | .github/workflows/docker-publish.yml | Pinned 4 third-party action(s) to commit SHA |
| RGS-002 | high | .github/workflows/reset-credits.yml | Extracted 1 unsafe expression(s) to env vars |
| RGS-002 | high | .github/workflows/spam-check.lock.yml | Extracted 2 unsafe expression(s) to env vars |

Advisory: additional findings (manual review recommended)

| Rule | Severity | File | Description |
|------|----------|------|-------------|
| RGS-012 | high | .github/workflows/reset-credits.yml | Secret Exfiltration via Outbound HTTP Request |

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
    run: blocks into env: mappings, preventing shell injection
  • SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
    (original version tag preserved as comment)
  • Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
    which leak secrets in workflow logs

Run `brew install Vigilant-LLC/tap/runner-guard && runner-guard scan .` or install from the
repo to verify.


Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflows for enhanced security practices and improved action references.

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/docker-publish.yml  | 8 ++++----
 .github/workflows/reset-credits.yml   | 5 ++++-
 .github/workflows/spam-check.lock.yml | 6 ++++--
 3 files changed, 12 insertions(+), 7 deletions(-)

coderabbitai bot commented Mar 26, 2026

📝 Walkthrough

GitHub Actions workflows were updated across three files: version tag references were replaced with commit-SHA references in the Docker publish workflow, the reset-credits workflow now uses environment variables for secret handling, and the spam-check workflow introduces explicit GitHub token environment variable management for Git operations.

Changes

| Cohort / File(s) | Summary |
|------------------|---------|
| GitHub Workflows: .github/workflows/docker-publish.yml, .github/workflows/reset-credits.yml, .github/workflows/spam-check.lock.yml | Updated action references and credential handling patterns across workflows: docker-publish.yml switched GitHub Actions from version tags to commit-SHA references; reset-credits.yml refactored Authorization header to use environment variable instead of inline secret reference; spam-check.lock.yml introduced explicit GITHUB_TOKEN environment variable setup for Git authentication commands. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop, hop, the workflows align!
Commits and secrets now look so fine.
No version tags, just hashes true—
Environment variables old made new!
Security strengthens with each small change,
Configuration gardens rearrange! 🌿

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|------------|--------|-------------|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: pinning unpinned actions and extracting unsafe expressions to environment variables, which are the core security fixes in this PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/spam-check.lock.yml (1)

16-16: ⚠️ Potential issue | 🟡 Minor

Auto-generated file: Security fixes may be overwritten on regeneration.

This file is marked as auto-generated by gh-aw with a "DO NOT EDIT" instruction. The security fixes applied in the compiled workflow (extracting ${{ github.token }} expressions to env variables at lines 295-301 and 762-768) exist only in this .lock.yml file, not in the source .github/workflows/spam-check.md specification. When regenerated via gh aw compile, these fixes will be lost unless the gh-aw tool itself implements this security pattern.

Either:

  1. Contribute the Runner Guard security pattern to the gh-aw tooling so all generated workflows include it by default
  2. Document this as a required post-generation security patching step with a script or checklist

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/spam-check.lock.yml at line 16, The generated workflow
lock file contains ad-hoc security fixes (extraction of `${{ github.token }}` to
env vars) that will be lost on regeneration by gh-aw; either update the gh-aw
generator to implement the "Runner Guard" security pattern so compiled outputs
always replace direct `${{ github.token }}` usages with environment variables
(preserve this behavior in the gh-aw compile step), or add a post-generation
step/script that patches the compiled spam-check.lock.yml (looking for `${{
github.token }}` occurrences in the compiled output) to move tokens into env
variables and inject the necessary guard logic; ensure the fix is applied
automatically after `gh-aw compile` so the security change is not overwritten.

🧹 Nitpick comments (1)
.github/workflows/docker-publish.yml (1)

48-48: Consider automating SHA refresh for pinned actions.

With strict SHA pinning, updates can silently lag. Consider enabling Dependabot/Renovate for GitHub Actions so security patches are proposed automatically.

Also applies to: 51-51, 59-59, 69-69

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-publish.yml at line 48, The workflow pins several
actions by SHA (e.g.,
docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f and the
other uses: entries at lines 51, 59, 69) which can silently fall behind; enable
automated updates by adding Dependabot (or Renovate) for GitHub Actions (create
a .github/dependabot.yml with package-ecosystem: "github-actions" and
appropriate schedule) so PRs are opened to refresh those SHAs regularly, or
alternatively switch to a stable tag/pinned major if automation is not desired.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7af08777-1172-443b-b293-4e77bccee0a8

📥 Commits

Reviewing files that changed from the base of the PR and between 3a17b27 and 4fe8eca.

📒 Files selected for processing (3)
  • .github/workflows/docker-publish.yml
  • .github/workflows/reset-credits.yml
  • .github/workflows/spam-check.lock.yml
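
The two mechanical checks discussed in this thread (actions not pinned to a commit SHA, and `${{ }}` expressions inside `run:` blocks), in the form of the post-generation check the review asks for on compiled workflows. This is an added example, not Runner Guard's or the repository's code: a simplified line-based scan rather than a full YAML parser, with the function name, finding labels and every value in the sample workflow constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
EXPR = re.compile(r"\$\{\{.*?\}\}")
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")

def scan_workflow(text):
    """Return (line_no, finding, detail) tuples for one workflow file's text."""
    findings, run_col = [], None  # run_col: column of `run:` while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_col:
                run_col = None  # dedent: the script body has ended
            else:
                findings += [(no, "expr-in-run", e) for e in EXPR.findall(line)]
                continue
        if m := USES.match(line):
            ref = m.group(1).strip("'\"")
            local = ref.startswith(("./", "docker://"))  # not a repository ref, skipped
            if not local and not SHA_PIN.search(ref):
                findings.append((no, "unpinned-action", ref))
        elif m := RUN.match(line):
            body = m.group(2)
            if body.startswith(("|", ">")):  # multi-line script follows
                run_col = len(m.group(1))
            else:
                findings += [(no, "expr-in-run", e) for e in EXPR.findall(body)]
    return findings

# Constructed sample workflow; action name, SHA and URL are placeholders.
SAMPLE = """\
steps:
  - uses: example-org/setup-tool@v3
  - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v3
  - uses: ./local-action
  - run: |
      curl -H "Authorization: Bearer ${{ secrets.API_KEY }}" https://example.invalid/reset
      echo done
    env:
      NOTE: ${{ github.ref }}
  - env:
      API_KEY: ${{ secrets.API_KEY }}
    run: curl -H "Authorization: Bearer $API_KEY" https://example.invalid/reset
"""

if __name__ == "__main__":
    print(*scan_workflow(SAMPLE), sep="\n")
```

Expressions under `env:` are not reported, since that is the extracted form the PR moves them to; only those interpolated into the script text are.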

@dagecko dagecko closed this by deleting the head repository Mar 26, 2026

dagecko commented Mar 28, 2026

Resubmitted as #1109. Had a problem with my fork, apologies for the noise.
