Merged
4 changes: 2 additions & 2 deletions .github/workflows/bake-blueprints.yaml
Expand Up @@ -57,14 +57,14 @@ jobs:
steps:
# Checkout the wiki generator that we use to bake blueprints
- name: Checkout Brewlan Wikigen Repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
repository: The-Balthazar/BrewWikiGen
path: ./brew-wiki-gen

# Checkout the FA repository
- name: Checkout FAF Repository
uses: actions/checkout@v4
uses: actions/checkout@v6
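Review bot: the BrewWikiGen checkout pulls a third-party repository at whatever its default branch points to at run time, since no `ref:` appears in the visible lines, and that generator is what the job then runs to bake blueprints; that is a larger supply-chain exposure than the moving tag on the action itself. Pin it with a `ref:` set to a reviewed commit of The-Balthazar/BrewWikiGen (or confirm a `ref:` already sits below the shown lines), and when the two `uses:` refs are pinned to commit SHAs keep a trailing `# v6` comment so Dependabot can continue to propose updates against the pinned hash.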
Comment on lines +60 to +67


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow and search for SHA-pinning policy references.
git ls-files .github/workflows/bake-blueprints.yaml .github/workflows | sed 's#^`#FILE` #'
printf '\n--- bake-blueprints excerpt ---\n'
nl -ba .github/workflows/bake-blueprints.yaml | sed -n '45,85p'

printf '\n--- workflow policy search ---\n'
rg -n --hidden -S "SHA pin|pin.*SHA|actions/checkout@v|uses: .*`@v`[0-9]+|immutable SHAs|tag retarget" .github README.md . || true

Repository: FAForever/fa

Length of output: 1683


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find whether actions/checkout is referenced elsewhere and whether SHAs are already used in workflows.
rg -n --hidden -S "actions/checkout@" .github . || true
printf '\n--- workflow files ---\n'
git ls-files '.github/workflows/*' | sed 's#^`#FILE` #'

Repository: FAForever/fa

Length of output: 6094


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Read the relevant workflow slice without relying on nl.
sed -n '52,72p' .github/workflows/bake-blueprints.yaml

Repository: FAForever/fa

Length of output: 781


Pin both checkout steps to immutable SHAs. actions/checkout@v6 is still a mutable tag and can be retargeted; replace both refs with full commit SHAs and keep # v6 if you want the version hint.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 60-60: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 67-67: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/bake-blueprints.yaml around lines 60 - 67, both checkout
steps are still using the mutable actions/checkout@v6 tag, so update each uses
reference in the workflow to a full immutable commit SHA instead of the tag, and
keep the # v6 hint only as a comment if desired. Make the change in both
checkout entries so the BrewWikiGen and FAF repository checkouts are pinned
consistently.

Source: Linters/SAST tools

with:
ref: ${{ inputs.reference }}
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
4 changes: 2 additions & 2 deletions .github/workflows/deploy-faf.yaml
Expand Up @@ -39,9 +39,9 @@ jobs:
runs-on: ubuntu-latest
environment: deploy/faf
steps:
# https://github.com/actions/checkout/tree/v4/
# https://github.com/actions/checkout/tree/v6/
- name: Checkout FA repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
repository: FAForever/fa
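Review bot: `ssh-key` combined with checkout's default `persist-credentials: true` leaves the SSH_FAFOREVER_MACHINE_USER deploy key configured in the checkout for every later step of the job. That is required if a later step pushes from this checkout, which a job in the `deploy/faf` environment usually does; if this job only reads, add `persist-credentials: false` under `with:` so the key is used for the clone and then discarded rather than staying available to every subsequent step.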
6 changes: 3 additions & 3 deletions .github/workflows/deploy-fafbeta.yaml
Expand Up @@ -55,9 +55,9 @@ jobs:
needs: [test, changelog-lua]
runs-on: ubuntu-latest
steps:
# https://github.com/actions/checkout/tree/v4/
# https://github.com/actions/checkout/tree/v6/
- name: Checkout FA repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
ref: staging/fafbeta
Expand Down Expand Up @@ -96,7 +96,7 @@ jobs:
run: rm -f lua/ui/lobby/changelog/generated/*

- name: Retrieve generated lua changelog
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: lua_changelog
path: lua/ui/lobby/changelog/generated
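Review bot: download-artifact v4 and later can only retrieve artifacts produced by upload-artifact v4 and later (the v3 artifact API was retired in early 2025), so producer and consumer majors have to move together. This PR bumps the producer of `lua_changelog` in docs-convert-changelog.yaml to upload-artifact@v7 in the same change, which is the right pairing; confirm no other workflow still uploads `lua_changelog` with an older major, and pin this ref to a commit SHA with a `# v7` comment as the zizmor findings on the other files in this PR call for.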
6 changes: 3 additions & 3 deletions .github/workflows/deploy-fafdevelop.yaml
Expand Up @@ -55,9 +55,9 @@ jobs:
needs: [test, changelog-lua]
runs-on: ubuntu-latest
steps:
# https://github.com/actions/checkout/tree/v4/
# https://github.com/actions/checkout/tree/v6/
- name: Checkout FA repository
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
ref: staging/fafdevelop
Expand Down Expand Up @@ -96,7 +96,7 @@ jobs:
run: rm -f lua/ui/lobby/changelog/generated/*

- name: Retrieve generated lua changelog
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: lua_changelog
path: lua/ui/lobby/changelog/generated
10 changes: 5 additions & 5 deletions .github/workflows/docs-build.yml
Expand Up @@ -71,7 +71,7 @@ jobs:
working-directory: docs
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
sparse-checkout: |
docs
Expand All @@ -86,14 +86,14 @@ jobs:
- name: Download artifact changelog of FAF Develop
# No artifact exists when there are no snippets to process
continue-on-error: true
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: changelog-fafdevelop
path: docs/generated

- name: Download artifact changelog of FAF Beta
continue-on-error: true
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: changelog-fafbeta
path: docs/generated
Expand Down Expand Up @@ -126,7 +126,7 @@ jobs:

- name: Setup Pages
id: pages
uses: actions/configure-pages@v5
uses: actions/configure-pages@v6

- name: Build with Jekyll
# Outputs to the './_site' directory by default
Expand All @@ -149,4 +149,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@v5
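Review bot: deploy-pages authenticates to the Pages service with an OIDC token, so the job must grant `pages: write` and `id-token: write`; those permissions are outside the hunk, so confirm the deploy job still declares both after the bump to v5, and that the workflow-level `permissions` block does not hand the same write scopes to the build jobs that only need to read. As with the other action refs in this PR, prefer a commit SHA with a `# v5` comment over the moving tag.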
14 changes: 7 additions & 7 deletions .github/workflows/docs-convert-changelog.yaml
Expand Up @@ -41,7 +41,7 @@ jobs:
echo "SCRIPTS=.github/workflows/scripts/python" >> $GITHUB_ENV

- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow and any repo guidance about action pinning.
git ls-files .github/workflows/docs-convert-changelog.yaml .github/workflows README.md .github | sed -n '1,120p'
echo '--- workflow outline ---'
ast-grep outline .github/workflows/docs-convert-changelog.yaml --view expanded || true
echo '--- relevant lines ---'
nl -ba .github/workflows/docs-convert-changelog.yaml | sed -n '1,170p'
echo '--- pinning guidance search ---'
rg -n "pin(ned|ning)|immutable SHA|actions/checkout|zizmor|unpinned-uses" .github README.md .github/workflows -S || true

Repository: FAForever/fa

Length of output: 2065


🏁 Script executed:

#!/bin/bash
set -euo pipefail

nl -ba .github/workflows/docs-convert-changelog.yaml | sed -n '35,135p'
printf '\n---\n'
rg -n "uses:\s*" .github/workflows/docs-convert-changelog.yaml -n -S
printf '\n---\n'
rg -n "pin(ned|ning)|immutable SHA|actions/checkout|zizmor|unpinned-uses" .github README.md .github/workflows -S || true

Repository: FAForever/fa

Length of output: 190


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- docs-convert-changelog workflow excerpt ---'
sed -n '35,145p' .github/workflows/docs-convert-changelog.yaml

echo
echo '--- action uses in file ---'
python3 - <<'PY'
from pathlib import Path
for i, line in enumerate(Path('.github/workflows/docs-convert-changelog.yaml').read_text().splitlines(), 1):
    if 'uses:' in line:
        print(f"{i}: {line}")
PY

echo
echo '--- repo guidance search ---'
rg -n "pin(ned|ning)|immutable SHA|action.*pin|supply-chain|zizmor|unpinned-uses" .github README.md .github/workflows -S || true

Repository: FAForever/fa

Length of output: 3565


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
path = Path('.github/workflows/docs-convert-changelog.yaml')
for i, line in enumerate(path.read_text().splitlines(), 1):
    if 35 <= i <= 145:
        print(f"{i:4d}: {line}")
PY

echo
echo '--- action uses in file ---'
python3 - <<'PY'
from pathlib import Path
for i, line in enumerate(Path('.github/workflows/docs-convert-changelog.yaml').read_text().splitlines(), 1):
    if 'uses:' in line:
        print(f"{i}: {line}")
PY

echo
echo '--- repo guidance search ---'
rg -n "pin(ned|ning)|immutable SHA|action.*pin|supply-chain|zizmor|unpinned-uses" .github README.md .github/workflows -S || true

Repository: FAForever/fa

Length of output: 4099


Pin the GitHub Actions to immutable SHAs.

actions/checkout@v6, actions/download-artifact@v7, actions/setup-python@v6, and actions/upload-artifact@v7 at lines 44, 56, 69, 81, 102, 119, and 125 are still mutable tags and can be retargeted unexpectedly.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 44-44: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docs-convert-changelog.yaml at line 44, the workflow still
uses mutable GitHub Actions tags in the docs-convert-changelog job, so update
each referenced action to an immutable commit SHA instead of the current version
tag. Replace the usages of actions/checkout, actions/download-artifact,
actions/setup-python, and actions/upload-artifact in this workflow with pinned
SHAs at every step where they appear, keeping the same action intent while
locking the exact revision.

Source: Linters/SAST tools

with:
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
ref: ${{ inputs.branch }}
Expand All @@ -53,7 +53,7 @@ jobs:

- name: Download develop changelog
if: inputs.additional-changelog == 'fafdevelop'
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: changelog-fafdevelop

Expand All @@ -66,7 +66,7 @@ jobs:

- name: Download beta changelog
if: inputs.additional-changelog == 'fafbeta'
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: changelog-fafbeta

Expand All @@ -78,7 +78,7 @@ jobs:
cat changelog-fafbeta.md >> $FILE

- name: Setup python
uses: actions/setup-python@v5
uses: actions/setup-python@v6
with:
python-version: '3.8'
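Review bot: `python-version: '3.8'` selects an interpreter that reached end of life in October 2024 and receives no security fixes; setup-python@v6 may still be able to fetch it, but that is not something to rely on. Check the scripts this job runs under `.github/workflows/scripts/python` (changelog_overview.py among them) against a supported release and bump the version, or at minimum confirm a fresh run of this job still resolves 3.8 on ubuntu-latest before treating the v6 bump as done.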

Expand All @@ -99,7 +99,7 @@ jobs:
python3 $SCRIPTS/changelog_overview.py "docs/_posts" "${out_dir}/overview.lua"

- name: Add the Lua changelog as an artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: lua_changelog
path: |
Expand All @@ -116,13 +116,13 @@ jobs:
apk add bash git findutils

- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
sparse-checkout: |
tests/run-syntax-test.sh

- name: Download the Lua changelog artifact
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: lua_changelog

6 changes: 3 additions & 3 deletions .github/workflows/docs-generate-changelog.yaml
Expand Up @@ -50,14 +50,14 @@ jobs:
# We check out the scripts separate because the branch that we use to
# generate the changelog may not contain the scripts that we want to work with.
- name: Checkout scripts
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
path: scripts
sparse-checkout: |
.github/workflows/scripts/bash

- name: Checkout snippets
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
# We need to check out the fork repo when the PR branch is on a fork.
repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
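Review bot: this step checks out the PR head, which on a fork PR is content the base maintainers have not reviewed; keeping the scripts in a separate base-repository checkout, as the comment above explains, is the right split, but the fork tree must then be treated as data only. Add `persist-credentials: false` to this step so the job's token is not written into the fork checkout, make sure nothing later executes files from the snippets path, and confirm which event triggers the workflow: under `pull_request_target` this job would hold secrets and a write-capable token alongside fork-controlled content, which is exactly the combination that needs the split to be strict.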
Expand Down Expand Up @@ -90,7 +90,7 @@ jobs:
changelog-combine.sh "$NAME"

- name: Add the changelog as an artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: ${{ env.NAME }}
path: |
2 changes: 1 addition & 1 deletion .github/workflows/docs-spelling-check.yaml
Expand Up @@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
sparse-checkout: |
docs
4 changes: 2 additions & 2 deletions .github/workflows/docs-synchronize-changelog.yaml
Expand Up @@ -54,7 +54,7 @@ jobs:
steps:

- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
ref: ${{ inputs.branch || github.head_ref || github.ref_name }}
Expand All @@ -63,7 +63,7 @@ jobs:
run: rm -f lua/ui/lobby/changelog/generated/*

- name: Retrieve generated lua changelog
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: lua_changelog
path: lua/ui/lobby/changelog/generated
2 changes: 1 addition & 1 deletion .github/workflows/docs-url-check.yaml
Expand Up @@ -36,7 +36,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
sparse-checkout: |
docs
8 changes: 4 additions & 4 deletions .github/workflows/etfreeman-db-update.yaml
Expand Up @@ -38,18 +38,18 @@ jobs:
needs: [build]
runs-on: ubuntu-latest
steps:
# https://github.com/actions/checkout/tree/v4/
# https://github.com/actions/checkout/tree/v6/
- name: Checkout etfreeman-db code
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
repository: FAForever/etfreeman-db
path: gh-pages
ref: gh-pages
ssh-key: ${{ secrets.ETFREEMAN_DB_DEPLOYMENT_KEY }}

# https://github.com/actions/download-artifact/tree/v4/
# https://github.com/actions/download-artifact/tree/v7/
- name: Download recent build artifact
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: etfreeman-db-dist
path: dist
4 changes: 2 additions & 2 deletions .github/workflows/prepare-release.yaml
Expand Up @@ -84,7 +84,7 @@ jobs:
git commit -m "Bump game version to ${{ steps.version.outputs.version }}"

- name: Download changelog artifact
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '70,140p' .github/workflows/prepare-release.yaml

Repository: FAForever/fa

Length of output: 2974


Pin both workflow actions to commit SHAs.

actions/download-artifact@v7 and actions/github-script@v8 are mutable tags; pinning them to immutable commit digests avoids supply-chain drift.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 87-87: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/prepare-release.yaml at line 87, the workflow uses mutable
action tags, so pin both actions to immutable commit SHAs instead of version
tags. Update the references for actions/download-artifact and
actions/github-script in the prepare-release workflow to their commit digests,
keeping the same step structure and identifiers so the workflow behavior stays
unchanged.

Source: Linters/SAST tools

with:
name: changelog-faf
path: changelog/snippets
Expand Down Expand Up @@ -125,7 +125,7 @@ jobs:
# The push also triggers docs-synchronize-changelog.yaml

- name: Create Pull Request
uses: actions/github-script@v7
uses: actions/github-script@v8
with:
script: |
const version = "${{ steps.version.outputs.version }}";
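Review bot: `const version = "${{ steps.version.outputs.version }}";` splices the step output into the JavaScript source by text substitution before the script runs, so a quote or newline in that value changes the program rather than the string. Pass it through the environment instead:
env:
  VERSION: ${{ steps.version.outputs.version }}
and read it with `const version = process.env.VERSION;` inside `script:`. That keeps the v8 bump behaviour-neutral while removing the one expression interpolated into code in this hunk; the same pattern is worth applying to any other `${{ }}` inside the script body below the shown lines.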
8 changes: 4 additions & 4 deletions .github/workflows/spookydb-update.yaml
Expand Up @@ -34,18 +34,18 @@ jobs:
needs: [build]
runs-on: ubuntu-latest
steps:
# https://github.com/actions/checkout/tree/v4/
# https://github.com/actions/checkout/tree/v6/
- name: Checkout spooky db code
uses: actions/checkout@v4
uses: actions/checkout@v6


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '1,120p' .github/workflows/spookydb-update.yaml | cat -n

Repository: FAForever/fa

Length of output: 4239


🏁 Script executed:

sed -n '1,140p' .github/workflows/spookydb-update.yaml | cat -n

Repository: FAForever/fa

Length of output: 4239


Pin both action refs to commit SHAs (lines 39, 48).
This deploy job checks out with SPOOKYDB_DEPLOYMENT_KEY and pushes to gh-pages, so leaving actions/checkout@v6 and actions/download-artifact@v7 on moving tags widens the supply-chain risk.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 39-39: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/spookydb-update.yaml at line 39, pin the GitHub Actions
used in this workflow to immutable commit SHAs instead of moving major tags:
update the checkout step in the deploy job that uses actions/checkout and the
artifact step that uses actions/download-artifact. Keep the existing behavior of
checking out with SPOOKYDB_DEPLOYMENT_KEY and pushing to gh-pages, but replace
both action refs with their specific commit hashes so the workflow cannot pick
up unreviewed upstream changes.

Source: Linters/SAST tools

with:
repository: FAForever/spooky-db
path: gh-pages
ref: gh-pages
ssh-key: ${{ secrets.SPOOKYDB_DEPLOYMENT_KEY }}

# https://github.com/actions/download-artifact/tree/v4/
# https://github.com/actions/download-artifact/tree/v7/
- name: Download recent unit information
uses: actions/download-artifact@v4
uses: actions/download-artifact@v7
with:
name: spookydb-dist
path: dist
4 changes: 2 additions & 2 deletions .github/workflows/stage-fafbeta.yaml
Expand Up @@ -33,9 +33,9 @@ jobs:
needs: [test]
runs-on: ubuntu-latest
steps:
# https://github.com/actions/checkout/tree/v4/
# https://github.com/actions/checkout/tree/v6/
- name: Checkout FA repository
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
repository: FAForever/fa
4 changes: 2 additions & 2 deletions .github/workflows/stage-fafdevelop.yaml
Expand Up @@ -33,9 +33,9 @@ jobs:
needs: [test]
runs-on: ubuntu-latest
steps:
# https://github.com/actions/checkout/tree/v4/
# https://github.com/actions/checkout/tree/v6/
- name: Checkout FA repository
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
ssh-key: ${{ secrets.SSH_FAFOREVER_MACHINE_USER }}
repository: FAForever/fa
6 changes: 3 additions & 3 deletions .github/workflows/tests.yaml
Expand Up @@ -21,7 +21,7 @@ jobs:
- name: Install tooling
run: apk add bash git findutils
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
BlackYps marked this conversation as resolved.
with:
sparse-checkout-cone-mode: false
sparse-checkout: |
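Review bot: this job runs in a container provisioned with `apk`, i.e. Alpine on musl, and actions/checkout v5 and later execute on the Node 24 runtime; Node-based actions inside musl containers depend on the runner supplying a matching Node build, so confirm an actual run of the bumped job in this container completes before merging rather than relying on YAML validation alone. The same check applies to the other two checkout steps in this file and to the `apk`-based job in docs-convert-changelog.yaml.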
Expand Down Expand Up @@ -70,7 +70,7 @@ jobs:
- name: Install tooling
run: apk add bash git findutils
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
sparse-checkout-cone-mode: false
sparse-checkout: |
Expand All @@ -88,7 +88,7 @@ jobs:
- name: Install tooling
run: apk add bash git findutils
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
sparse-checkout-cone-mode: false
sparse-checkout: |
8 changes: 4 additions & 4 deletions .github/workflows/wiki-generate-blueprints.yaml
Expand Up @@ -34,14 +34,14 @@ jobs:
steps:
# Checkout repos, FA repo is sparse checkout as it is quite large
- name: Checkout Brewlan Wikigen Repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
repository: The-Balthazar/BrewWikiGen
path: ./brew-wiki-gen

# FA repo is sparse checkout as it is quite large and we dont won't to incur higher action minutes for no reason
- name: Checkout FAF Repository # -png folder doesnt exist yet, confirm location.
uses: actions/checkout@v4
uses: actions/checkout@v6
Comment on lines +37 to +44


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file around the referenced lines and look for all action refs.
nl -ba .github/workflows/wiki-generate-blueprints.yaml | sed -n '1,220p'

printf '\n--- action refs ---\n'
rg -n "uses:\s*" .github/workflows/wiki-generate-blueprints.yaml

Repository: FAForever/fa

Length of output: 190


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '%s\n' '--- workflow file ---'
awk 'NR>=1 && NR<=240 { printf "%4d  %s\n", NR, $0 }' .github/workflows/wiki-generate-blueprints.yaml

printf '\n%s\n' '--- action refs ---'
rg -n "uses:\s*" .github/workflows/wiki-generate-blueprints.yaml

Repository: FAForever/fa

Length of output: 4593


Pin the updated GitHub Actions to immutable SHAs. actions/checkout@v6 (three uses) and actions/upload-artifact@v7 are still mutable tags; replace them with full commit SHAs to satisfy the workflow pinning policy.

🧰 Tools
🪛 zizmor (1.26.1)

[error] 37-37: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 44-44: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/wiki-generate-blueprints.yaml around lines 37 - 44, the
workflow still uses mutable GitHub Actions tags in the checkout and artifact
steps, so update each `actions/checkout` and `actions/upload-artifact` reference
to a pinned immutable commit SHA. Locate the relevant `uses:` entries in
`wiki-generate-blueprints.yaml` and replace the version tags with the approved
SHAs while keeping the existing step behavior and inputs unchanged.

Source: Linters/SAST tools

with:
path: ./fa
sparse-checkout-cone-mode: |
Expand All @@ -56,7 +56,7 @@ jobs:
projectiles

- name: Checkout FAF Wiki Repository
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
repository: FAForever/fa.wiki
path: ./fa.wiki
Expand All @@ -76,7 +76,7 @@ jobs:


- name: Upload as artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@v7
with:
name: Wiki
path: fa.wiki