
[StepSecurity] ci: Harden GitHub Actions #688

Merged
RalphHightower merged 1 commit into RalphHightower:main from step-security-bot:stepsecurity_remediation_1736749972
Jan 13, 2025

@step-security-bot
Contributor

Summary

This pull request is created by StepSecurity at the request of @RalphHightower. Please merge the Pull Request to incorporate the requested changes. Please tag @RalphHightower on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Feedback

For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]
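
The pinning rule described in this PR can be checked mechanically. The following is an added example, not part of the pull request or of StepSecurity's tooling: a small auditor that flags `uses:` references not pinned to a full 40-character commit SHA (or, for `docker://` images, a sha256 digest). The action names, the SHA and the sample workflow are constructed placeholders.

```python
import re

# A `uses:` key on a step or reusable-workflow job; stops before any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify(ref):
    """Return 'pinned', 'mutable' or 'local' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # lives in this repository, versioned with the workflow itself
    if ref.startswith("docker://"):
        _, sep, digest = ref[len("docker://"):].partition("@")
        return "pinned" if sep and DIGEST_RE.match(digest) else "mutable"
    _, sep, version = ref.rpartition("@")
    # Tags, branches and abbreviated SHAs can all be repointed or collide.
    return "pinned" if sep and FULL_SHA_RE.match(version.lower()) else "mutable"


def audit(workflow_text):
    """Return (line_number, reference) for every mutable reference found."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow; names and SHA are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/setup@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/tool@0123456
      - uses: ./.github/actions/local
      - uses: docker://example/image:latest
"""

if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE):
        print(f"line {lineno}: {ref} is not pinned to an immutable reference")
```
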

Owner

@RalphHightower RalphHightower left a comment


Approved

@RalphHightower RalphHightower merged commit 08d0794 into RalphHightower:main Jan 13, 2025
@RalphHightower
Owner

Run bundle exec jekyll build --trace --incremental --baseurl "/blog"
  bundle exec jekyll build --trace --incremental --baseurl "/blog"
  shell: /usr/bin/bash -e {0}
  env:
    GITHUB_PAGES: true
    JEKYLL_ENV: production
    JEKYLL_GITHUB_TOKEN: 
    LOG_LEVEL: debug
  
To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
Configuration file: /home/runner/work/blog/blog/_config.yml
            Source: /home/runner/work/blog/blog
       Destination: /home/runner/work/blog/blog/_site
 Incremental build: enabled
      Generating... 
  AI Related Posts: Creating cache [.ai_related_posts_cache.sqlite3]
bundler: failed to load command: jekyll (/home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll)
/home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:15:in `load_extension': libblas.so.3: cannot open shared object file: No such file or directory (RuntimeError)
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:15:in `load_vss'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/sqlite-vss-0.1.2-x86_64-linux/lib/sqlite_vss.rb:19:in `load'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll_ai_related_posts-0.1.4/lib/jekyll_ai_related_posts/generator.rb:194:in `setup_database'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll_ai_related_posts-0.1.4/lib/jekyll_ai_related_posts/generator.rb:19:in `generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:193:in `block in generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:191:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:191:in `generate'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/site.rb:79:in `process'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:28:in `process_site'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:65:in `build'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:36:in `process'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `block in process_with_graceful_fail'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/command.rb:91:in `process_with_graceful_fail'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/lib/jekyll/commands/build.rb:18:in `block (2 levels) in init_with_program'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `block in execute'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `each'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `execute'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary/program.rb:44:in `go'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/mercenary-0.4.0/lib/mercenary.rb:21:in `program'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/gems/jekyll-4.3.4/exe/jekyll:15:in `<top (required)>'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll:25:in `load'
	from /home/runner/work/blog/blog/vendor/bundle/ruby/3.3.0/bin/jekyll:25:in `<top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `kernel_load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli/exec.rb:23:in `run'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:455:in `exec'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/command.rb:28:in `run'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor.rb:527:in `dispatch'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:35:in `dispatch'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/base.rb:584:in `start'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/cli.rb:29:in `start'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/gems/3.3.0/gems/bundler-2.5.22/exe/bundle:28:in `block in <top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/3.3.0/bundler/friendly_errors.rb:117:in `with_friendly_errors'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/lib/ruby/gems/3.3.0/gems/bundler-2.5.22/exe/bundle:20:in `<top (required)>'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/bin/bundle:25:in `load'
	from /opt/hostedtoolcache/Ruby/3.3.6/x64/bin/bundle:25:in `<main>'
Error: Process completed with exit code 1.

@RalphHightower RalphHightower added action – failure Failure during an Action ossf OpenSSF is a community of software developers and security engineers labels Jan 13, 2025
@github-actions github-actions bot deleted the stepsecurity_remediation_1736749972 branch September 14, 2025 06:23