6 changes: 4 additions & 2 deletions .github/workflows/check.yml
Expand Up @@ -33,5 +33,7 @@ jobs:
- name: Validate changed files
if: steps.files.outputs.any_changed == 'true'
run: |
npm run playlist:lint -- ${{ steps.files.outputs.all_changed_files }}
npm run playlist:validate -- ${{ steps.files.outputs.all_changed_files }}
npm run playlist:lint -- ${ALL_CHANGED_FILES}
npm run playlist:validate -- ${ALL_CHANGED_FILES}
env:
ALL_CHANGED_FILES: ${{ steps.files.outputs.all_changed_files }}
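Review bot: `${ALL_CHANGED_FILES}` is expanded unquoted on both `npm run` lines of the `run:` block, so the shell still word-splits and glob-expands the list. A changed path that contains a space or a `*` reaches `playlist:lint` and `playlist:validate` as different arguments than the ones that were changed. Moving the expression into `env:` keeps the value out of the script text, but the argument boundaries are still decided by the shell. If the list is space-separated by design, say so in a comment and add `set -f` before the two commands; otherwise emit the paths one per line and read them into the argument list before calling `npm run`.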
Comment on lines 35 to +39
Copilot AI Mar 31, 2026

The step output steps.files.outputs.all_changed_files ultimately originates from writing ALL_CHANGED_FILES into $GITHUB_OUTPUT as a plain name=value line. If a changed filename ever contains a newline or other special characters, this can corrupt/forge step outputs (workflow command injection) and then propagate into ALL_CHANGED_FILES here. Consider generating the file list in a NUL-delimited form (e.g., git diff -z) and writing the output using the $GITHUB_OUTPUT delimiter (multiline) syntax so arbitrary filenames can’t break the output format.

Copilot uses AI. Check for mistakes.
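
The failure mode and the fix named in the review comment above, as an added example that is not part of the pull request or of the review: a temp file stands in for the step-output file, and a plain `name=value` write is compared with GitHub's delimiter syntax. The function names, the simplified reader and the sample filename are constructed for illustration.

```sh
#!/bin/sh
# Added example: a temp file stands in for the step-output file; all names are constructed.

# Weak form: one name=value line. A newline inside the value starts a second
# line, which is then read as another output.
write_plain() {   # $1=name  $2=value  $3=output file
  printf '%s=%s\n' "$1" "$2" >> "$3"
}

# Hardened form: the documented multiline syntax (name<<DELIM, value, DELIM)
# with a random delimiter that the value cannot predict.
write_delimited() {   # $1=name  $2=value  $3=output file
  _d="EOF_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  case "$2" in
    *"$_d"*) return 1 ;;   # value contains the delimiter: refuse to write
  esac
  printf '%s<<%s\n%s\n%s\n' "$1" "$_d" "$2" "$_d" >> "$3"
}

# Simplified reader (an assumption, not the runner's code): prints the name
# of every output the file defines.
list_output_names() {   # $1=output file
  _hd='<<'; _delim=''
  while IFS= read -r _line; do
    if [ -n "$_delim" ]; then
      # Inside a delimited value only the exact delimiter line ends it.
      if [ "$_line" = "$_delim" ]; then _delim=''; fi
      continue
    fi
    _k1=${_line%%=*}         # text before the first '='
    _k2=${_line%%"$_hd"*}    # text before the first '<<'
    if [ "${#_k2}" -lt "${#_k1}" ]; then
      printf '%s\n' "$_k2"; _delim=${_line#*"$_hd"}
    elif [ "${#_k1}" -lt "${#_line}" ]; then
      printf '%s\n' "$_k1"
    fi
  done < "$1"
  return 0
}

# Constructed filename with an embedded newline.
demo_name=$(printf 'streams/a.m3u\ninjected_key=1')
demo_out=$(mktemp)
write_plain all_changed_files "$demo_name" "$demo_out"
echo "plain:     $(list_output_names "$demo_out" | tr '\n' ' ')"
: > "$demo_out"
write_delimited all_changed_files "$demo_name" "$demo_out"
echo "delimited: $(list_output_names "$demo_out" | tr '\n' ' ')"
rm -f "$demo_out"
```

With the plain write the reader reports two outputs; with the delimited write it reports only `all_changed_files`, and the second line stays inside the value.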
4 changes: 2 additions & 2 deletions .github/workflows/format.yml
Expand Up @@ -8,7 +8,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: tibdex/github-app-token@v1.8.2
- uses: tibdex/github-app-token@0d49dd721133f900ebd5e0dff2810704e8defbc6 # v1.8.2
if: ${{ !env.ACT }}
id: create-app-token
with:
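Review bot: Nothing on the `tibdex/github-app-token@0d49dd721133f900ebd5e0dff2810704e8defbc6 # v1.8.2` line lets a reviewer confirm that this SHA is the commit the `v1.8.2` tag pointed to. Please record in the PR how it was resolved, for example the `git ls-remote --tags` output for that tag, since the same line is repeated in stale.yml and update.yml. The trailing comment is now the only place the version is written down, so whatever updates the pin later has to update the comment with it.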
Expand Down Expand Up @@ -52,4 +52,4 @@ jobs:
git commit -m "[Bot] Format /streams" -m "Committed by [iptv-bot](https://github.com/apps/iptv-bot) via [format](https://github.com/iptv-org/iptv/actions/runs/${{ github.run_id }}) workflow." --no-verify
- name: Push all changes to the repository
if: ${{ !env.ACT && github.ref == 'refs/heads/master' && steps.files_after.outputs.any_changed == 'true' }}
run: git push
run: git push
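Review bot: The removed and added `run: git push` lines at the end of this hunk read identically, so the change looks like whitespace or an end-of-file newline only. It is harmless, but it is unrelated to the pinning and worth a word in the description so it is not mistaken for a behaviour change.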
2 changes: 1 addition & 1 deletion .github/workflows/stale.yml
Expand Up @@ -10,7 +10,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: tibdex/github-app-token@v1.8.2
- uses: tibdex/github-app-token@0d49dd721133f900ebd5e0dff2810704e8defbc6 # v1.8.2
id: create-app-token
with:
app_id: ${{ secrets.APP_ID }}
6 changes: 3 additions & 3 deletions .github/workflows/update.yml
Expand Up @@ -8,7 +8,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: tibdex/github-app-token@v1.8.2
- uses: tibdex/github-app-token@0d49dd721133f900ebd5e0dff2810704e8defbc6 # v1.8.2
if: ${{ !env.ACT }}
Comment on lines 10 to 12
Copilot AI Mar 31, 2026

PR description says it "pins all GitHub Actions to immutable commit SHAs", but this workflow (and others) still use mutable tags for first-party actions like actions/checkout@v6 and actions/setup-node@v6. Either adjust the PR description to clarify it only pins the third-party actions, or also pin the remaining actions to SHAs for consistency with the stated goal.

id: create-app-token
with:
Expand Down Expand Up @@ -55,7 +55,7 @@ jobs:
if: ${{ !env.ACT && github.ref == 'refs/heads/master' }}
run: git push
- name: Deploy public playlists to GitHub Pages
uses: JamesIves/github-pages-deploy-action@4.1.1
uses: JamesIves/github-pages-deploy-action@164583b9e44b4fc5910e78feb607ea7c98d3c7b9 # 4.1.1
if: ${{ !env.ACT && github.ref == 'refs/heads/master' }}
with:
repository-name: iptv-org/iptv
Expand All @@ -67,7 +67,7 @@ jobs:
commit-message: '[Bot] Deploy to GitHub Pages'
clean: true
- name: Move .api/streams.json to iptv-org/api
uses: JamesIves/github-pages-deploy-action@4.1.1
uses: JamesIves/github-pages-deploy-action@164583b9e44b4fc5910e78feb607ea7c98d3c7b9 # 4.1.1
if: ${{ !env.ACT && github.ref == 'refs/heads/master' }}
with:
repository-name: iptv-org/api