Bug Description
.github/workflows/bench.yml uses several third-party Actions pinned to mutable refs:
- pnpm/action-setup@v4
- actions/setup-node@v4 (first-party — OK with @v4 per convention, but SHA-pinning is still safer)
- dtolnay/rust-toolchain@stable — branch ref, force-pushable
No secrets are in scope for bench.yml (it does not publish), so the immediate blast radius is execution as the runner user with default GITHUB_TOKEN. Still a supply-chain hygiene gap.
Steps to Reproduce
- Run grep -E "uses:" .github/workflows/bench.yml
- Observe mutable refs.
Expected Behavior
SHA-pin every third-party action:
uses: dtolnay/rust-toolchain@<sha> # stable
uses: pnpm/action-setup@<sha> # v4
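As an added check (example shell written for this report, not code from the report itself or from the recurram-bench repository), the script below lists every uses: reference in a workflow file and flags any ref that is not a 40-hex commit SHA, so a reviewer can confirm the "SHA-pin everything" expectation above on any workflow. The workflow it scans is constructed inline for the demo, the SHAs in it are placeholders, and it deliberately flags first-party actions/* refs too, matching the stricter stance that SHA-pinning is safer even there.

```shell
# Added example: classify every `uses:` ref in a GitHub Actions workflow.
# Output lines are one of:
#   mutable <owner/repo@tag-or-branch>       -> tag/branch ref, can move
#   pinned <owner/repo@sha> # <comment>      -> full 40-hex SHA with a version comment
#   pinned-no-comment <owner/repo@sha>       -> SHA pin but no human-readable version note
#   local-or-docker <ref>                    -> ./path or docker:// ref, not a GitHub tag

# Constructed sample workflow (NOT the repository's real bench.yml); SHAs are placeholders.
SAMPLE_WORKFLOW=$(mktemp)
trap 'rm -f "$SAMPLE_WORKFLOW"' EXIT
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: bench
on: [push]
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - name: Node
        uses: "actions/setup-node@v4"
      - uses: dtolnay/rust-toolchain@stable
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2 (placeholder SHA)
      - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-thing
EOF

# Print one classification line per `uses:` entry in the given workflow file.
classify_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" |
  sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' |
  while IFS= read -r line; do
    # ref = everything before a trailing comment, with quotes and spaces removed
    ref=$(printf '%s' "${line%%#*}" | tr -d "\"' ")
    # comment = text after the first '#', leading whitespace trimmed (empty if none)
    case "$line" in
      *#*) comment=$(printf '%s' "${line#*#}" | sed -E 's/^[[:space:]]+//') ;;
      *)   comment= ;;
    esac
    case "$ref" in
      ./*|docker://*) printf 'local-or-docker %s\n' "$ref"; continue ;;
    esac
    tag=${ref##*@}
    if printf '%s' "$tag" | grep -Eq '^[0-9a-f]{40}$'; then
      if [ -n "$comment" ]; then
        printf 'pinned %s # %s\n' "$ref" "$comment"
      else
        printf 'pinned-no-comment %s\n' "$ref"
      fi
    else
      printf 'mutable %s\n' "$ref"
    fi
  done
}

# Number of mutable refs in the file; prints 0 when the workflow is fully pinned.
count_mutable() {
  classify_uses "$1" | grep -c '^mutable ' || true
}

# Stand-alone run: show the classification and the mutable count for the sample.
classify_uses "$SAMPLE_WORKFLOW"
echo "mutable refs: $(count_mutable "$SAMPLE_WORKFLOW")"
```

On the sample this reports four mutable refs (the three named in this issue plus actions/checkout@v4) and one SHA pin that lacks the trailing version comment the expected fix asks for; pointing it at the real bench.yml instead of the sample file gives the actual list to fix.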
Actual Behavior
Mutable refs.
Environment
- Repo: recurram-bench
- File: .github/workflows/bench.yml
Additional Context
Severity: Low.