chore(deps): bump DavidAnson/markdownlint-cli2-action from 19 to 23#65
Bumps [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action) from 19 to 23.
- [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases)
- [Commits](DavidAnson/markdownlint-cli2-action@v19...v23)

---
updated-dependencies:
- dependency-name: DavidAnson/markdownlint-cli2-action
  dependency-version: '23'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
LGTM — straightforward Dependabot version bump with no logic changes.
Extended reasoning...
Overview
This PR bumps DavidAnson/markdownlint-cli2-action from v19 to v23 in .github/workflows/ci.yaml. It is a single-line change generated by Dependabot.
Security risks
The inline bug comment flags that @v23 is a mutable tag rather than a pinned SHA. This is a valid supply chain security observation, but it is a nit: the same pattern (mutable tags) is used for every other action in this file (actions/checkout@v4, streetsidesoftware/cspell-action@v6, Flash-Brew-Digital/validate-skill@v1). This PR does not introduce the pattern — it follows it consistently. The risk level is unchanged relative to the pre-PR state.
Level of scrutiny
Very low. This is a mechanical Dependabot bump of a markdown linting action. It has no effect on application logic, secrets handling, or any production code path. The action only runs markdown linting on PRs.
Other factors
The Dependabot compatibility score link is included in the PR description, and the action’s changelog shows only markdown toolchain version updates (no breaking changes affecting this usage). No prior reviews exist on this PR.
| - uses: actions/checkout@v4 | ||
| - name: Lint Markdown | ||
| uses: DavidAnson/markdownlint-cli2-action@v19 | ||
| uses: DavidAnson/markdownlint-cli2-action@v23 |
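Review bot: the new `uses:` line still references the mutable tag `@v23`, and the description already lists the v23 commit as ce4853d43830c74c1753b39f3cf40f71c2031eb9, so the reference can be made immutable in this same change by pinning the full 40-character SHA and keeping the version as a trailing comment for readability and Dependabot tracking: `uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 # v23`. A short SHA does not qualify as a pin for GitHub Actions, so the full value should be used.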
🟡 The action is pinned to the mutable tag @v23 rather than an immutable commit SHA, meaning a force-push to the tag could silently change what code runs in CI. Since the PR description already provides the target SHA (ce4853d43830c74c1753b39f3cf40f71c2031eb9), consider using DavidAnson/markdownlint-cli2-action@ce4853d instead.
Extended reasoning...
What the bug is: GitHub Action tags are mutable references. A repository owner (or a compromised account) can force-push a tag to point to a completely different commit. Using DavidAnson/markdownlint-cli2-action@v23 means that if the v23 tag is ever moved, all future CI runs will execute whatever code the tag now points to, without any indication in the workflow file that anything changed. This is a well-known supply chain security risk for CI/CD pipelines.
The specific code path: Line 15 of .github/workflows/ci.yaml uses DavidAnson/markdownlint-cli2-action@v23. This action runs with access to the repository checkout and the CI environment, so malicious code injected via a tag force-push would have meaningful access.
Why existing code does not prevent it: GitHub Actions has no built-in mechanism to warn when a tag resolves to a different commit than it previously did. The workflow file looks identical whether the tag has been moved or not. Only pinning to a full 40-character commit SHA provides an immutable reference that GitHub enforces.
Step-by-step proof of impact: (1) The v23 tag currently resolves to commit ce4853d43830c74c1753b39f3cf40f71c2031eb9. (2) If the action repository is compromised, git tag -f v23 followed by a force push would silently redirect all users of @v23 to run malicious code. (3) The next CI run in this repository would execute that malicious code without any workflow file change, making detection very difficult.
Addressing the refutation: The refutation correctly notes that all other actions in this file also use mutable tags (actions/checkout@v4, streetsidesoftware/cspell-action@v6, Flash-Brew-Digital/validate-skill@v1), and this is a consistent project pattern. However, this PR actively modifies the markdownlint action line, making it the natural moment to adopt secure pinning for at least this action. Consistency in an insecure pattern does not make the pattern secure.
How to fix it: Replace DavidAnson/markdownlint-cli2-action@v23 with DavidAnson/markdownlint-cli2-action@ce4853d. The PR description already includes this exact SHA in the commit list, so no additional research is needed. Tools like StepSecurity Harden-Runner or Renovate can be configured to automatically maintain SHA pins going forward.
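A check for the mutable-tag pattern described in the review, added here as an example and not code from this PR or the repository: it scans a workflow for `uses:` references that are not pinned to a full 40-hex commit SHA, and rewrites a given action to a SHA pin with the tag kept as a trailing comment. The sample workflow is constructed; the only real SHA used is the v23 commit listed in the PR description.

```python
import re

# Constructed sample workflow using the actions named in the review;
# this is not the repository's actual ci.yaml.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Lint Markdown
        uses: DavidAnson/markdownlint-cli2-action@v23
      - uses: streetsidesoftware/cspell-action@v6
      - uses: ./.github/actions/local-step
"""

# v23 commit SHA as listed in the PR description (the only real value here).
PINS = {"DavidAnson/markdownlint-cli2-action@v23":
        "ce4853d43830c74c1753b39f3cf40f71c2031eb9"}

USES_RE = re.compile(r"^([ \t]*-?[ \t]*uses:[ \t]*)([^\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_uses(workflow_text):
    """Return (line_no, action, ref) for each `uses:` whose ref is not a
    full 40-hex commit SHA. Local (./) and docker:// references are not
    Git tags of a third-party repository and are skipped."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(2).startswith(("./", "docker://")):
            continue
        action, _, ref = m.group(2).partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((n, action, ref))
    return findings


def pin_to_sha(workflow_text, pins):
    """Rewrite `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag`
    for every key in `pins`; the comment keeps the version readable."""
    def repl(m):
        sha = pins.get(m.group(2))
        if sha is None or not FULL_SHA_RE.match(sha):
            return m.group(0)  # not in the pin map: leave the line as-is
        action, _, tag = m.group(2).partition("@")
        return f"{m.group(1)}{action}@{sha} # {tag}"
    return USES_RE.sub(repl, workflow_text)
```

Running `find_mutable_uses` before and after `pin_to_sha(SAMPLE_WORKFLOW, PINS)` shows the markdownlint step dropping out of the findings while the other tag references remain flagged.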
Bumps DavidAnson/markdownlint-cli2-action from 19 to 23.
Release notes
Sourced from DavidAnson/markdownlint-cli2-action's releases.
... (truncated)
Commits
- ce4853d Update to version 23.0.0.
- 63a898c Improve type fidelity.
- 08fc3a2 Add configPointer input, examples for package.json/pyproject.toml.
- 154744f Freshen generated index.js file.
- d1d523c Bump markdownlint-cli2 from 0.21.0 to 0.22.0
- 619b235 Bump eslint from 10.0.3 to 10.1.0
- a226cbe Freshen generated index.js file.
- 5d93b2e Migrate from Node.js 20 to Node.js 24.
- 0cf8cdd Bump eslint from 10.0.2 to 10.0.3
- 462cc85 Bump @stylistic/eslint-plugin from 5.9.0 to 5.10.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)