fix: pin 10 unpinned action(s),extract 6 unsafe expression(s) to env vars

[dagecko]

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

Rule	Severity	File	Description
RGS-007	high	.github/workflows/compiler_discord_notify.yml	Pinned 1 third-party action(s) to commit SHA
RGS-007	high	.github/workflows/compiler_prereleases_manual.yml	Pinned 1 third-party action(s) to commit SHA
RGS-007	high	.github/workflows/compiler_prereleases_nightly.yml	Pinned 1 third-party action(s) to commit SHA
RGS-007	high	.github/workflows/devtools_discord_notify.yml	Pinned 1 third-party action(s) to commit SHA
RGS-002	high	.github/workflows/devtools_regression_tests.yml	Extracted 1 unsafe expression(s) to env vars
RGS-002	high	.github/workflows/runtime_build_and_test.yml	Extracted 3 unsafe expression(s) to env vars
RGS-002	high	.github/workflows/runtime_commit_artifacts.yml	Extracted 1 unsafe expression(s) to env vars
RGS-007	high	.github/workflows/runtime_discord_notify.yml	Pinned 1 third-party action(s) to commit SHA
RGS-002	high	.github/workflows/runtime_prereleases.yml	Extracted 1 unsafe expression(s) to env vars
RGS-007	high	.github/workflows/runtime_prereleases_manual.yml	Pinned 2 third-party action(s) to commit SHA
RGS-007	high	.github/workflows/runtime_prereleases_nightly.yml	Pinned 2 third-party action(s) to commit SHA
RGS-007	high	.github/workflows/shared_label_core_team_prs.yml	Pinned 1 third-party action(s) to commit SHA

Advisory: additional findings (manual review recommended)

| Rule | Severity | File | Description |
| RGS-005 | medium | .github/workflows/shared_label_core_team_prs.yml | Excessive Permissions on Untrusted Trigger |

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files incident
and subsequent supply chain attacks, which compromised CI secrets across
thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

• Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
  run: blocks into env: mappings, preventing shell injection
• SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
  (original version tag preserved as comment)
• Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
  which leak secrets in workflow logs

Run brew install Vigilant-LLC/tap/runner-guard && runner-guard scan . or install from the
repo to verify.

---

Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

[meta-cla]

Hi @dagecko!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!