Summary
All CI/CD workflow files pin third-party GitHub Actions to mutable major version tags (e.g., @v4, @v2) rather than immutable commit SHAs. This creates a supply chain attack surface: if any upstream action repository is compromised and a malicious commit is force-pushed under the same tag, the capture-eye release pipeline would execute attacker-controlled code with access to NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and GITHUB_TOKEN.
Affected Files
.github/workflows/production-release.yml:
actions/checkout@v4 (lines 14, 28, 44, 59, 74, 98)actions/setup-node@v4 (lines 29, 46, 79)EndBug/version-check@v2 (line 17)aws-actions/configure-aws-credentials@v3 (line 85)softprops/action-gh-release@v2 (line 100)
.github/workflows/build.yml also uses @v4 tags.
Impact
- High severity — A compromised action could exfiltrate the NPM publish token, AWS credentials, or GitHub token during a production release
- This is a recognized supply chain risk (see GitHub's security hardening guide)
- The
EndBug/version-check and softprops/action-gh-release actions are third-party (not GitHub-owned), increasing the risk surface
Suggested Fix
Pin every action to its full commit SHA instead of a version tag. Add a comment with the human-readable version for maintenance. Example:
# Before
- uses: actions/checkout@v4
# After
- uses: actions/checkout@<full-sha-here> # v4.x.x
Use StepSecurity's pin-github-action or pinact tool to automate SHA resolution across all workflow files.
Additionally, consider enabling GitHub's Dependabot for Actions to receive PRs when pinned SHAs have newer versions available.
Summary
All CI/CD workflow files pin third-party GitHub Actions to mutable major version tags (e.g.,
@v4,@v2) rather than immutable commit SHAs. This creates a supply chain attack surface: if any upstream action repository is compromised and a malicious commit is force-pushed under the same tag, the capture-eye release pipeline would execute attacker-controlled code with access toNPM_TOKEN,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY, andGITHUB_TOKEN.Affected Files
.github/workflows/production-release.yml:actions/checkout@v4(lines 14, 28, 44, 59, 74, 98)actions/setup-node@v4(lines 29, 46, 79)EndBug/version-check@v2(line 17)aws-actions/configure-aws-credentials@v3(line 85)softprops/action-gh-release@v2(line 100).github/workflows/build.ymlalso uses@v4tags.Impact
EndBug/version-checkandsoftprops/action-gh-releaseactions are third-party (not GitHub-owned), increasing the risk surfaceSuggested Fix
Pin every action to its full commit SHA instead of a version tag. Add a comment with the human-readable version for maintenance. Example:
Use StepSecurity's pin-github-action or
pinacttool to automate SHA resolution across all workflow files.Additionally, consider enabling GitHub's Dependabot for Actions to receive PRs when pinned SHAs have newer versions available.