
VLN-1461: remediate unpinned-github-actions#801

Open
picatz wants to merge 1 commit into
mainfrom
camper/unpinned-github-actions-finding-unpinned-github-actions-temporalio-api

Conversation

@picatz

@picatz picatz commented Jun 11, 2026


🏕️ This pull request was created by camper, an automated security campaign tool.

Finding

Rule: unpinned-github-actions
Severity: MEDIUM
Repository: temporalio/api
Ticket: VLN-1461

Summary

🤠 Deputy pinned dependencies to immutable references.

  • Total refs: 13
  • Pinned refs: 9
  • Skipped refs: 4

Changed references:

  • arduino/setup-protoc: v2 -> a8b67ba40b37d35169e222f3bb352603327985b6 # v2.1.0
  • dcarbone/install-jq-action: v2 -> 8867ddb4788346d7c22b72ea2e2ffe4d514c7bcb # v2.1.0
  • actions/checkout: v4 -> 34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  • actions/setup-go: v4 -> 7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0
  • actions/create-github-app-token: v1 -> d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
  • actions/checkout: v4 -> 34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  • actions/checkout: v4 -> 34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  • bufbuild/buf-action: v1 -> fd21066df7214747548607aaa45548ba2b9bc1ff # v1.4.0
  • actions/create-github-app-token: v1 -> d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0

Instructions

  • Approve to merge this fix
  • Request changes to trigger a new remediation attempt
  • /camper rebase — rebase onto the base branch
  • /camper close — close this PR without merging
  • /camper retry — close and retry with a new fix
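Added worked example, not code from this PR or from the camper tool: a small Python checker that does for one workflow file what the campaign summary above describes. It finds `uses:` references that are not pinned to a full 40-hex commit SHA, rewrites the ones it can resolve to the `sha # vX.Y.Z` form used in this PR, and reports the rest as skipped. The tag-to-SHA map is constructed here from the SHAs listed in the summary; in practice it would be filled from `git ls-remote` or the GitHub API. The sample workflow text is constructed and is not temporalio/api's ci.yml.

```python
import re

# A `uses:` step line: owner/repo[/subpath]@ref, optionally followed by "# comment".
# Local actions ("./...") and docker:// images carry no owner/repo@ref and do not match.
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*uses:\s*)'
    r'(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)'
    r'@(?P<ref>[^\s#]+)'
    r'(?P<rest>\s*(?:#.*)?)$'
)
# Only a full commit SHA is immutable; tags and branches can be moved by the action owner.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Constructed sample workflow (not the real ci.yml); one step is already pinned.
WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v4
      - uses: ./.github/actions/local-helper
      - uses: bufbuild/buf-action@v1
      - uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
"""

# Constructed (action, floating ref) -> (sha, resolved version) map, taken from the PR summary.
# bufbuild/buf-action is deliberately absent so the "skipped ref" path is exercised.
RESOLVED = {
    ("actions/checkout", "v4"): ("34e114876b0b11c390a56381ad16ebd13914f8d5", "v4.3.1"),
    ("actions/setup-go", "v4"): ("7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4", "v4.3.0"),
}


def is_pinned(ref):
    """True when the ref is a full 40-hex commit SHA."""
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every remote action not pinned to a commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((n, m.group("action"), m.group("ref")))
    return findings


def pin_workflow(workflow_text, resolved):
    """Rewrite floating refs to `action@sha # version` where `resolved` knows the SHA.

    Returns (rewritten_text, skipped) where skipped lists (action, ref) pairs that
    had no resolution and were left exactly as they were.
    """
    out, skipped = [], []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            if key in resolved:
                sha, version = resolved[key]
                # Keep the version as a trailing comment so humans and update bots
                # can still tell which release the SHA corresponds to.
                line = f"{m.group('indent')}{m.group('action')}@{sha} # {version}"
            else:
                skipped.append(key)
        out.append(line)
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    for n, action, ref in find_unpinned(WORKFLOW):
        print(f"line {n}: {action}@{ref} is not pinned to a commit SHA")
    rewritten, skipped = pin_workflow(WORKFLOW, RESOLVED)
    print(rewritten)
    print("skipped:", skipped)
```

Local actions and `docker://` images have no `owner/repo@ref` to pin and are ignored; a ref that is already a 40-hex SHA passes unchanged. Run `find_unpinned` over every file under `.github/workflows/` and fail CI on any non-empty result to keep a repository pinned after this PR lands.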

@picatz picatz requested review from a team June 11, 2026 18:15
@semgrep-managed-scans commented (comment marked as off-topic).

@picatz

picatz commented Jun 18, 2026


This PR has had no activity for 7 days and may need attention.

Actions you can take:

  • Review and approve if the changes look good
  • Close if this fix is no longer needed
  • Comment /camper rebase to rebase onto the latest base branch
  • Comment /camper retry to regenerate the fix

2 similar comments: picatz posted the same 7-day inactivity notice on Jun 25, 2026 and Jul 2, 2026.

Comment thread .github/workflows/ci.yml
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
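Review bot: the snippet still shows `actions/setup-go@v4` as a floating tag between the old and the pinned checkout lines, while the PR summary lists setup-go pinned to 7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0; confirm the final diff for this file pins setup-go as well, otherwise the finding only partially closes for ci.yml. Keep the `# v4.3.1` trailing comment on the pinned checkout line: Dependabot and Renovate read it to recognise the release behind the SHA and propose bumps, so a SHA without it is harder to keep current.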

Contributor


shouldn't checkout be v7 now?

This comment was marked as low quality.

@picatz picatz Jul 2, 2026



Ignore comment above (generated by Camper); the v7 checkout campaign is distinct from the "pinning" campaign. The pinning campaign aims to just pin what's actually in use right now, and the v7 bump is a fast follow up / separate PR.

Contributor


sounds good, thanks

@picatz picatz force-pushed the camper/unpinned-github-actions-finding-unpinned-github-actions-temporalio-api branch from cf8d0bc to 72e1563 Compare July 2, 2026 20:50