fix: pin 6 unpinned action(s),extract 1 unsafe expression(s) to env vars

dagecko · dagecko · commit f61dfed407c4 · 2026-04-03T22:01:34.000-04:00
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/label-commenter.yml | 2 +- .github/workflows/labeler.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 6 +++--- .github/workflows/update-major-tag.yml | 5 ++++- 5 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/label-commenter.yml b/.github/workflows/label-commenter.yml
@@ -22,6 +22,6 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Label Commenter
-        uses: peaceiris/actions-label-commenter@v1
+        uses: peaceiris/actions-label-commenter@f0dbbef043eb1b150b566db36b0bdc8b7f505579 # v1
         env:
           RUNNER_DEBUG: 1
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -10,7 +10,7 @@ jobs:
     permissions: {}
     steps:
       # https://github.com/peaceiris/actions-github-app-token
-      - uses: peaceiris/actions-github-app-token@v1.1.6
+      - uses: peaceiris/actions-github-app-token@652b86006ad2c113bdd5c478c9a98f359829847b # v1.1.6
         id: app
         with:
           app_id: ${{ secrets.GH_APP_ID }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       # https://github.com/peaceiris/workflows/blob/main/create-release-npm/action.yml
-      - uses: peaceiris/workflows/create-release-npm@v0.20.1
+      - uses: peaceiris/workflows/create-release-npm@344651af76054dbb5c8231c3d0a18b109c029630 # v0.20.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -29,7 +29,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: peaceiris/workflows/setup-node@v0.20.1
+      - uses: peaceiris/workflows/setup-node@344651af76054dbb5c8231c3d0a18b109c029630 # v0.20.1
         with:
           node-version-file: ".nvmrc"
 
@@ -66,7 +66,7 @@ jobs:
           name: coverage-${{ matrix.os }}
           path: coverage
 
-      - uses: codecov/codecov-action@v4
+      - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
 
       - name: Run ncc
         run: npm run build
@@ -79,7 +79,7 @@ jobs:
 
       - name: Setup mdBook
         if: ${{ github.ref == 'refs/heads/main' }}
-        uses: peaceiris/actions-mdbook@v1.2.0
+        uses: peaceiris/actions-mdbook@adeb05db28a0c0004681db83893d56c0388ea9ea # v1.2.0
         with:
           mdbook-version: '0.4.5'
 
diff --git a/.github/workflows/update-major-tag.yml b/.github/workflows/update-major-tag.yml
@@ -15,8 +15,11 @@ jobs:
         run: |
           git config user.name "${GITHUB_ACTOR}"
           git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git remote set-url origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${GITHUB_REPOSITORY}.git"
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
           export TAG_NAME="${GITHUB_REF##refs/tags/}"
           export TAG_MAJOR="${TAG_NAME%%.*}"
           git tag --force -a "${TAG_MAJOR}" -m "Release ${TAG_NAME}"
           git push --force origin "${TAG_MAJOR}"
+
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
