Skip to content

ci: pin actions-hub/kubectl to a full commit SHA#3581

Open
kobihikri wants to merge 1 commit into
teableio:developfrom
kobihikri:harden/pin-kubectl-action
Open

ci: pin actions-hub/kubectl to a full commit SHA#3581
kobihikri wants to merge 1 commit into
teableio:developfrom
kobihikri:harden/pin-kubectl-action

Conversation

@kobihikri

Copy link
Copy Markdown

What

Pin actions-hub/kubectl@master0456ef3… in manual-preview.yml (×3) and preview-cleanup.yml
(tag kept in a comment).

Why

These deploy/cleanup steps set KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }} — a full Kubernetes kubeconfig
— in the environment of a third-party action pinned to the moving @master ref. If that action's
master were moved (compromise or an accidental change), the new code would run in the runner with
cluster credentials present — the class of issue behind the 2025 tj-actions/changed-files incident,
here with Kubernetes cluster access. Pinning to a SHA removes that.

Scope / safety

Behaviour unchanged (SHA = current tip of master). Signed-off. Per GitHub's pin-to-SHA guidance.

AI-assisted; I verified the workflows, the KUBE_CONFIG exposure, and the pinned SHA myself.

The preview deploy/cleanup jobs pass a full Kubernetes kubeconfig
(secrets.KUBE_CONFIG) to actions-hub/kubectl, which is referenced by the mutable
@master tag (manual-preview.yml x3, preview-cleanup.yml x1). Pin it to the
current master commit SHA so a moved tag can't run unreviewed code with cluster
credentials in scope. Behaviour unchanged; per GitHub's pin-to-SHA guidance.

Signed-off-by: Kobi Hikri <kobi.hikri@gmail.com>
@CLAassistant

CLAassistant commented Jul 13, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants