Skip to content

CI hardening: lint.yml pins reviewdog/action-cpplint@master (mutable branch) in a token-holding job #29710

Description

@kobihikri

Summary

.github/workflows/lint.yml pins a third-party action to a mutable branch — reviewdog/action-cpplint@master — in a job that passes it a token. Pinning to a full commit SHA would close a small supply-chain gap.

Details (at current HEAD)

lint.yml, the lint-cpp job:

- uses: reviewdog/action-cpplint@master   # line 110
  with:
    github_token: ${{ secrets.github_token }}   # line 113

reviewdog/action-cpplint's default_branch is master (a live, moving ref), and reviewdog is a third-party org. The sibling reviewdog steps in the same file are already tag-pinned (action-misspell@v1, action-shellcheck@v1.31.0), so @master is the one outlier.

Why it's worth pinning

If that upstream branch were compromised or force-moved (the class of thing that happened with tj-actions/changed-files in 2025), the injected code would run with the github_token in scope. Pinning to a full 40-char SHA (optionally with a version comment) removes that moving-target risk while keeping updates deliberate.

I checked open and closed issues/PRs and didn't find an existing one for this. I'm happy to open a small PR pinning it (I'd sign the CLA first) if that's welcome — or you may prefer to handle it directly.


Disclosure: I used an AI tool to help spot this; I verified the workflow and the action's default branch myself and take responsibility for it.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions