Summary
.github/workflows/lint.yml pins a third-party action to a mutable branch — reviewdog/action-cpplint@master — in a job that passes it a token. Pinning to a full commit SHA would close a small supply-chain gap.
Details (at current HEAD)
lint.yml, the lint-cpp job:
- uses: reviewdog/action-cpplint@master # line 110
with:
github_token: ${{ secrets.github_token }} # line 113
reviewdog/action-cpplint's default_branch is master (a live, moving ref), and reviewdog is a third-party org. The sibling reviewdog steps in the same file are already tag-pinned (action-misspell@v1, action-shellcheck@v1.31.0), so @master is the one outlier.
Why it's worth pinning
If that upstream branch were compromised or force-moved (the class of thing that happened with tj-actions/changed-files in 2025), the injected code would run with the github_token in scope. Pinning to a full 40-char SHA (optionally with a version comment) removes that moving-target risk while keeping updates deliberate.
I checked open and closed issues/PRs and didn't find an existing one for this. I'm happy to open a small PR pinning it (I'd sign the CLA first) if that's welcome — or you may prefer to handle it directly.
Disclosure: I used an AI tool to help spot this; I verified the workflow and the action's default branch myself and take responsibility for it.
Summary
.github/workflows/lint.ymlpins a third-party action to a mutable branch —reviewdog/action-cpplint@master— in a job that passes it a token. Pinning to a full commit SHA would close a small supply-chain gap.Details (at current HEAD)
lint.yml, thelint-cppjob:reviewdog/action-cpplint'sdefault_branchismaster(a live, moving ref), andreviewdogis a third-party org. The sibling reviewdog steps in the same file are already tag-pinned (action-misspell@v1,action-shellcheck@v1.31.0), so@masteris the one outlier.Why it's worth pinning
If that upstream branch were compromised or force-moved (the class of thing that happened with
tj-actions/changed-filesin 2025), the injected code would run with thegithub_tokenin scope. Pinning to a full 40-char SHA (optionally with a version comment) removes that moving-target risk while keeping updates deliberate.I checked open and closed issues/PRs and didn't find an existing one for this. I'm happy to open a small PR pinning it (I'd sign the CLA first) if that's welcome — or you may prefer to handle it directly.
Disclosure: I used an AI tool to help spot this; I verified the workflow and the action's default branch myself and take responsibility for it.