security(cicd): Pinned dependency versions and extract 2 unsafe expressions to env vars (PR #1297)

2026-05-08 04:28:07 +02:00 · 2026-04-02 18:06:23 -04:00 · 2026-04-02 18:06:23 -04:00 · 3ec27ada8a
commit 3ec27ada8a
parent fc95bad011
8 changed files with 13 additions and 8 deletions
--- a/.github/workflows/readme-updater.yml
+++ b/.github/workflows/readme-updater.yml
@ -29,10 +29,12 @@ jobs:
          else
              echo "[+] Files were changed! Pushing changed..."
              git add -A
-              git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+              git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY"
              git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
              git config --local user.name "github-actions[bot]"
              git commit -m "[Github Action] Automated readme update."
              git push
          fi

+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/remote-wordlists-updater.yml
+++ b/.github/workflows/remote-wordlists-updater.yml
@ -35,9 +35,12 @@ jobs:
              git add --renormalize -A && git add -A
              chmod +x ./.bin/brute-force-renormalize.sh
              ./.bin/brute-force-renormalize.sh ./Discovery/Web-Content/trickest-robots-disallowed-wordlists/top-10000.txt
-              git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+              git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY"
              git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
              git config --local user.name "github-actions[bot]"
              git commit -m "[Github Action] Automated trickest wordlists update."
              git push
          fi
+
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/wordlist-updater_api-endpoints-res.yml
+++ b/.github/workflows/wordlist-updater_api-endpoints-res.yml
@ -32,7 +32,7 @@ jobs:
      - name: Commit changed files
        run: git commit -m "[Github Action] Updated api-endpoints-res.txt"
      - name: Push changes # push the output folder to your repo
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          force: true
--- a/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml
+++ b/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml
@ -35,7 +35,7 @@ jobs:

      - name: Push changes # push the output folder to your repo
        if: steps.myoutputs.outputs.gitstatus != ''
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          force: true
--- a/.github/workflows/wordlist-updater_combined_directories.yml
+++ b/.github/workflows/wordlist-updater_combined_directories.yml
@ -37,7 +37,7 @@ jobs:
      - name: Commit changed files
        run: git commit -m "[Github Action] Updated combined_directories.txt"
      - name: Push changes # push the output folder to your repo
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          force: true
--- a/.github/workflows/wordlist-updater_combined_words.yml
+++ b/.github/workflows/wordlist-updater_combined_words.yml
@ -33,7 +33,7 @@ jobs:
      - name: Commit changed files
        run: git commit -m "[Github Action] Updated combined_words.txt"
      - name: Push changes # push the output folder to your repo
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          force: true
--- a/.github/workflows/wordlist-updater_default-passwords.yml
+++ b/.github/workflows/wordlist-updater_default-passwords.yml
@ -46,7 +46,7 @@ jobs:
      - name: Commit changed files
        run: git commit -m "[Github Action] Updated default-passwords.txt"
      - name: Push changes
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          force: true
--- a/.github/workflows/wordlist-updater_fuzzing_etc_files.yml
+++ b/.github/workflows/wordlist-updater_fuzzing_etc_files.yml
@ -43,7 +43,7 @@ jobs:

      - name: Push changes # push the output folder to your repo
        if: steps.myoutputs.outputs.gitstatus != ''
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          force: true