From 3ec27ada8aa1abbf0e599c86ce829098add736ab Mon Sep 17 00:00:00 2001
From: dagecko
Date: Thu, 2 Apr 2026 18:06:23 -0400
Subject: [PATCH] security(cicd): Pinned dependency versions and extract 2 unsafe expressions to env vars (PR #1297)
---
 .github/workflows/readme-updater.yml | 4 +++-
 .github/workflows/remote-wordlists-updater.yml | 5 ++++-
 .github/workflows/wordlist-updater_api-endpoints-res.yml | 2 +-
 ...ater_awesome-list-of-secrets-in-environment-variables.yml | 2 +-
 .github/workflows/wordlist-updater_combined_directories.yml | 2 +-
 .github/workflows/wordlist-updater_combined_words.yml | 2 +-
 .github/workflows/wordlist-updater_default-passwords.yml | 2 +-
 .github/workflows/wordlist-updater_fuzzing_etc_files.yml | 2 +-
 8 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/readme-updater.yml b/.github/workflows/readme-updater.yml
index 13d8a1eab..205df88d4 100644
--- a/.github/workflows/readme-updater.yml
+++ b/.github/workflows/readme-updater.yml
@@ -29,10 +29,12 @@ jobs:
 else
 echo "[+] Files were changed! Pushing changed..."
 git add -A
- git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+ git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY"
 git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git config --local user.name "github-actions[bot]"
 git commit -m "[Github Action] Automated readme update."
 git push
 fi
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/remote-wordlists-updater.yml b/.github/workflows/remote-wordlists-updater.yml
index 40e9184ae..92f621a27 100644
--- a/.github/workflows/remote-wordlists-updater.yml
+++ b/.github/workflows/remote-wordlists-updater.yml
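Review bot: The token still ends up in the remote URL on the `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY"` line, so it is written to `.git/config` in the workspace and stays readable by everything that runs afterwards in the job; moving the expression into `env:` only changes how the value reaches the shell. If the checkout step (outside this hunk) is `actions/checkout` with its default `persist-credentials`, `git push` already authenticates and the `set-url` line can probably be dropped. Otherwise restore the plain URL after the push, e.g. `git remote set-url origin "https://github.com/$GITHUB_REPOSITORY"`. The same change in remote-wordlists-updater.yml has the same issue, and since the step begins outside both hunks it is worth confirming that the new `env:` key sits at step level rather than job level.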
@@ -35,9 +35,12 @@ jobs:
 git add --renormalize -A && git add -A
 chmod +x ./.bin/brute-force-renormalize.sh
 ./.bin/brute-force-renormalize.sh ./Discovery/Web-Content/trickest-robots-disallowed-wordlists/top-10000.txt
- git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+ git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY"
 git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
 git config --local user.name "github-actions[bot]"
 git commit -m "[Github Action] Automated trickest wordlists update."
 git push
 fi
+
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/wordlist-updater_api-endpoints-res.yml b/.github/workflows/wordlist-updater_api-endpoints-res.yml
index 9a7c09c21..2909b47fa 100644
--- a/.github/workflows/wordlist-updater_api-endpoints-res.yml
+++ b/.github/workflows/wordlist-updater_api-endpoints-res.yml
@@ -32,7 +32,7 @@ jobs:
 - name: Commit changed files
 run: git commit -m "[Github Action] Updated api-endpoints-res.txt"
 - name: Push changes # push the output folder to your repo
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 force: true
diff --git a/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml b/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml
index 2cb237267..778c7ea2d 100644
--- a/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml
+++ b/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml
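Review bot: The trailing `# master` on `uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master` names a moving branch, so a reader cannot tell which release this commit corresponds to and update tooling that reads the comment has no version to compare against. Pin to the commit of a tagged release and record the tag, in the form `uses: ad-m/github-push-action@<release-commit-sha> # <release-tag>` (placeholders; the page does not show which release was reviewed). The identical line is added in the awesome-list-of-secrets-in-environment-variables, combined_directories, combined_words, default-passwords and fuzzing_etc_files workflows. The step keeps `force: true`, so the pinned code runs with force-push rights on the repository; that makes it worth stating in the PR how the SHA was verified.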
@@ -35,7 +35,7 @@ jobs:
 - name: Push changes # push the output folder to your repo
 if: steps.myoutputs.outputs.gitstatus != ''
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 force: true
diff --git a/.github/workflows/wordlist-updater_combined_directories.yml b/.github/workflows/wordlist-updater_combined_directories.yml
index 1d9ffa278..84b60189c 100644
--- a/.github/workflows/wordlist-updater_combined_directories.yml
+++ b/.github/workflows/wordlist-updater_combined_directories.yml
@@ -37,7 +37,7 @@ jobs:
 - name: Commit changed files
 run: git commit -m "[Github Action] Updated combined_directories.txt"
 - name: Push changes # push the output folder to your repo
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 force: true
diff --git a/.github/workflows/wordlist-updater_combined_words.yml b/.github/workflows/wordlist-updater_combined_words.yml
index 6df26b487..39fbb5c80 100644
--- a/.github/workflows/wordlist-updater_combined_words.yml
+++ b/.github/workflows/wordlist-updater_combined_words.yml
@@ -33,7 +33,7 @@ jobs:
 - name: Commit changed files
 run: git commit -m "[Github Action] Updated combined_words.txt"
 - name: Push changes # push the output folder to your repo
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 force: true
diff --git a/.github/workflows/wordlist-updater_default-passwords.yml b/.github/workflows/wordlist-updater_default-passwords.yml
index dd8fcfc9a..ff693a9ce 100644
--- a/.github/workflows/wordlist-updater_default-passwords.yml
+++ b/.github/workflows/wordlist-updater_default-passwords.yml
@@ -46,7 +46,7 @@ jobs:
 - name: Commit changed files
 run: git commit -m "[Github Action] Updated default-passwords.txt"
 - name: Push changes
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 force: true
diff --git a/.github/workflows/wordlist-updater_fuzzing_etc_files.yml b/.github/workflows/wordlist-updater_fuzzing_etc_files.yml
index 923257f57..969d3dd97 100644
--- a/.github/workflows/wordlist-updater_fuzzing_etc_files.yml
+++ b/.github/workflows/wordlist-updater_fuzzing_etc_files.yml
@@ -43,7 +43,7 @@ jobs:
 - name: Push changes # push the output folder to your repo
 if: steps.myoutputs.outputs.gitstatus != ''
- uses: ad-m/github-push-action@master
+ uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 force: true