Objective
Pin unpinned GitHub Actions to specific commit SHAs in daily-cli-performance.md and issue-monster.md to prevent supply chain attacks via tag mutation.
Context
Source: Static Analysis Report - 2026-03-22
Vulnerability: unpinned-uses — GitHub Actions used without pinning to a specific SHA, allowing supply chain attacks via tag mutation.
Affected files:
.github/workflows/daily-cli-performance.md
.github/workflows/issue-monster.md
The compiled daily-cli-performance.lock.yml contains:
uses: actions/github-script@v8
This action reference uses a mutable tag (@v8) rather than a pinned SHA.
Approach
- Find the current SHA for actions/github-script@v8:
  gh api repos/actions/github-script/git/refs/tags/v8
  # Or: git ls-remote https://github.com/actions/github-script refs/tags/v8
  Note that a tag ref may point at a tag object rather than at a commit. If the gh api response has object.type "tag", resolve its object.sha through repos/actions/github-script/git/tags/<sha> to reach the commit; git ls-remote --tags on the repository lists the dereferenced commit on a separate refs/tags/v8^{} line. A workflow pin must be the commit SHA, not the tag object's SHA.
- Update the action references in the .md source files to use the full SHA:
  uses: actions/github-script@SHA_HERE # v8
- Check whether the .md files specify these actions directly or whether the compiler generates them
- If compiler-generated, update the compiler template in pkg/workflow/ to pin to the SHA
- Run make recompile to regenerate the lock files
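The procedure above, as an added example in POSIX sh (this is not code from the gh-aw project or from the Plan Command output). It resolves a tag to its commit with git ls-remote rather than gh api, preferring the peeled refs/tags/TAG^{} entry so an annotated tag cannot yield a tag-object SHA; lists unpinned uses: lines in a workflow or lock file; and rewrites uses: ACTION@TAG to uses: ACTION@SHA # TAG while refusing anything that is not a full 40-character SHA. The function names, the demo lock-file fragment and the placeholder SHA are all constructed for the example; only resolve_tag_commit and pin_action need network access.

```shell
#!/bin/sh
# Added example, not code from the gh-aw project. Helpers for the pinning
# procedure: resolve a tag to its commit, find unpinned "uses:" refs in a
# workflow or lock file, and rewrite them as "ACTION@SHA # TAG".
# Assumes a POSIX sh with git, awk and grep; only resolve_tag_commit needs network.

# Print the 40-hex commit that OWNER/REPO's tag TAG points at. For an annotated
# tag the refs/tags/TAG line carries the tag object's SHA, so the peeled
# refs/tags/TAG^{} line (printed by ls-remote without --refs) is preferred.
# Listed without a pattern so the peeled line is always present when it exists.
resolve_tag_commit() {
  repo=$1 tag=$2
  git ls-remote --tags "https://github.com/$repo" |
    awk -v t="refs/tags/$tag" '
      $2 == (t "^{}") { peeled = $1 }
      $2 == t         { plain = $1 }
      END {
        if (peeled != "")     print peeled
        else if (plain != "") print plain
        else exit 1
      }'
}

# Succeed only for a full 40-character lowercase hex SHA (the acceptance criterion).
is_full_sha() {
  printf '%s' "$1" | grep -qE '^[0-9a-f]{40}$'
}

# Print (with line numbers) every "uses: OWNER/REPO@REF" line in FILE whose REF is
# not a full SHA. Local (./) and docker:// references are not action refs and are skipped.
unpinned_uses() {
  grep -nE 'uses:[[:space:]]*[^[:space:]]+@' "$1" |
    grep -vE 'uses:[[:space:]]*docker://' |
    grep -vE '@[0-9a-f]{40}([[:space:]]|$)'
}

# Rewrite "uses: ACTION@TAG" (nothing after the tag) in FILE to
# "uses: ACTION@SHA # TAG", keeping the tag as a comment for readability.
# Refuses to write anything that is not a full SHA, so a tag-object SHA or a
# short SHA cannot slip in. Uses index() rather than a regex, so the action
# name needs no escaping.
pin_uses() {
  file=$1 action=$2 tag=$3 sha=$4
  is_full_sha "$sha" || { echo "refusing to pin $action to non-SHA ref '$sha'" >&2; return 1; }
  tmp=$(mktemp) || return 1
  awk -v a="$action" -v t="$tag" -v s="$sha" '
    BEGIN { old = "uses: " a "@" t }
    {
      n = index($0, old)
      if (n && substr($0, n + length(old)) == "")
        print substr($0, 1, n - 1) "uses: " a "@" s " # " t
      else
        print
    }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Resolve TAG once, then pin ACTION@TAG in every file given. Network-dependent.
pin_action() {
  action=$1 tag=$2; shift 2
  sha=$(resolve_tag_commit "$action" "$tag") || { echo "cannot resolve $action@$tag" >&2; return 1; }
  for f in "$@"; do pin_uses "$f" "$action" "$tag" "$sha" || return 1; done
}

# Demonstration on a constructed lock-file fragment (not a real file from the
# repo); the SHAs below are made-up placeholders, not the real commit behind v8.
demo_lock=$(mktemp)
cat > "$demo_lock" <<'EOF'
steps:
  - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4
  - uses: actions/github-script@v8
  - uses: ./.github/actions/local
EOF
echo "before:"; unpinned_uses "$demo_lock"
pin_uses "$demo_lock" actions/github-script v8 0123456789abcdef0123456789abcdef01234567
echo "after:"; unpinned_uses "$demo_lock" || echo "  (none)"
cat "$demo_lock"; rm -f "$demo_lock"
```

Run unpinned_uses over the .lock.yml files first to confirm where the reference actually lives; if it only appears in compiled output, pinning the .md source alone will not survive the next make recompile, and the template under pkg/workflow/ is the place to change.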
Files to Investigate
.github/workflows/daily-cli-performance.md
.github/workflows/issue-monster.md
pkg/workflow/*.go — check if actions/github-script@v8 is hardcoded in compiler templates
Acceptance Criteria
- unpinned-uses for daily-cli-performance and issue-monster
- uses: references in the affected lock files point to full 40-character commit SHAs
- The tag comment (# v8) is preserved for readability
Generated by Plan Command for discussion #22240