Summary
Two workflow files reference Azure/static-web-apps-deploy@v1 using a mutable tag. A mutable tag can be silently updated by the action owner at any time, meaning any new code pushed to that tag runs in CI with full repository access and secret exposure. Pinning to the exact commit SHA that the tag currently resolves to eliminates this vector. VS Code / actionlint flags these as problems in both files.
Priority
High
Acceptance criteria
Out of scope
- Pinning
actions/checkout, actions/setup-node, actions/cache — those are GitHub first-party actions with a stronger security posture and are out of scope for this issue
Summary
Two workflow files reference
Azure/static-web-apps-deploy@v1using a mutable tag. A mutable tag can be silently updated by the action owner at any time, meaning any new code pushed to that tag runs in CI with full repository access and secret exposure. Pinning to the exact commit SHA that the tag currently resolves to eliminates this vector. VS Code / actionlint flags these as problems in both files.Priority
High
Acceptance criteria
Azure/static-web-apps-deploy@v1in.github/workflows/cleanup-staging.yml(lines 22 and 32) replaced withAzure/static-web-apps-deploy@<sha> # v1Azure/static-web-apps-deploy@v1in.github/workflows/ci.yml(line 92) replaced with the same pinned refcleanup-staging.ymlOut of scope
actions/checkout,actions/setup-node,actions/cache— those are GitHub first-party actions with a stronger security posture and are out of scope for this issue