fix: pin 6 actions to commit SHA, extract 12 expressions to env vars

[dagecko]

Re-submission of #34350. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from run: blocks into env: mappings.

• Pin 6 unpinned actions to full 40-character SHAs
• Add version comments for readability
• Extract 12 expressions from run blocks to env vars

Changes by file

File	Changes
code-simplifier.lock.yml	Pinned actions to SHA
cron-weekly.yml	Pinned actions to SHA
duplicate-code-detector.lock.yml	Pinned actions to SHA
generate-sandboxes.yml	Pinned actions to SHA
handle-release-branches.yml	Pinned actions to SHA
nx.yml	Pinned actions to SHA
publish.yml	Pinned actions to SHA
triage.yml	Pinned actions to SHA
trigger-circle-ci-workflow.yml	Pinned actions to SHA

A note on internal action pinning

This PR pins all actions including org-owned ones. Best practice is to pin everything — the tj-actions/changed-files attack was an internally maintained action that was compromised, and every repo referencing it by tag silently executed attacker code. That said, it's your codebase. If you'd prefer to leave org-owned actions unpinned, let us know and we'll adjust the PR.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

• SHA pinning: action@v3 becomes action@abc123 # v3 — original version preserved as comment
• Expression extraction: ${{ expr }} in run: moves to env: block, referenced as $ENV_VAR in the script
• No workflow logic, triggers, or permissions are modified

I put up some research on this on Twitter and a research site if you want more context. I wrote a scanner called Runner Guard and open sourced it here.

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)

Summary by CodeRabbit

• Chores
  • Improved CI/CD infrastructure security and build determinism by pinning GitHub Actions versions to specific commits across multiple workflows (checkout, publishing, releases, notifications, and branch management).
  • Enhanced credential security by migrating secret references from direct command interpolation to step-level environment variables for safer execution patterns.

[coderabbitai]

📝 Walkthrough

Walkthrough

Multiple GitHub Actions workflows are updated to pin external action versions to specific commit SHAs instead of floating semantic version tags, and to refactor secrets and GitHub context references from inline interpolation into step-level environment variables.

Changes

Cohort / File(s)

Summary

GitHub Actions Workflow Hardening .github/workflows/cron-weekly.yml, .github/workflows/generate-sandboxes.yml, .github/workflows/handle-release-branches.yml, .github/workflows/nx.yml, .github/workflows/publish.yml, .github/workflows/triage.yml, .github/workflows/trigger-circle-ci-workflow.yml

Across all workflows: pins external GitHub Actions (actions/checkout, gaurav-nelson/github-action-markdown-link-check, getsentry/action-release, balazsorban44/nissuer, fjogeleit/http-request-action, nrwl/nx-set-shas, notiz-dev/github-action-json-property) from floating version tags to specific commit SHAs while preserving version annotations. Moves secrets (DISCORD_MONITORING_URL, PAT_STORYBOOK_BOT, FRONTPAGE_HOOK, FRONTPAGE_ACCESS_TOKEN) and GitHub context references (github.ref) from inline shell interpolation into step-scoped env: blocks for improved security and consistency.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Adjust release GitHub workflow for v8 #33843: Modifies .github/workflows/publish.yml to introduce REF_NAME environment variable handling in the "Get target branch" step, directly related to the context variable extraction pattern applied here.
• Adjust release GitHub workflow for v7 #33846: Updates GitHub Actions workflows, including the publish workflow, with similar hardening patterns for branch/ref handling and action versioning.
• Release tooling: Use npm Trusted Publishing for canaries #32621: Modifies .github/workflows/publish.yml target branch and REF_NAME handling in publish steps, sharing the same refactoring pattern for environment variable extraction.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[huang-julien]

Hi 👋 nice catch. It's indeed better to switch to sha commit, thanks.

I left you a small comment.

[dagecko]

@huang-julien just circling back — the actions/checkout pin in cron-weekly.yml has been pushed. Let me know if there's anything else that needs attention.

- Chris

[huang-julien]

this is unpinned

[huang-julien]

This is an auto-generated file. It probably should not be touched, the fix should happen upstream. Otherwise, next generation will erase this PRs changes.

[huang-julien]

Same for code-simplifier.lock.yml

[dagecko]

Hey @huang-julien, good call on the lock files. You're right that those are gh-aw generated and the fix should happen upstream. We filed a report directly with the gh-aw team (github/gh-aw#24743) and they were great to work with, resolved it the same day. The fix is in the code generator itself so all downstream lock files will be hardened on the next generation.

They also incorporated our tool Runner Guard into gh-aw's pipeline (github/gh-aw#24749) as an additional layer of continuous analysis. If you're using gh-aw you can add --runner-guard to your compile command to get the same scanning on your workflows.

Happy to drop the 2 lock files from this PR so the other 7 workflow hardening fixes can go through cleanly. Let me know.

• Chris

[huang-julien]

Yup, please revert the changes on the gh aw files and then this should be good to merge. Thank you !

[coderabbitai]

🧹 Nitpick comments (1)

.github/workflows/handle-release-branches.yml (1)

51-53: Extraction of inline expressions is incomplete.

Several run: blocks still interpolate GitHub context / needs.* outputs directly into shell (line 52 uses steps.next-version.outputs.prop; lines 68–71 and 89 use needs.*.outputs.branch). For consistency with the rest of this PR's hardening and to keep the same defense-in-depth posture the PR aims for, consider moving these to step-level env: as well. The values flow from internal outputs (git refs / package.json version), so risk is low, but the extraction pattern should be uniform.

Also applies to: 66-71, 87-90

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/handle-release-branches.yml around lines 51 - 53, The run
block currently interpolates steps.next-version.outputs.prop inline (used to
build NEXT_RELEASE_BRANCH) and other run blocks reference needs.*.outputs.branch
directly; extract these outputs to step-level environment variables instead
(e.g., set an env entry like NEXT_RELEASE_PROP: ${{
steps.next-version.outputs.prop }} and branch outputs like SOME_BRANCH: ${{
needs.some_job.outputs.branch }}), then reference the env vars inside the run
scripts (use $NEXT_RELEASE_PROP / $SOME_BRANCH) so all GitHub context/output
interpolation is done in env:, updating the code that computes
NEXT_RELEASE_BRANCH and the run blocks that use needs.*.outputs.branch
accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/handle-release-branches.yml:
- Around line 51-53: The run block currently interpolates
steps.next-version.outputs.prop inline (used to build NEXT_RELEASE_BRANCH) and
other run blocks reference needs.*.outputs.branch directly; extract these
outputs to step-level environment variables instead (e.g., set an env entry like
NEXT_RELEASE_PROP: ${{ steps.next-version.outputs.prop }} and branch outputs
like SOME_BRANCH: ${{ needs.some_job.outputs.branch }}), then reference the env
vars inside the run scripts (use $NEXT_RELEASE_PROP / $SOME_BRANCH) so all
GitHub context/output interpolation is done in env:, updating the code that
computes NEXT_RELEASE_BRANCH and the run blocks that use needs.*.outputs.branch
accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 622f2c0a-7f52-444c-aa9d-a0030a3051b5

📥 Commits

Reviewing files that changed from the base of the PR and between 9074db1 and 486a136.

📒 Files selected for processing (1)

• .github/workflows/handle-release-branches.yml

[dagecko]

@huang-julien Apologies for the delay in getting back to you, pushing the fixes now:

1. 4d140ee — reverted code-simplifier.lock.yml to upstream (auto-generated by gh-aw)
2. 20889fc — reverted duplicate-code-detector.lock.yml to upstream (auto-generated by gh-aw)
3. 486a136f — pinned all 3 actions/checkout@v4 refs in handle-release-branches.yml to SHA, added missing trailing newline (the line 29 one you originally flagged, plus two others for consistency)

Should be good to go from our end. Thanks again for the patience on this one.

- Chris

[huang-julien]

Thank you for this PR !