Skip to content

feat: add GitHub Actions for Sentry, Cloudflare, StatsIG, and more #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
simsteward wants to merge 2 commits into
base: main
Choose a base branch
from

security: pin all GitHub Actions to commit SHAs

57e0b88
Select commit
Loading
Failed to load commit list.
Open

feat: add GitHub Actions for Sentry, Cloudflare, StatsIG, and more #21

security: pin all GitHub Actions to commit SHAs
57e0b88
Select commit
Loading
Failed to load commit list.
GitHub Advanced Security / Semgrep OSS failed Mar 25, 2026 in 2s

2 new alerts including 2 errors

New alerts in code changed by this pull request

  • 2 errors

See annotations below for details.

View all branch alerts.

Annotations

Check failure on line 49 in .github/workflows/statsig-gate-check.yml

See this annotation in the file changed.

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection Error

Using variable interpolation ${...} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

Check failure on line 54 in .github/workflows/statsig-gate-check.yml

See this annotation in the file changed.

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection Error

Using variable interpolation ${...} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".