Summary
The .github/workflows/run-publish.yml workflow uses outdated GitHub Action versions, which increases supply-chain risk if those pinned major versions receive breaking or malicious updates.
Severity: MEDIUM
Outdated Actions
| Action |
Current |
Recommended |
actions/checkout |
@v3 |
@v4 |
docker/setup-qemu-action |
@v2 |
@v3 |
docker/setup-buildx-action |
@v2 |
@v3 |
docker/login-action |
@v2 |
@v3 |
docker/metadata-action |
@v4 |
@v5 |
docker/build-push-action |
@v3 |
@v5 |
Note: The lint, unit test, and e2e workflows already use actions/checkout@v4 and actions/setup-node@v4 — only the publish workflow is behind.
Remediation
Update .github/workflows/run-publish.yml to use the versions above. For stronger supply-chain protection, consider pinning to commit SHAs (see intercom-manager#235 for the equivalent backend issue).
References
Summary
The
.github/workflows/run-publish.ymlworkflow uses outdated GitHub Action versions, which increases supply-chain risk if those pinned major versions receive breaking or malicious updates.Severity: MEDIUM
Outdated Actions
actions/checkout@v3@v4docker/setup-qemu-action@v2@v3docker/setup-buildx-action@v2@v3docker/login-action@v2@v3docker/metadata-action@v4@v5docker/build-push-action@v3@v5Note: The lint, unit test, and e2e workflows already use
actions/checkout@v4andactions/setup-node@v4— only the publish workflow is behind.Remediation
Update
.github/workflows/run-publish.ymlto use the versions above. For stronger supply-chain protection, consider pinning to commit SHAs (see intercom-manager#235 for the equivalent backend issue).References