From a3f7e723219b2e295eeb6eaf1fabaa9ed6a0d961 Mon Sep 17 00:00:00 2001 From: Mario Minardi Date: Mon, 23 Sep 2024 16:11:13 -0600 Subject: [PATCH] .github: use and pin slackapi/slack-github-action to latest 1.x (#13554) Use slackapi/slack-github-action across the board and pin to latest 1.x. Previously we were referencing the 1.27.0 tag directly which is vulnerable to someone replacing that version tag with malicious code. Replace usage of ruby/action-slack with slackapi/slack-github-action as the latter is the officially supported action from slack. Updates #cleanup Signed-off-by: Mario Minardi --- .github/workflows/govulncheck.yml | 2 +- .github/workflows/test.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index a4b298f54..4a5ad54f3 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -24,7 +24,7 @@ jobs: - name: Post to slack if: failure() && github.event_name == 'schedule' - uses: slackapi/slack-github-action@v1.24.0 + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 env: SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }} with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b36e0522b..7691b9ae8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -559,7 +559,7 @@ jobs: # By having the job always run, but skipping its only step as needed, we # let the CI output collapse nicely in PRs. if: failure() && github.event_name == 'push' - uses: ruby/action-slack@v3.2.1 + uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 with: payload: | { @@ -574,6 +574,7 @@ jobs: } env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK check_mergeability: if: always()