
Conversation

@Maffooch
Contributor

The original introduction of this action did not pin to a specific commit hash or version intentionally. This PR restores that decision.

@dryrunsecurity

DryRun Security

This pull request uses a GitHub Action (DefectDojo-Inc/notify-pr-reviewers-action) without pinning it to a specific commit SHA or version tag, which allows version floating and increases supply-chain risk if the action is compromised. Pin the action to a specific commit or tagged release to prevent accidental execution of malicious updates.

Insecure Dependency Management in GitHub Actions in .github/workflows/slack-pr-reminder.yml
Vulnerability: Insecure Dependency Management in GitHub Actions
Description: The GitHub Actions workflow uses 'DefectDojo-Inc/notify-pr-reviewers-action' without pinning it to a specific version (e.g., a commit SHA or a version tag like @v1). This practice, known as version floating, exposes the CI/CD pipeline to supply chain attacks. If the action's repository is compromised or a malicious update is pushed, this workflow will automatically execute the potentially harmful code, which could lead to secret exfiltration or other compromises.

uses: DefectDojo-Inc/notify-pr-reviewers-action # Do not use a specific version to always get the latest updates
with:
  owner: "DefectDojo"
  repository: "django-DefectDojo"


All finding details can be found in the DryRun Security Dashboard.
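The finding above describes a check a reviewer can run by hand on any workflow: look at each `uses:` line and ask whether the reference can move. As an added example (not part of this PR, the DefectDojo code base, or the DryRun tool), the script below scans workflow text and classifies every `uses:` reference: no `@ref` at all, a tag or branch (both float), a full 40-hex commit SHA (immutable), a local `./` path (not a remote dependency), or a `docker://` image (pinned by digest, a separate check). It also shows the conventional pinned form, `owner/repo@<sha> # <version>`. The sample workflow, the `example-org/*` actions, and the SHA `0123456789abcdef0123456789abcdef01234567` are constructed placeholders; only the `notify-pr-reviewers-action` line is taken from the finding.

```python
"""Flag floating (unpinned) GitHub Actions references in a workflow file.

Added example, not project code. A `uses:` reference floats when it has no
@ref at all, or when the ref is a tag or branch that upstream (or whoever
holds upstream's credentials) can move. Only a full commit SHA is immutable.
"""
import re
from dataclasses import dataclass
from typing import List

# `- uses: owner/repo[/path][@ref]   # optional trailing comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

FLOATING = {"unpinned", "tag-or-branch"}


@dataclass
class UsesRef:
    line_no: int
    reference: str
    status: str  # sha | tag-or-branch | unpinned | local | docker
    comment: str


def classify(reference: str) -> str:
    """Return how a `uses:` reference is pinned."""
    if reference.startswith("./"):
        return "local"      # path inside the checked-out repo, not a remote dependency
    if reference.startswith("docker://"):
        return "docker"     # images pin by @sha256: digest; out of scope here
    if "@" not in reference:
        return "unpinned"   # no ref at all: the case flagged on this PR
    _, ref = reference.rsplit("@", 1)
    return "sha" if SHA_RE.match(ref) else "tag-or-branch"


def scan_workflow(text: str) -> List[UsesRef]:
    """Collect every `uses:` reference in the workflow text with its pin status."""
    found = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            found.append(UsesRef(n, ref, classify(ref), (m.group(2) or "").strip()))
    return found


def floating_references(text: str) -> List[str]:
    """The references a reviewer would ask to have pinned to a commit SHA."""
    return [u.reference for u in scan_workflow(text) if u.status in FLOATING]


def pin_reference(reference: str, commit_sha: str, version_label: str) -> str:
    """Rewrite `owner/repo[@ref]` to `owner/repo@<sha> # <label>`.

    The trailing comment keeps the human-readable version next to the SHA,
    the usual convention so reviewers can see which release the SHA is.
    """
    if not SHA_RE.match(commit_sha):
        raise ValueError("commit_sha must be a full 40-character hex SHA")
    action = reference.split("@", 1)[0]
    return f"{action}@{commit_sha} # {version_label}"


# Constructed sample (not the real slack-pr-reminder.yml). The notify-pr-reviewers
# line is the one quoted in the finding; example-org actions and the SHA are placeholders.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # not a real commit
SAMPLE_WORKFLOW = """\
jobs:
  remind:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/setup-tool@v3
      - uses: DefectDojo-Inc/notify-pr-reviewers-action # Do not use a specific version to always get the latest updates
        with:
          owner: "DefectDojo"
          repository: "django-DefectDojo"
      - uses: example-org/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: example-org/deploy-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: docker://example.invalid/tool:1.0
"""

if __name__ == "__main__":
    for u in scan_workflow(SAMPLE_WORKFLOW):
        flag = "FLOATING" if u.status in FLOATING else "ok"
        print(f"line {u.line_no:>2} {flag:<8} {u.status:<14} {u.reference}")
    print(pin_reference("example-org/setup-tool@v3", PLACEHOLDER_SHA, "v3"))
```

Run against a real workflow with `scan_workflow(open(".github/workflows/x.yml").read())`; a tag such as `@v1` is reported as floating on purpose, since a tag is a movable pointer and only the SHA form is immutable.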

@Maffooch Maffooch closed this Oct 29, 2025
@Maffooch Maffooch reopened this Oct 29, 2025
Contributor

@mtesauro mtesauro left a comment


Approved.

This will fix a PR reviewer tool we wrote, so thanks for catching this whoops @Maffooch

@Maffooch
Contributor Author

Merging as this is a dep update with 2 approvals.

@Maffooch Maffooch merged commit 059e304 into master Oct 30, 2025
173 of 183 checks passed
@Maffooch Maffooch deleted the notify-pr-pin-removal branch October 30, 2025 14:53


4 participants