From bef852ad2578d2973f1b57ea32af254f38c40656 Mon Sep 17 00:00:00 2001
From: Jose Tomas Robles Hahn
Date: Fri, 1 Aug 2025 00:53:53 -0400
Subject: [PATCH 1/7] chore: Pin GitHub Action `super-linter/super-linter/slim` to commit hash
Pin `super-linter/super-linter/slim` to commit hash instead of tag to improve supply chain security.
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/9
---
 .github/workflows/super-linter.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
index a718b54..8585790 100644
--- a/.github/workflows/super-linter.yaml
+++ b/.github/workflows/super-linter.yaml
@@ -171,7 +171,7 @@ jobs: validate_yaml_prettier: ${{ inputs.validate_yaml_prettier }} - name: Lint
- uses: super-linter/super-linter/slim@v7.4.0
+ uses: super-linter/super-linter/slim@12150456a73e248bdc94d0794898f94e23127c88 # v7.4.0
env: DEFAULT_BRANCH: ${{ inputs.default_git_branch }} LINTER_RULES_PATH: /
From 3b282ff404d2935ad23338d9ca9d44ea728f684a Mon Sep 17 00:00:00 2001
From: Jose Tomas Robles Hahn
Date: Fri, 1 Aug 2025 01:21:31 -0400
Subject: [PATCH 2/7] fix: Potential code injection vulnerability in GitHub Actions workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix potential code injection vulnerability in GitHub Actions workflow, caused by using GitHub Actions inputs which may be controlled by an external user.
> Using user-controlled input in GitHub Actions may lead to code
> injection in contexts like `run:` or `script:`.
> The best practice to avoid code injection vulnerabilities in GitHub
> workflows is to set the untrusted input value of the expression to an
> intermediate environment variable and then use the environment
> variable using the native syntax of the shell/script interpreter […]
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/2
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/3
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/4
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/5
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/6
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/7
Resolves: https://github.com/cordada/github-actions-utils/security/code-scanning/8
---
 .github/workflows/super-linter.yaml | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
index 8585790..84d7ae6 100644
--- a/.github/workflows/super-linter.yaml
+++ b/.github/workflows/super-linter.yaml
@@ -121,31 +121,31 @@ jobs: done if [ "$validate_editorconfig" == 'true' ]; then
- echo "EDITORCONFIG_FILE_NAME=${{ inputs.editorconfig_file_name }}" >> "$GITHUB_ENV"
+ echo "EDITORCONFIG_FILE_NAME=${editorconfig_file_name}" >> "$GITHUB_ENV"
fi if [ "$validate_markdown" == 'true' ]; then
- echo "MARKDOWN_CONFIG_FILE=${{ inputs.markdown_config_file }}" >> "$GITHUB_ENV"
+ echo "MARKDOWN_CONFIG_FILE=${markdown_config_file}" >> "$GITHUB_ENV"
fi if [ "$validate_python_black" == 'true' ]; then
- echo "PYTHON_BLACK_CONFIG_FILE=${{ inputs.python_black_config_file }}" >> "$GITHUB_ENV"
+ echo "PYTHON_BLACK_CONFIG_FILE=${python_black_config_file}" >> "$GITHUB_ENV"
fi if [ "$validate_python_flake8" == 'true' ]; then
- echo "PYTHON_FLAKE8_CONFIG_FILE=${{ inputs.python_flake8_config_file }}" >> "$GITHUB_ENV"
+ echo "PYTHON_FLAKE8_CONFIG_FILE=${python_flake8_config_file}" >> "$GITHUB_ENV"
fi if [ "$validate_python_isort" == 'true' ]; then
- echo "PYTHON_ISORT_CONFIG_FILE=${{ inputs.python_isort_config_file }}" >> "$GITHUB_ENV"
+ echo "PYTHON_ISORT_CONFIG_FILE=${python_isort_config_file}" >> "$GITHUB_ENV"
fi if [ "$validate_python_mypy" == 'true' ]; then
- echo "PYTHON_MYPY_CONFIG_FILE=${{ inputs.python_mypy_config_file }}" >> "$GITHUB_ENV"
+ echo "PYTHON_MYPY_CONFIG_FILE=${python_mypy_config_file}" >> "$GITHUB_ENV"
fi if [ "$validate_sqlfluff" == 'true' ]; then
- echo "SQLFLUFF_CONFIG_FILE=${{ inputs.sql_sqlfluff_config_file }}" >> "$GITHUB_ENV"
+ echo "SQLFLUFF_CONFIG_FILE=${sql_sqlfluff_config_file}" >> "$GITHUB_ENV"
fi env: LANGUAGE_VAR_NAMES: >-
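Review bot: The new `echo "EDITORCONFIG_FILE_NAME=${editorconfig_file_name}" >> "$GITHUB_ENV"` line, and the six parallel lines below it in this hunk, close the shell-injection path but still append the raw input value to the environment file, which the runner reads line by line as `NAME=value`; an input containing a newline would therefore define additional environment variables for every later step of the job, including the Lint step. Since all seven inputs are config-file paths, a guard that rejects values containing a newline before the `if` chain completes the fix; a `NAME<<DELIM` heredoc write would also be safe but is more than a path needs. The `run:` block this hunk belongs to starts before the hunk (its first context line is the `done` of the existing loop), so the guard would sit at the top of the block next to that loop, reading each value by name from the step `env:`.
```yaml
        # … unchanged: LANGUAGE_VAR_NAMES loop ending in `done` …
        for name in editorconfig_file_name markdown_config_file python_black_config_file \
            python_flake8_config_file python_isort_config_file python_mypy_config_file \
            sql_sqlfluff_config_file; do
          if [[ "${!name}" == *$'\n'* ]]; then
            echo "::error::Input '${name}' must not contain a newline"
            exit 1
          fi
        done
        # … unchanged: per-linter if/echo chain …
```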
@@ -159,6 +159,13 @@ jobs: validate_python_mypy validate_sqlfluff validate_yaml_prettier
+ editorconfig_file_name: ${{ inputs.editorconfig_file_name }}
+ markdown_config_file: ${{ inputs.markdown_config_file }}
+ python_black_config_file: ${{ inputs.python_black_config_file }}
+ python_flake8_config_file: ${{ inputs.python_flake8_config_file }}
+ python_isort_config_file: ${{ inputs.python_isort_config_file }}
+ python_mypy_config_file: ${{ inputs.python_mypy_config_file }}
+ sql_sqlfluff_config_file: ${{ inputs.sql_sqlfluff_config_file }}
validate_editorconfig: ${{ inputs.validate_editorconfig }} validate_json_prettier: ${{ inputs.validate_json_prettier }} validate_markdown: ${{ inputs.validate_markdown }}
From 364f4ab000eb6becdb54395bc124970122fe2063 Mon Sep 17 00:00:00 2001
From: Jose Tomas Robles Hahn
Date: Thu, 19 Feb 2026 13:15:07 -0300
Subject: [PATCH 3/7] chore: Update Dependabot configuration
---
 .github/dependabot.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5faf158..cc70a1c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,13 +12,10 @@ version: 2 updates: - package-ecosystem: github-actions directory: /
- groups:
- github-actions-production:
- dependency-type: production
schedule: interval: monthly commit-message:
- prefix: "chore:"
+ prefix: "chore(deps):"
labels: - dependencies open-pull-requests-limit: 5
From 4a6202fcd262fe0c623606102b2c7b63ef314fa0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Feb 2026 16:18:03 +0000
Subject: [PATCH 4/7] chore(deps): Bump actions/checkout from 4 to 6.0.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6.0.2)
---
updated-dependencies:
- dependency-name: actions/checkout dependency-version: '6.0.2' dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/git-commit-lint.yaml | 2 +-
 .github/workflows/super-linter.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/git-commit-lint.yaml b/.github/workflows/git-commit-lint.yaml
index 9cd8af0..d8ba3cc 100644
--- a/.github/workflows/git-commit-lint.yaml
+++ b/.github/workflows/git-commit-lint.yaml
@@ -39,7 +39,7 @@ jobs: steps: - name: Check Out VCS Repository
- uses: actions/checkout@v4.1.1
+ uses: actions/checkout@v6.0.2
with: fetch-depth: 0
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
index 84d7ae6..308490c 100644
--- a/.github/workflows/super-linter.yaml
+++ b/.github/workflows/super-linter.yaml
@@ -107,7 +107,7 @@ jobs: steps: - name: Check Out VCS Repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v6.0.2
with: # Full git history is needed to get a proper list of changed files within `super-linter`. fetch-depth: 0
From cf3e1a7c25a38b8eba912c67083aab0a914a9c07 Mon Sep 17 00:00:00 2001
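Review bot: `uses: actions/checkout@v6.0.2` is a mutable tag reference, the same form patch 1 of this series replaced for super-linter in response to the supply-chain code-scanning alert; a tag can be re-pointed by whoever controls the action repository, whereas a full commit SHA cannot. The same applies to the second hunk of this patch (super-linter.yaml), to `actions/setup-node@v6.2.0` in patch 5 and to `actions/cache@v5.0.3` in patch 6, while patch 7 shows the intended form, `uses: super-linter/super-linter/slim@<sha> # v8.5.0`, which Dependabot keeps updated as long as the trailing version comment stays. Consider converting these three actions to SHA pins with the version in a comment, e.g. `uses: actions/checkout@<commit-sha-of-v6.0.2> # v6.0.2`, so both workflows follow one pinning policy.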
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Feb 2026 16:24:39 +0000
Subject: [PATCH 5/7] chore(deps): Bump actions/setup-node from 4.4.0 to 6.2.0
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4.4.0...v6.2.0)
---
updated-dependencies:
- dependency-name: actions/setup-node dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/git-commit-lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/git-commit-lint.yaml b/.github/workflows/git-commit-lint.yaml
index d8ba3cc..9c2e85c 100644
--- a/.github/workflows/git-commit-lint.yaml
+++ b/.github/workflows/git-commit-lint.yaml
@@ -45,7 +45,7 @@ jobs: - name: Set Up Node.js id: set_up_nodejs
- uses: actions/setup-node@v4.4.0
+ uses: actions/setup-node@v6.2.0
with: node-version: "lts/*"
From a4042e60147627f605a037ebde8387b3dd09a840 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Feb 2026 16:26:45 +0000
Subject: [PATCH 6/7] chore(deps): Bump actions/cache from 4.2.3 to 5.0.3
Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 5.0.3.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v4.2.3...v5.0.3)
---
updated-dependencies:
- dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/git-commit-lint.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/git-commit-lint.yaml b/.github/workflows/git-commit-lint.yaml
index 9c2e85c..39a2456 100644
--- a/.github/workflows/git-commit-lint.yaml
+++ b/.github/workflows/git-commit-lint.yaml
@@ -50,7 +50,7 @@ jobs: node-version: "lts/*" - name: Restoring/Saving Cache
- uses: actions/cache@v4.2.3
+ uses: actions/cache@v5.0.3
with: path: node_modules key: js-v2-deps-${{ runner.os }}-${{ steps.set_up_nodejs.outputs.node-version }}-${{ env.COMMITLINT_CLI_VERSION }}-${{ env.COMMITLINT_CONFIG_CORDADA_VERSION }}
From 2a07b9e2ff63c1e32511a0e9466ebed5eea03515 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 19 Feb 2026 16:29:04 +0000
Subject: [PATCH 7/7] chore(deps): Bump super-linter/super-linter from 7.4.0 to 8.5.0
Bumps [super-linter/super-linter](https://github.com/super-linter/super-linter) from 7.4.0 to 8.5.0.
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/super-linter/super-linter/compare/12150456a73e248bdc94d0794898f94e23127c88...61abc07d755095a68f4987d1c2c3d1d64408f1f9)
---
updated-dependencies:
- dependency-name: super-linter/super-linter dependency-version: 8.5.0 dependency-type: direct:production update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/super-linter.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/super-linter.yaml b/.github/workflows/super-linter.yaml
index 308490c..9f58a59 100644
--- a/.github/workflows/super-linter.yaml
+++ b/.github/workflows/super-linter.yaml
@@ -178,7 +178,7 @@ jobs: validate_yaml_prettier: ${{ inputs.validate_yaml_prettier }} - name: Lint
- uses: super-linter/super-linter/slim@12150456a73e248bdc94d0794898f94e23127c88 # v7.4.0
+ uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
env: DEFAULT_BRANCH: ${{ inputs.default_git_branch }} LINTER_RULES_PATH: /