AntFleet

Disagreement · eb14fff2-openai-2

Actions not pinned to commit SHAs (supply-chain risk)

solo GPT-5
repo 6f7fc663·PR #2·reviewed 1 week ago

GPT-5 finding

Actions not pinned to commit SHAs (supply-chain risk)

medium · security · high
  • .github/workflows/messages.yml:168-170
  • .github/workflows/messages.yml:178-182
Using mutable major/minor tags can lead to unexpected code execution if a tag is moved or compromised. Pinning to specific SHAs reduces this risk.

Recommendation

Pin to verified commit SHAs for each action version, e.g.:

  - uses: actions/checkout@<commit-sha>
  - uses: actions/setup-node@<commit-sha>

Regularly review and bump SHAs to known-good releases.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
