Security Review Findings
This issue summarizes supply chain security concerns identified in this action and its dependencies.
Unpinned action references (High)
action.yml references child actions via mutable tags:
- uses: tesslio/setup-tessl@v1
- uses: oven-sh/setup-bun@v2
Tags can be force-pushed. Pin both to full 40-character commit SHAs to make the reference immutable.
Binary downloaded without checksum verification (Medium)
tesslio/setup-tessl downloads the Tessl CLI tarball from https://install.tessl.io and executes it with no SHA-256 or signature check. A compromised distribution server or intercepted download would result in arbitrary code execution in the CI runner with access to all secrets.
Recommendation: publish a SHA256SUMS file (ideally GPG/cosign-signed) alongside each release and verify it before extracting.
Remote version resolution from live script (Medium)
When version: latest, tesslio/setup-tessl fetches https://install.tessl.io/scripts/latest.sh at runtime to parse the current version. A tampered response could redirect the subsequent download to a malicious URL. Prefer the GitHub Releases API or require callers to pin a specific version.
No permissions: declaration (Medium)
The action passes GITHUB_TOKEN to its main script but declares no permissions: block, leaving callers reliant on their repo's default token scope (often broader than needed). The minimum required scope for posting PR comments is pull-requests: write. Please document this in the README and/or add a usage example with explicit permissions.
Missing LICENSE
The repository has no LICENSE file. Without one, the default copyright applies and users have no legal right to use, modify, or distribute the action. Please add an appropriate open-source license (e.g. MIT, Apache-2.0).
No security reporting mechanism
There is no SECURITY.md and no vulnerability disclosure policy. Please add a SECURITY.md describing how to report security issues privately (e.g. GitHub's private vulnerability reporting or a contact email) so researchers have a responsible disclosure path.
Security Review Findings
This issue summarizes supply chain security concerns identified in this action and its dependencies.
Unpinned action references (High)
action.ymlreferences child actions via mutable tags:Tags can be force-pushed. Pin both to full 40-character commit SHAs to make the reference immutable.
Binary downloaded without checksum verification (Medium)
tesslio/setup-tessldownloads the Tessl CLI tarball fromhttps://install.tessl.ioand executes it with no SHA-256 or signature check. A compromised distribution server or intercepted download would result in arbitrary code execution in the CI runner with access to all secrets.Recommendation: publish a
SHA256SUMSfile (ideally GPG/cosign-signed) alongside each release and verify it before extracting.Remote version resolution from live script (Medium)
When
version: latest,tesslio/setup-tesslfetcheshttps://install.tessl.io/scripts/latest.shat runtime to parse the current version. A tampered response could redirect the subsequent download to a malicious URL. Prefer the GitHub Releases API or require callers to pin a specific version.No
permissions:declaration (Medium)The action passes
GITHUB_TOKENto its main script but declares nopermissions:block, leaving callers reliant on their repo's default token scope (often broader than needed). The minimum required scope for posting PR comments ispull-requests: write. Please document this in the README and/or add a usage example with explicit permissions.Missing LICENSE
The repository has no LICENSE file. Without one, the default copyright applies and users have no legal right to use, modify, or distribute the action. Please add an appropriate open-source license (e.g. MIT, Apache-2.0).
No security reporting mechanism
There is no
SECURITY.mdand no vulnerability disclosure policy. Please add aSECURITY.mddescribing how to report security issues privately (e.g. GitHub's private vulnerability reporting or a contact email) so researchers have a responsible disclosure path.