security(cicd): Pinned dependency versions and extract 2 unsafe expressions to env vars (PR #1297)

dagecko · web-flow · commit 3ec27ada8aa1 · 2026-04-02T19:06:23.000-03:00
diff --git a/.github/workflows/readme-updater.yml b/.github/workflows/readme-updater.yml
@@ -29,10 +29,12 @@ jobs:
           else
               echo "[+] Files were changed! Pushing changed..."
               git add -A
-              git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+              git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY"
               git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
               git config --local user.name "github-actions[bot]"
               git commit -m "[Github Action] Automated readme update."
               git push
           fi
 
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/remote-wordlists-updater.yml b/.github/workflows/remote-wordlists-updater.yml
@@ -35,9 +35,12 @@ jobs:
               git add --renormalize -A && git add -A
               chmod +x ./.bin/brute-force-renormalize.sh
               ./.bin/brute-force-renormalize.sh ./Discovery/Web-Content/trickest-robots-disallowed-wordlists/top-10000.txt
-              git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+              git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/$GITHUB_REPOSITORY"
               git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
               git config --local user.name "github-actions[bot]"
               git commit -m "[Github Action] Automated trickest wordlists update."
               git push
           fi
+
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/wordlist-updater_api-endpoints-res.yml b/.github/workflows/wordlist-updater_api-endpoints-res.yml
@@ -32,7 +32,7 @@ jobs:
       - name: Commit changed files
         run: git commit -m "[Github Action] Updated api-endpoints-res.txt"
       - name: Push changes # push the output folder to your repo
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           force: true
diff --git a/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml b/.github/workflows/wordlist-updater_awesome-list-of-secrets-in-environment-variables.yml
@@ -35,7 +35,7 @@ jobs:
 
       - name: Push changes # push the output folder to your repo
         if: steps.myoutputs.outputs.gitstatus != ''
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           force: true
diff --git a/.github/workflows/wordlist-updater_combined_directories.yml b/.github/workflows/wordlist-updater_combined_directories.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Commit changed files
         run: git commit -m "[Github Action] Updated combined_directories.txt"
       - name: Push changes # push the output folder to your repo
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           force: true
diff --git a/.github/workflows/wordlist-updater_combined_words.yml b/.github/workflows/wordlist-updater_combined_words.yml
@@ -33,7 +33,7 @@ jobs:
       - name: Commit changed files
         run: git commit -m "[Github Action] Updated combined_words.txt"
       - name: Push changes # push the output folder to your repo
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           force: true
diff --git a/.github/workflows/wordlist-updater_default-passwords.yml b/.github/workflows/wordlist-updater_default-passwords.yml
@@ -46,7 +46,7 @@ jobs:
       - name: Commit changed files
         run: git commit -m "[Github Action] Updated default-passwords.txt"
       - name: Push changes
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           force: true
diff --git a/.github/workflows/wordlist-updater_fuzzing_etc_files.yml b/.github/workflows/wordlist-updater_fuzzing_etc_files.yml
@@ -43,7 +43,7 @@ jobs:
 
       - name: Push changes # push the output folder to your repo
         if: steps.myoutputs.outputs.gitstatus != ''
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # master
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           force: true
