fix: pin 4 unpinned action(s),extract 3 unsafe expression(s) to env vars #157
Merged
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
.github/workflows/e2e-tests.yml | 26 +++++++++++++++-----------
.github/workflows/lint-and-test.yml | 2 +-
.github/workflows/ok-to-test.yml | 2 +-
.github/workflows/pr-check-signed-commits.yml | 2 +-
.github/workflows/test-e2e.yml | 6 ++++--
5 files changed, 22 insertions(+), 16 deletions(-)
JillRegan approved these changes May 14, 2026
onap-github pushed a commit to onap/policy-drools-pdp that referenced this pull request Jun 15, 2026
## Release notes

Sourced from 1password/load-secrets-action's releases.

v4.0.1

What's Changed

Fix
- Fixed a Windows specific issue where 1Password CLI installation could fail because the downloaded archive lacked a .zip extension required by PowerShell’s archive extraction fallback. (#154)
- Bump actions/checkout from v5 to v6 in CI workflows. (#156)

Security
- Harden GitHub Actions workflows by pinning external actions to immutable commit SHAs. (#157)

Docs
- Add 1Password API Terms of Service notice to the README (#166)

New Contributors
- @dagecko made their first contribution in 1Password/load-secrets-action#157
- @superteppo made their first contribution in 1Password/load-secrets-action#154
- @libutcher made their first contribution in 1Password/load-secrets-action#166

Full Changelog: 1Password/load-secrets-action@v4.0.0...v4.0.1

## Commits

- 3a12b0a Merge pull request #167 from 1Password/release/v4.0.1
- 0f0cd1b create new build
- be2f36b Add Terms of Service to README (#166)
- 908aabf Merge pull request #154 from superteppo/main
- cc166c6 Merge pull request #157 from dagecko/runner-guard/fix-ci-security
- 080cd2d Merge branch '1Password:main' into main
- 2a321c3 fix: pin 4 unpinned action(s),extract 3 unsafe expression(s) to env vars
- 2a9101f Merge pull request #156 from 1Password/jill/bump-actions
- 5b18565 bump actions
- a763b8d fix installer error on windows
- See full diff in compare view

Issue-ID: CIMAN-33
Signed-off-by: dependabot[bot] <[email protected]>
Change-Id: I10e73c81528f3abf24d5963c5c329eaed81090c0
GitHub-PR: #17
GitHub-Hash: 1a3de8be57538b84
Signed-off-by: onap.gh2gerrit <[email protected]>
onap-github pushed a commit to onap/aai-model-loader that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/sdc-sdc-workflow-designer that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/aai-schema-service that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/ccsdk-distribution that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/ccsdk-parent that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/oparent that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/ccsdk-apps that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/sdc-sdc-be-common that referenced this pull request Jun 15, 2026
onap-github pushed a commit to onap/policy-pap that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/aai-sparky-be that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/usecase-ui that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/aai-rest-client that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/so that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/multicloud-framework that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/policy-parent that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/policy-distribution that referenced this pull request Jun 16, 2026
onap-github pushed a commit to onap/policy-api that referenced this pull request Jun 22, 2026
Summary
This PR hardens your CI/CD workflows against supply chain attacks by pinning GitHub Actions to immutable commit SHAs and extracting unsafe expressions from `run:` blocks into `env:` mappings.
Fixes applied (in this PR)
- e2e-tests.yml
- lint-and-test.yml
- ok-to-test.yml
- pr-check-signed-commits.yml
- test-e2e.yml
- test-e2e.yml
Why this PR
I've been scanning the top 50,000 GitHub repositories for CI/CD pipeline vulnerabilities over the last 5 weeks as part of an ongoing research effort into the supply chain attack campaign that started with tj-actions in March and has escalated through multiple phases since.
You may notice that I have opened up a lot of PRs - don't take that as a negative. I've been working around the clock on this and monitoring all comms. It may take me an hour or two to get back to a comment you leave.
How to verify
Every change is mechanical and preserves workflow behavior:
- `action@v3` becomes `action@abc123 # v3` - original version preserved as comment
- `${{ expr }}` in `run:` moves to `env:` block, referenced as `"${ENV_VAR}"` in the script
I've had 22 merges so far. I created a tool called Runner Guard to assist in my research - it does mechanical, non-AI fixes to reduce hallucinations to zero and produce consistent fixes. If you would like to scan it yourself to validate my work, feel free.
Happy to answer any questions - I'm monitoring comms on every PR.
- Chris Nyhuis (dagecko)
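
A minimal checker for the two patterns the PR description names (tag-pinned `uses:` references and `${{ }}` expressions inside `run:` scripts), as an added example that is not Runner Guard's code and not part of the original PR. The two workflows, the function name `audit_workflow`, the rule labels and the 40-hex SHA are constructed for illustration; the scan is line based and does not parse YAML fully.

```python
import re

SHA_RE = re.compile(r"[0-9a-f]{40}")                      # full commit SHA
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{.*?\}\}")                    # ${{ ... }} expression

# Constructed sample: a workflow before hardening.
BEFORE = """\
name: e2e
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: ./.github/actions/setup
      - name: Show title
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo done
      - run: echo "${{ github.head_ref }}"
"""

# Constructed sample: the same workflow after the mechanical fix.
# The SHA below is a placeholder, not a real actions/checkout commit.
AFTER = """\
name: e2e
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: ./.github/actions/setup
      - name: Show title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: ${PR_TITLE}"
          echo done
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "${HEAD_REF}"
"""


def audit_workflow(text):
    """Return (line_no, rule, detail) findings for one workflow file."""
    findings = []
    run_col = None  # column of the `run:` key while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_col:
                run_col = None  # dedent: the script body has ended
            else:
                # Expressions are expanded into the script text before the
                # shell runs, so any of them in a run body is reported.
                findings += [(no, "expr-in-run", e) for e in EXPR_RE.findall(line)]
                continue
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            # Local actions and docker:// images are out of scope here.
            if not target.startswith(("./", "docker://")):
                ref = target.rpartition("@")[2] if "@" in target else ""
                if not SHA_RE.fullmatch(ref):
                    findings.append((no, "unpinned-action", target))
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(2)
            if body[:1] in ("|", ">"):
                run_col = len(m.group(1))  # multi-line script follows
            else:
                findings += [(no, "expr-in-run", e) for e in EXPR_RE.findall(body)]
    return findings


if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for finding in audit_workflow(wf):
            print("  line %d: %s: %s" % finding)
```

Expressions placed under `env:` are not reported, because there the value reaches the script as an environment variable instead of being pasted into the shell text.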