Skip to content

v1.0.1
Compare
Choose a tag to compare
@woodruffw woodruffw released this 07 Jan 19:14
· 76 commits to main since this release
v1.0.1
7a8c9f2
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

v1.0.1

This is a small quality and bugfix release. Thank you to everybody
who helped by reporting and shaking out bugs from our first stable release!

Improved

  • The github-env audit now detects dangerous writes to GITHUB_PATH,
    is more precise, and can produce multiple findings per run block (#391)

Fixed

  • workflow_call.secrets keys with missing values are now parsed correctly (#388)
  • The cache-poisoning audit no longer incorrectly treats docker/build-push-action as
    a publishing workflow is push: false is explicitly set (#389)
  • The template-injection audit no longer considers github.action_path
    to be a potentially dangerous expansion (#402)
  • The github-env audit no longer skips run: steps with non-trivial
    shell: stanzas (#403)
Assets 2
Loading