
fix: pin 7 unpinned action(s)#529

Closed
dagecko wants to merge 1 commit intoreactnativecn:masterfrom
dagecko:runner-guard/fix-ci-security

Conversation


@dagecko dagecko commented Mar 26, 2026

Fix: CI/CD Security Vulnerabilities in GitHub Actions

Hi! Runner Guard, an open-source
CI/CD security scanner by Vigilant Cyber Security,
identified security vulnerabilities in this repository's GitHub Actions workflows.

This PR applies automated fixes where possible and reports additional findings
for your review.

Fixes applied (in this PR)

Rule     Severity  File                                Description
RGS-007  high      .github/workflows/e2e_android.yml   Pinned 2 third-party action(s) to commit SHA
RGS-007  high      .github/workflows/e2e_ios.yml       Pinned 2 third-party action(s) to commit SHA
RGS-007  high      .github/workflows/lint.yml          Pinned 1 third-party action(s) to commit SHA
RGS-007  high      .github/workflows/publish.yml       Pinned 1 third-party action(s) to commit SHA
RGS-007  high      .github/workflows/test.yml          Pinned 1 third-party action(s) to commit SHA

Advisory: additional findings (manual review recommended)

No additional findings beyond the fixes applied above.

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks, expose
secrets inline, or use unpinned third-party actions are vulnerable to
code injection, credential theft, and supply chain attacks. These are the same
vulnerability classes exploited in the tj-actions/changed-files and
LiteLLM supply chain attacks,
which compromised CI secrets across thousands of repositories.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • Expression extraction (RGS-002/008/014): Moves ${{ }} expressions from
    run: blocks into env: mappings, preventing shell injection
  • SHA pinning (RGS-007): Pins third-party actions to immutable commit SHAs
    (original version tag preserved as comment)
  • Debug env removal (RGS-015): Removes ACTIONS_RUNNER_DEBUG/ACTIONS_STEP_DEBUG
    which leak secrets in workflow logs

Run brew install Vigilant-LLC/tap/runner-guard && runner-guard scan . or install from the
repo to verify.


Found by Runner Guard | Built by Vigilant Cyber Security | Learn more

If this PR is not welcome, just close it -- we won't send another.

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow actions to reference specific commit versions instead of floating version tags.

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/e2e_android.yml | 4 ++--
 .github/workflows/e2e_ios.yml     | 4 ++--
 .github/workflows/lint.yml        | 2 +-
 .github/workflows/publish.yml     | 2 +-
 .github/workflows/test.yml        | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)
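An added offline checker for the two finding classes the PR description names, unpinned third-party actions (RGS-007) and `${{ }}` expressions interpolated into `run:` scripts (RGS-002). This is example code written for this page, not Runner Guard's implementation; the sample workflow text, the function names and the "untrusted expression root" heuristic are assumptions. Only `resolve_ref` touches the network, and it is the step that answers the question a reviewer asks of a pin like the setup-bun one: does the tag in the trailing `#` comment currently resolve to that SHA?

```python
"""Offline checker for two finding classes named above: actions not pinned to a
commit SHA (RGS-007) and ${{ }} expressions pasted into run: scripts (RGS-002).
Example code for this page, not Runner Guard's implementation."""
import re
import subprocess

SHA_RE = re.compile(r"[0-9a-f]{40}")
# `uses: owner/repo[/path]@ref  # comment`; local ./x and docker:// refs do not match.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(\S+)(?:\s*#\s*(.*?))?\s*$")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")
# Heuristic (an assumption of this example): expression roots a PR or issue author controls.
UNTRUSTED_RE = re.compile(r"^(github\.head_ref|inputs\.|github\.event\."
                          r"(issue|pull_request|comment|review|discussion|commits|head_commit|workflow_run)\b)")

def classify_ref(ref):
    """'sha' for a full 40-hex commit, 'tag' for v2 / v1.6.0 style, else 'branch'."""
    if SHA_RE.fullmatch(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(?:\.\d+)*", ref):
        return "tag"
    return "branch"

def find_unpinned(workflow_text):
    """(line_no, action, ref, kind) for every `uses:` that is not a SHA pin."""
    out = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(2)) != "sha":
            out.append((n, m.group(1), m.group(2), classify_ref(m.group(2))))
    return out

def run_scripts(workflow_text):
    """Yield (line_no, script) per run: step, joining `|` / `>` block scalars."""
    lines, i = workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, head, start = len(m.group(1)), m.group(2).strip(), i + 1
        i, body = i + 1, [head]
        if head[:1] in ("|", ">"):  # block scalar: the lines indented past the `run:` key
            body = []
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col):
                body.append(lines[i])
                i += 1
        yield start, "\n".join(body)

def find_run_injections(workflow_text):
    """(line_no, expression, severity) for every ${{ }} interpolated into a run: script."""
    return [(n, e, "high" if UNTRUSTED_RE.match(e) else "review")
            for n, script in run_scripts(workflow_text) for e in EXPR_RE.findall(script)]

def env_name(expr):
    """github.event.pull_request.title -> GITHUB_EVENT_PULL_REQUEST_TITLE"""
    return re.sub(r"[^A-Z0-9]+", "_", expr.upper()).strip("_")

def harden_run(script):
    """Rewrite a run: script so each expression is read from an env: variable instead of
    being substituted into the shell text; the value then reaches bash as data.
    Returns (env_mapping, new_script). Quote ${VAR} in the script where word splitting matters."""
    env = {}
    def swap(m):
        name = env_name(m.group(1))
        env[name] = "${{ " + m.group(1) + " }}"
        return "${" + name + "}"
    return env, EXPR_RE.sub(swap, script)

def resolve_ref(repo, ref, timeout=30):
    """Network helper (not run offline): commit SHA that tag or branch `ref` of
    github.com/<repo> points to now, via `git ls-remote`. For an annotated tag the peeled
    `^{}` line is the commit a `uses:` SHA pin must equal; on a mismatch, check the SHA
    against the repository's commit history before trusting the pin."""
    cmd = ["git", "ls-remote", f"https://github.com/{repo}.git", f"refs/tags/{ref}", f"refs/heads/{ref}"]
    found = {}
    for line in subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=True).stdout.splitlines():
        sha, name = line.split("\t", 1)
        found[name] = sha
    return found.get(f"refs/tags/{ref}^{{}}") or found.get(f"refs/tags/{ref}") or found.get(f"refs/heads/{ref}")

# Constructed sample workflow (not from the repository) covering each case.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
      - uses: someone/some-action@main
      - name: Greet
        run: echo "PR ${{ github.event.pull_request.title }} by ${{ github.actor }}"
      - name: Build
        run: |
          git fetch origin ${{ github.head_ref }}
          bun run build --target ${{ matrix.target }}
"""
```

Feed each file under `.github/workflows/` to `find_unpinned` and `find_run_injections`; on `SAMPLE` the first reports the `@v4` tag and the `@main` branch and accepts the setup-bun SHA, the second flags the pull-request title and `github.head_ref` as high and the remaining expressions for review. `harden_run` produces the `env:` mapping and rewritten script that the RGS-002 fix describes, so `echo "PR ${{ github.event.pull_request.title }}"` becomes `echo "PR ${GITHUB_EVENT_PULL_REQUEST_TITLE}"` with the expression moved to `env:`. The heuristic in `UNTRUSTED_RE` is deliberately coarse; treating every expression in a `run:` block as something to move, as the PR description says Runner Guard does, is the safer default.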

coderabbitai bot commented Mar 26, 2026

Walkthrough

GitHub Actions workflows across the repository have been updated to pin third-party action versions to specific commit SHAs instead of using floating semantic version tags (@v2, @v1). This change affects the Bun setup, Android emulator runner, and Xcode setup actions across multiple workflow files.

Changes

Cohort: GitHub Actions Workflow Pinning
File(s): .github/workflows/e2e_android.yml, .github/workflows/e2e_ios.yml, .github/workflows/lint.yml, .github/workflows/publish.yml, .github/workflows/test.yml
Summary: Pinned oven-sh/setup-bun from @v2 to commit SHA 0c5077e51419868618aeaa5fe8019c62421857d6 (annotated as v2). Additionally, e2e_android.yml pinned reactivecircus/android-emulator-runner to a v2 commit SHA, and e2e_ios.yml pinned maxim-lobanov/setup-xcode to a v1 commit SHA.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 Version tags floated far and wide,
But pinned SHAs keep reproducibility as guide,
Each action locked to its commit hash secure,
No surprises in the future—our builds endure!
A steady warren of workflows, stable and true! 🌿

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name          Status     Explanation
Description Check   ✅ Passed  Check skipped - CodeRabbit's high-level summary is enabled.
Title check         ✅ Passed  The title 'fix: pin 7 unpinned action(s)' accurately and concisely describes the main change: pinning GitHub Actions to specific commit SHAs for security.
Docstring Coverage  ✅ Passed  No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e_ios.yml:
- Line 46: The workflow currently pins maxim-lobanov/setup-xcode to an
unverifiable commit SHA (ed7a3b1f...) in the uses statement; replace that SHA
with a valid v1.x release tag (for example `@v1.6.0`) so the action reference is
verifiable and matches the repository's release tags—update the uses line that
contains "maxim-lobanov/setup-xcode@..." to use a proper release tag like
`@v1.6.0` (or another valid v1.* tag).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ebaf2528-ae0b-4e37-9028-4e6e91679245

📥 Commits

Reviewing files that changed from the base of the PR and between c2c66b0 and b4deae9.

📒 Files selected for processing (5)
  • .github/workflows/e2e_android.yml
  • .github/workflows/e2e_ios.yml
  • .github/workflows/lint.yml
  • .github/workflows/publish.yml
  • .github/workflows/test.yml


- name: Setup Xcode
uses: maxim-lobanov/setup-xcode@v1
uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1
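Review bot: the new `uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1` line needs its SHA verified before merge, and the trailing comment needs to name a release rather than the floating major tag: the old reference was `@v1`, a tag that moves, so `# v1` only tells a reviewer which moving tag the SHA was supposedly taken from, not which release it is. Resolve the tag yourself (`git ls-remote https://github.com/maxim-lobanov/setup-xcode refs/tags/v1`, taking the peeled `^{}` line if the tag is annotated) and confirm the commit exists in that repository; if the SHA does not resolve, the runner cannot fetch the action and every e2e_ios job fails at setup. Then write the exact release the SHA corresponds to into the comment, whatever it actually resolves to, so later reviewers and automated updaters have something to check the pin against.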

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify maxim-lobanov/setup-xcode SHA corresponds to v1 tag

echo "Checking maxim-lobanov/setup-xcode v1 tag..."
gh api repos/maxim-lobanov/setup-xcode/git/ref/tags/v1 --jq '.object.sha' || gh api repos/maxim-lobanov/setup-xcode/commits/v1 --jq '.sha' 2>/dev/null

echo -e "\nDetails for pinned SHA ed7a3b1fda3918c0306d1b724322adc0b8cc0a90:"
gh api repos/maxim-lobanov/setup-xcode/commits/ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 --jq '{sha: .sha, date: .commit.committer.date, message: .commit.message}'

Repository: reactnativecn/react-native-update

Length of output: 603


🏁 Script executed:

#!/bin/bash
# Try accessing GitHub API via curl without authentication
echo "Checking v1 tag SHA..."
curl -s https://api.github.com/repos/maxim-lobanov/setup-xcode/git/refs/tags/v1 | jq '.object.sha' 2>/dev/null

echo -e "\nChecking commit details for ed7a3b1fda3918c0306d1b724322adc0b8cc0a90..."
curl -s https://api.github.com/repos/maxim-lobanov/setup-xcode/commits/ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 | jq '{sha: .sha, date: .commit.committer.date, message: .commit.message}' 2>/dev/null

Repository: reactnativecn/react-native-update

Length of output: 389


🌐 Web query:

maxim-lobanov setup-xcode v1 tag release SHA

💡 Result:

No specific "v1" tag release found for maxim-lobanov/setup-xcode. The repository uses maxim-lobanov/setup-xcode@v1 in usage examples, referring to the v1.x series (e.g., latest v1.6.0 at SHA 60606e2). The earliest listed release is v1.2 on 2020-10-15 at SHA dfa1339. Older v1 releases like v1.0.0 may exist but are not shown in the releases page snippets. Repository created 2020-04-26. Maxim Lobanov is the author, working at GitHub.


🌐 Web query:

site:github.com maxim-lobanov setup-xcode ed7a3b1fda3918c0306d1b724322adc0b8cc0a90

💡 Result:

The query refers to the GitHub Actions action "setup-xcode" created by Maxim Lobanov (https://github.com/maxim-lobanov/setup-xcode). This is a popular open-source tool (370+ stars) for selecting a specific pre-installed Xcode version in GitHub Actions workflows on macOS runners. Key details: - Author: Maxim Lobanov, Senior Software Engineer at GitHub, based in Amsterdam. - Purpose: Switches between Xcode versions available on GitHub-hosted macOS runners (list in https://github.com/actions/runner-images). - Latest release: v1.6.0 (Sep 2023), last push 2024-06-25, recent activity as of Mar 2026. - Usage example: jobs: build: runs-on: macos-latest steps: - uses: maxim-lobanov/setup-xcode@v1.6.0 with: xcode-version: 'latest-stable' # or 'latest', semver like '14.3.1', or '-beta' suffix - Outputs: 'version' and 'path' of selected Xcode. - The hash "ed7a3b1fda3918c0306d1b724322adc0b8cc0a90" does not match any found commit, release, or reference in searches; it may be internal, a workflow artifact ID, or a typo. No exact match found across GitHub searches. Official docs and source: https://github.com/maxim-lobanov/setup-xcode


🌐 Web query:

site:github.com maxim-lobanov/setup-xcode v1 tag releases

💡 Result:

The GitHub Action maxim-lobanov/setup-xcode uses the @v1 major version tag, which points to the latest minor/patch release in the v1.x.x series. There is no specific "v1" release tag; instead, releases are tagged as v1.2, v1.2.3, v1.3.0, v1.4.0, v1.4.1, v1.5.1, v1.6.0, etc. The full list of v1 releases (from oldest to newest based on available data): - v1.2 (15 Oct, commit dfa1339): Improved Xcode version parsing from app name to use build number for reliability. - v1.2.3 (21 Jul): Added "version" and "path" output variables. - v1.4.0 (07 Oct): Added ability to choose stable/unstable Xcode versions; improved version output. - v1.4.1 (04 Jan): Bumped dependencies. - v1.5.1 (19 Oct): Updated dependencies, fixed deprecated set-output warning. - v1.6.0 (23 Sep 2023): Updated Node.js to 20. The repository has 12 releases total, created starting 2020-04-26, with latest v1.6.0. Usage examples reference @v1 for the stable channel. No explicit v1.0.0 or initial v1 tag details found in search results; earliest listed is v1.2.


Replace the pinned SHA with a valid v1.x release tag.

The pinned SHA ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 does not exist in the maxim-lobanov/setup-xcode repository and cannot be verified. Additionally, there is no "v1" tag in this repository—releases use specific version tags (v1.2, v1.3.0, v1.4.0, etc.), with the latest v1.x release being v1.6.0. Use a valid release tag like @v1.6.0 instead of the unverifiable SHA.


@dagecko dagecko closed this by deleting the head repository Mar 26, 2026
