fix: pin 7 unpinned action(s),extract 10 unsafe expression(s) to env vars

Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard). Changes: .github/workflows/build-all.yml | 30 ++++++++++++++++++++--------- .github/workflows/build-linux.yml | 6 +++--- .github/workflows/build-osx.yml | 10 ++++++---- .github/workflows/build-windows-desktop.yml | 2 +- .github/workflows/build-windows.yml | 2 +- .github/workflows/winget-publish.yml | 5 ++++- 6 files changed, 36 insertions(+), 19 deletions(-)
2026-04-16 04:25:45 +00:00 · 2026-03-26 04:28:49 -04:00 · 2026-03-26 04:28:49 -04:00 · e83a7dd932
commit e83a7dd932
parent 005cb620ec
6 changed files with 36 additions and 19 deletions
--- a/.github/workflows/build-all.yml
+++ b/.github/workflows/build-all.yml
@ -17,53 +17,65 @@ jobs:
        run: |
          curl -X POST \
            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
            https://api.github.com/repos/${{ github.repository }}/actions/workflows/build-windows.yml/dispatches \
            -d "{
              \"ref\": \"master\",
              \"inputs\": {
-                \"release_tag\": \"${{ github.event.inputs.release_tag }}\"
+                \"release_tag\": \"${INPUT_RELEASE_TAG}\"
              }
            }"

+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
      - name: Trigger build linux
        if: github.event.inputs.release_tag != ''
        run: |
          curl -X POST \
            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
            https://api.github.com/repos/${{ github.repository }}/actions/workflows/build-linux.yml/dispatches \
            -d "{
              \"ref\": \"master\",
              \"inputs\": {
-                \"release_tag\": \"${{ github.event.inputs.release_tag }}\"
+                \"release_tag\": \"${INPUT_RELEASE_TAG}\"
              }
            }"

+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
      - name: Trigger build osx
        if: github.event.inputs.release_tag != ''
        run: |
          curl -X POST \
            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
            https://api.github.com/repos/${{ github.repository }}/actions/workflows/build-osx.yml/dispatches \
            -d "{
              \"ref\": \"master\",
              \"inputs\": {
-                \"release_tag\": \"${{ github.event.inputs.release_tag }}\"
+                \"release_tag\": \"${INPUT_RELEASE_TAG}\"
              }
            }"

+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
      - name: Trigger build windows desktop
        if: github.event.inputs.release_tag != ''
        run: |
          curl -X POST \
            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Authorization: token ${GITHUB_TOKEN}" \
            https://api.github.com/repos/${{ github.repository }}/actions/workflows/build-windows-desktop.yml/dispatches \
            -d "{
              \"ref\": \"master\",
              \"inputs\": {
-                \"release_tag\": \"${{ github.event.inputs.release_tag }}\"
+                \"release_tag\": \"${INPUT_RELEASE_TAG}\"
              }
-            }"
+            }"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          INPUT_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
--- a/.github/workflows/build-linux.yml
+++ b/.github/workflows/build-linux.yml
@ -62,7 +62,7 @@ jobs:
        ./package-release-zip.sh "$OutputArchArm" "$OutputPathArm64"
    
    - name: Upload zip archive to release
-      uses: svenstaro/upload-release-action@v2
+      uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
      if: github.event.inputs.release_tag != ''
      with:
        file: ${{ github.workspace }}/v2rayN*.zip
@ -122,7 +122,7 @@ jobs:
        path: dist/deb/**/*.deb

    - name: Upload DEBs to release
-      uses: svenstaro/upload-release-action@v2
+      uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
      with:
        file: dist/deb/**/*.deb
        tag: ${{ env.RELEASE_TAG }}
@ -235,7 +235,7 @@ jobs:
        path: dist/rpm/**/*.rpm

    - name: Upload RPMs to release
-      uses: svenstaro/upload-release-action@v2
+      uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
      with:
        file: dist/rpm/**/*.rpm
        tag: ${{ env.RELEASE_TAG }}
--- a/.github/workflows/build-osx.yml
+++ b/.github/workflows/build-osx.yml
@ -57,11 +57,13 @@ jobs:
      run: |
        brew install create-dmg
        chmod 755 package-osx.sh
-        ./package-osx.sh $OutputArch $OutputPath64 ${{ github.event.inputs.release_tag }}
-        ./package-osx.sh $OutputArchArm $OutputPathArm64 ${{ github.event.inputs.release_tag }}
+        ./package-osx.sh $OutputArch $OutputPath64 ${INPUT_RELEASE_TAG}
+        ./package-osx.sh $OutputArchArm $OutputPathArm64 ${INPUT_RELEASE_TAG}
    
+      env:
+        INPUT_RELEASE_TAG: ${{ github.event.inputs.release_tag }}
    - name: Upload dmg to release
-      uses: svenstaro/upload-release-action@v2
+      uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
      if: github.event.inputs.release_tag != ''
      with:
        file: ${{ github.workspace }}/v2rayN*.dmg
@ -78,7 +80,7 @@ jobs:
        ./package-release-zip.sh $OutputArchArm $OutputPathArm64
    
    - name: Upload zip archive to release
-      uses: svenstaro/upload-release-action@v2
+      uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
      if: github.event.inputs.release_tag != ''
      with:
        file: ${{ github.workspace }}/v2rayN*.zip
--- a/.github/workflows/build-windows-desktop.yml
+++ b/.github/workflows/build-windows-desktop.yml
@ -62,7 +62,7 @@ jobs:
        mv "v2rayN-${OutputArchArm}.zip" "v2rayN-${OutputArchArm}-desktop.zip"

    - name: Upload zip archive to release
-      uses: svenstaro/upload-release-action@v2
+      uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
      if: github.event.inputs.release_tag != ''
      with:
        file: ${{ github.workspace }}/v2rayN*.zip
--- a/.github/workflows/build-windows.yml
+++ b/.github/workflows/build-windows.yml
@ -57,7 +57,7 @@ jobs:
        ./package-release-zip.sh $OutputArchArm $OutputPathArm64
    
    - name: Upload zip archive to release
-      uses: svenstaro/upload-release-action@v2
+      uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
      if: github.event.inputs.release_tag != ''
      with:
        file: ${{ github.workspace }}/v2rayN*.zip
--- a/.github/workflows/winget-publish.yml
+++ b/.github/workflows/winget-publish.yml
@ -17,7 +17,7 @@ jobs:
        run: |

          $wingetPackage = "2dust.v2rayN"
-          $gitToken = "${{ secrets.PT_WINGET }}"
+          $gitToken = "${PT_WINGET}"

          $github = Invoke-RestMethod -uri "https://api.github.com/repos/2dust/v2rayN/releases" 

@ -37,3 +37,6 @@ jobs:
          Write-Host "arm64 URL: $arm64InstallerUrl"
          
          .\wingetcreate.exe update $wingetPackage -s -v $ver -u "$x64InstallerUrl|x64" "$arm64InstallerUrl|arm64" -t $gitToken
+
+        env:
+          PT_WINGET: ${{ secrets.PT_WINGET }}