Severity: Medium
Summary
Four workflow files use deprecated versions of actions/checkout and actions/setup-node (v2 and v3), while other workflows in the same repository have already been updated to v4. The v2 actions declare Node.js 12 (EOL April 2022) as their runtime and the v3 actions declare Node.js 16 (EOL September 2023); neither runtime still receives security patches.
Affected Files

Line numbers refer to the `uses:` line inside each workflow file.

| Workflow File | Line | Action | Version | Internal Node.js |
|---|---|---|---|---|
| .github/workflows/code-analysis.yml | 22 | actions/checkout | v2 | Node.js 12 (EOL) |
| .github/workflows/code-analysis.yml | 25 | actions/setup-node | v2 | Node.js 12 (EOL) |
| .github/workflows/publish-public-build.yml | 13 | actions/checkout | v3 | Node.js 16 (EOL) |
| .github/workflows/publish-public-build.yml | 15 | actions/setup-node | v3 | Node.js 16 (EOL) |
| .github/workflows/publish.yml | 15 | actions/checkout | v3 | Node.js 16 (EOL) |
| .github/workflows/publish.yml | 17 | actions/setup-node | v3 | Node.js 16 (EOL) |
| .github/workflows/code-reviewer.yml | 15 | actions/checkout | v3 | Node.js 16 (EOL) |
| .github/workflows/code-reviewer.yml | 33 | actions/checkout | v3 | Node.js 16 (EOL) |
Already on v4 (correct): chromatic.yml, storybook-tests.yml, storybook-deployment.yml, tag-release.yml, claude.yml, claude-code-review.yml
Impact
- actions/checkout@v2 had known issues with Git credential persistence that could leak tokens to subsequent steps or child processes. Note that upgrading alone does not remove the token from the checkout: every actions/checkout major, v4 included, writes the job token into .git/config by default (persist-credentials: true), so jobs whose later steps do not push should also set `persist-credentials: false`.
- The declared runtimes no longer receive security patches from the Node.js project, so newly discovered vulnerabilities in the underlying runtime go unfixed.
- GitHub has begun issuing deprecation warnings and may eventually hard-block these versions, causing workflow failures.
- The inconsistency across workflows suggests these were missed during a previous upgrade — some workflows are on v4 while others remain on v2/v3.
Recommended Fix
Update all instances to v4:

```yaml
# Replace all occurrences of:
uses: actions/checkout@v2
uses: actions/checkout@v3
# With:
uses: actions/checkout@v4

# Replace all occurrences of:
uses: actions/setup-node@v2
uses: actions/setup-node@v3
# With:
uses: actions/setup-node@v4
```
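The following script is an added example, not tooling from the audit or the repository. It reproduces this check over a repository's `.github/workflows` directory: every `actions/checkout` and `actions/setup-node` reference pinned to a major below v4 is reported with its file and line number (the same numbering the table above uses), and `upgrade_workflow` rewrites those pins to v4 while leaving other actions, comments and `with:` blocks untouched. SHA- or branch-pinned refs are deliberately not judged by major and are left for manual review. The sample workflow text is constructed here for illustration and the function names, the `persist-credentials: false` line and the `upload-artifact` step in it are assumptions, not content of the real publish-public-build.yml.

```python
"""Audit helper (added example, not the repository's own tooling):
find actions/checkout and actions/setup-node references pinned to a
major version below v4 in GitHub workflow files, and rewrite them."""
import re
import sys
from pathlib import Path
from typing import List, NamedTuple, Optional

# Actions covered by this finding and the major the rest of the repo already uses.
TARGET_MAJOR = {"actions/checkout": 4, "actions/setup-node": 4}

# Matches a `uses: owner/repo@ref` step line; trailing text (e.g. comments) is left alone.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w.-]+)@(?P<ref>[^\s#]+)"
)


class Finding(NamedTuple):
    path: str
    line: int
    action: str
    ref: str


def parse_major(ref: str) -> Optional[int]:
    """Major version for tag-style refs (v2, v3.5.2, 4); None for SHAs or branches."""
    m = re.fullmatch(r"v?(\d+)(?:\.\d+)*", ref)
    return int(m.group(1)) if m else None


def is_outdated(action: str, ref: str) -> bool:
    """True when the action is in scope and pinned to a major below the target.
    SHA- or branch-pinned refs are not judged here and need manual review."""
    major = parse_major(ref)
    return action in TARGET_MAJOR and major is not None and major < TARGET_MAJOR[action]


def scan_workflow(path: str, text: str) -> List[Finding]:
    """Report outdated references with 1-based line numbers, as in the finding's table."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and is_outdated(m.group("action"), m.group("ref")):
            findings.append(Finding(path, lineno, m.group("action"), m.group("ref")))
    return findings


def upgrade_workflow(text: str) -> str:
    """Rewrite outdated pins to the target major; every other line is returned unchanged."""
    def bump(m: "re.Match[str]") -> str:
        action, ref = m.group("action"), m.group("ref")
        if is_outdated(action, ref):
            return f"{m.group('prefix')}{action}@v{TARGET_MAJOR[action]}"
        return m.group(0)
    lines = [USES_RE.sub(bump, line, count=1) for line in text.splitlines()]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


def scan_repo(root: str) -> List[Finding]:
    """Scan every workflow under <root>/.github/workflows (file-based usage)."""
    findings = []
    for p in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings.extend(scan_workflow(str(p), p.read_text(encoding="utf-8")))
    return findings


# Constructed sample resembling publish-public-build.yml; not the real file.
SAMPLE_WORKFLOW = """\
name: publish-public-build
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
      - uses: actions/setup-node@v3
        with:
          node-version: 20
      - uses: actions/upload-artifact@v3   # out of scope for this finding
      - run: npm ci
"""

if __name__ == "__main__":
    # `python audit_actions.py <repo-root>` scans real files; with no argument the sample is used.
    found = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_workflow("sample.yml", SAMPLE_WORKFLOW)
    for f in found:
        print(f"{f.path}:{f.line}: {f.action}@{f.ref} -> v{TARGET_MAJOR[f.action]}")
    if not found:
        print("no outdated actions/checkout or actions/setup-node pins")
```

Run against the sample, the script reports the checkout pin on line 7 and the setup-node pin on line 10 and leaves `actions/upload-artifact@v3` alone, since that action is outside this finding. Re-running `scan_workflow` on the output of `upgrade_workflow` is the regression check: it must return an empty list before the finding is closed.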
Context
Identified during a modular security audit. The publish-public-build.yml workflow is especially sensitive as it handles FORCE_UI_TOKEN for pushing to the public mirror repository.
Found by automated security audit — VULN-05