Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .github/workflows/aireceipts.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: aireceipts
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
check:
runs-on: ubuntu-latest
steps:
- run: npx -y aireceipts-cli@latest pr-check

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: @latest reintroduces an unpinned supply-chain risk with a write token

This commit reverts the @0.5.0 pin (added explicitly for "supply-chain: no mutable @latest with write token") back to @latest. Since the step exposes GH_TOKEN with pull-requests: write, every run resolves and executes whatever aireceipts-cli version is @latest at run time — so a compromised or broken newly published release runs with PR-write capability before this repo has reviewed it. If the floating version is intentional, consider isolating the install step from the write token (or otherwise limiting the token's blast radius) to reduce the risk.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

env:
GH_TOKEN: ${{ github.token }}
Loading