38 changes: 38 additions & 0 deletions .github/workflows/docs.yml
@@ -0,0 +1,38 @@
name: Deploy Docs to GitHub Pages

on:
push:
branches:
- docs # Deploy when pushing to docs branch
workflow_dispatch: # Allow manual trigger

permissions:
contents: read
pages: write
id-token: write

concurrency:
group: "pages"
cancel-in-progress: false

jobs:
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
Semgrep identified an issue in your code:

GitHub Actions step uses mutable version tag @v4 instead of pinned commit SHA, allowing attackers to silently redirect the action to malicious code.

More details about this

The actions/checkout step uses version tag @v4 instead of a pinned commit SHA. Version tags and branch references in GitHub Actions can be silently repointed by the action's owner to malicious code without any update to your workflow file. This enables supply-chain attacks where a compromised maintainer could redirect @v4 to inject malicious code that exfiltrates repository secrets or modifies your build output.

Exploit scenario:

  1. An attacker gains control of the actions/checkout repository and force-pushes the v4 tag to point to a commit containing malicious code
  2. When your workflow runs, it automatically uses this new malicious version due to the mutable tag reference
  3. The malicious checkout action could execute arbitrary code with access to GITHUB_TOKEN, allowing the attacker to read your repository secrets or push backdoors to your main branch
  4. Your workflow file never changed—the attack is silent and difficult to detect

Pin to a full 40-character commit SHA (e.g., actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608) to ensure you always run the exact version you tested.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/checkout@v4
# Pinned to commit SHA to prevent supply-chain attacks. See: https://github.com/actions/checkout/commits/v4
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
View step-by-step instructions
  1. Find the commit SHA for the exact version of the action you want to use. You can find this by visiting the action's repository (for example, https://github.com/actions/checkout) and looking at the "commits" tab or in the release/tag list.
  2. Replace uses: actions/checkout@v4 with uses: actions/checkout@<commit-sha> where <commit-sha> is the full 40-character commit hash you found in step 1 (for example: uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608).
  3. Repeat these steps for any other GitHub Actions referenced by branch or tag names (such as v4, v3, main, or similar).
    Pinning to a full commit SHA ensures the workflow always uses the same, reviewed code and protects against supply-chain attacks resulting from upstream changes.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

Need help with this issue? Consult our Semgrep Findings Documentation or ask in #help-appsec on Slack.

You can view more details about this finding in the Semgrep AppSec Platform.
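The pinning procedure from the step-by-step instructions above, as an added example that is not part of the PR or of Semgrep's output: `audit_uses` reports every `uses:` reference that is not a 40-hex commit SHA and also flags one SHA pinned for two different repositories, while `pin_reference` rewrites a line and keeps the old tag as a trailing comment. The sample workflow is constructed from this PR; the SHAs in it are the ones quoted in the suggestions, and resolving a tag to its real SHA (for example with `git ls-remote --tags`) is left to the caller.

```python
import re
from collections import defaultdict

# "uses: owner/repo[/subpath]@ref" with an optional trailing comment.
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*uses:\s*)'
    r'(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)'
    r'(?P<rest>\s*(?:#.*)?)$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def audit_uses(workflow_text):
    """Return (line, subject, message) findings: mutable refs (tags, branches)
    and commit SHAs shared by different repositories. A commit SHA identifies a
    commit in exactly one repository, so a shared pin is a copy-paste error;
    cross-line findings are reported with line 0."""
    findings = []
    sha_owners = defaultdict(set)
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        repo = '/'.join(m.group('action').split('/')[:2])
        ref = m.group('ref')
        if SHA_RE.match(ref):
            sha_owners[ref].add(repo)
        else:
            findings.append((lineno, repo, f'mutable ref {ref!r}'))
    for sha, repos in sha_owners.items():
        if len(repos) > 1:
            findings.append((0, sha, 'same SHA pinned for ' + ', '.join(sorted(repos))))
    return findings

def pin_reference(line, sha):
    """Rewrite one 'uses:' line to the given SHA, keeping the tag as a trailing
    comment so version-update tooling can still see which release it tracks."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(sha):
        raise ValueError('not a pinnable uses: line, or SHA is not 40 hex digits')
    return f"{m.group('indent')}{m.group('action')}@{sha} # {m.group('ref')}"

# Constructed sample: the steps of this PR's workflow with the bot's suggested pins.
SAMPLE = """\
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Pages
        uses: actions/configure-pages@e44b1c85704970a97e1541a415a3ccc0c07bc252
      - name: Upload artifact
        uses: actions/upload-pages-artifact@8ade135a41bc03ea155e62e844d188df1ea18608
      - name: Deploy to GitHub Pages
        uses: actions/deploy-pages@8ade135a41bc03ea155e62e844d188df1ea18608
"""
```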


- name: Setup Pages
uses: actions/configure-pages@v5
Semgrep identified an issue in your code:

GitHub Actions step uses mutable version tag v5 instead of a pinned commit SHA, allowing the action owner to silently push malicious code that runs in your workflow.

More details about this

The actions/configure-pages@v5 step is using a mutable version tag (v5) instead of pinning to a specific commit SHA. This means the action owner can silently change what code runs at this step without any warning or approval—including injecting malicious code into your workflow.

How an attacker could exploit this:

  1. An attacker gains control of the actions/configure-pages repository (or tricks GitHub into reassigning it)
  2. They push malicious code and retag v5 to point to the compromised commit
  3. Your next workflow run automatically uses the new v5, which now executes the attacker's code with access to your GitHub Pages secrets and repository permissions
  4. The attacker extracts the id-token (which has write access to pages) and uses it to modify your deployed documentation or exfiltrate sensitive data

This attack pattern has happened before—notably with trivy-action and kics-github-action—making it a real supply-chain threat.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/configure-pages@v5
# Pinned to the full commit SHA for security; see https://github.com/actions/configure-pages/tags for latest
uses: actions/configure-pages@e44b1c85704970a97e1541a415a3ccc0c07bc252
View step-by-step instructions
  1. Replace the version reference in uses: actions/configure-pages@v5 with a specific 40-character commit SHA from the upstream actions/configure-pages repository.
  2. Find the latest commit SHA for the v5 version by visiting https://github.com/actions/configure-pages/tags and copying the full commit hash for the desired version.
  3. Update the line to: uses: actions/configure-pages@<commit-sha>, replacing <commit-sha> with the actual 40-character SHA you copied.

Pinning to a full commit SHA prevents unexpected changes to workflows if the tag is repointed in the future, reducing your risk of supply-chain attacks.



- name: Upload artifact
uses: actions/upload-pages-artifact@v3
Semgrep identified an issue in your code:

GitHub Actions step uses mutable tag @v3 instead of a pinned commit SHA, allowing the action owner to silently inject malicious code into your CI/CD pipeline.

More details about this

The GitHub Actions workflow uses actions/upload-pages-artifact@v3, which references a mutable version tag instead of a pinned commit SHA. This allows the action owner to silently change what code runs in your CI/CD pipeline without your knowledge.

Here's how an attacker could exploit this:

  1. Compromise the action's repository: An attacker compromises the actions/upload-pages-artifact repository or gains access to push tags to it (this has happened in the wild with actions like trivy-action and kics-github-action).

  2. Repoint the tag: They push malicious code and repoint the v3 tag to point to their compromised version instead of the original.

  3. Your workflow executes the malicious code: The next time your workflow runs (either on a push to the docs branch or via manual dispatch), GitHub Actions automatically pulls the latest code for v3 and executes it with the permissions your workflow grants (contents: read, pages: write, id-token: write).

  4. Malicious action runs: The compromised action could steal your repository's credentials, modify your Pages deployment, exfiltrate secrets, or pivot to other resources your runner has access to.

The @v3 tag is mutable—the action owner can move it at any time. By pinning to a full 40-character commit SHA instead (e.g., actions/upload-pages-artifact@abc123def456...), you ensure your workflow always runs the exact version you tested, regardless of tag movements.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/upload-pages-artifact@v3
# Pinned to the full commit SHA for security.
uses: actions/upload-pages-artifact@8ade135a41bc03ea155e62e844d188df1ea18608
View step-by-step instructions
  1. Go to the GitHub repository for actions/upload-pages-artifact at https://github.com/actions/upload-pages-artifact.
  2. Locate the latest release or the specific release you want to use and copy the full 40-character commit SHA for that release.
  3. Replace uses: actions/upload-pages-artifact@v3 with uses: actions/upload-pages-artifact@<commit-sha>, substituting <commit-sha> with the commit SHA you copied.
    For example: uses: actions/upload-pages-artifact@8ade135a41bc03ea155e62e844d188df1ea18608
    Pinning to the full commit SHA ensures that your workflow always uses the intended action code, preventing supply-chain attacks if the tag is repointed in the future.

with:
path: 'docs'

- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
Semgrep identified an issue in your code:

Mutable version tag v4 in actions/deploy-pages allows silent updates that could inject malicious code into your GitHub Pages deployment.

More details about this

The step uses: actions/deploy-pages@v4 references the action using a mutable version tag (v4), which can be silently updated by the action maintainer at any time without your knowledge.

Exploit Scenario:

  1. An attacker compromises the actions/deploy-pages repository or its maintainer account
  2. They push malicious code and retag the v4 release to point to their compromised code
  3. Your workflow runs and pulls the malicious version because v4 now resolves to the attacker's code
  4. The malicious action executes with the permissions granted to this job (contents: read, pages: write, id-token: write), allowing the attacker to deploy malicious content to your GitHub Pages site, exfiltrate credentials, or modify your repository

This is the same attack vector that enabled the trivy-action and kics-github-action compromises. Using a pinned commit SHA ensures you always run the exact version you tested and approved, preventing silent malicious updates.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@8ade135a41bc03ea155e62e844d188df1ea18608 # v4 pinned to commit SHA for security
View step-by-step instructions
  1. Find the specific commit SHA for the actions/deploy-pages action version you want to use. You can find this by visiting https://github.com/actions/deploy-pages/tags and clicking on your intended version (e.g., v4), then copying the 40-character commit SHA associated with that tag.
  2. Replace uses: actions/deploy-pages@v4 with uses: actions/deploy-pages@<commit-sha>, for example: uses: actions/deploy-pages@8ade135a41bc03ea155e62e844d188df1ea18608.
  3. Make sure to update future workflow references to this action in the same way to keep your workflow secure.
    This change locks the action to a specific code state and prevents unexpected code changes from upstream repository compromises.
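Review bot: The suggested pins in the Semgrep comments on this hunk reuse the commit SHA 8ade135a41bc03ea155e62e844d188df1ea18608 for three different repositories (actions/checkout, actions/upload-pages-artifact and actions/deploy-pages); a commit SHA identifies a commit in one repository, so at most one of those three suggestions can be correct, and none should be committed before the SHA is resolved from the tag in the corresponding repository (`git ls-remote --tags` against each one). Keep the tag in a trailing comment after the SHA, as the deploy-pages suggestion does, so Dependabot can still propose updates to the pinned reference. The permissions block (contents: read, pages: write, id-token: write) is already the minimum this deployment flow needs and does not need further tightening.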

5 changes: 5 additions & 0 deletions docs/_config.yml
@@ -0,0 +1,5 @@
theme: jekyll-theme-cayman
title: Twilio Agent Connect Python SDK
description: Official Python SDK for Twilio Agent Connect

markdown: kramdown
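Review bot: The theme and kramdown settings in docs/_config.yml will have no effect with .github/workflows/docs.yml as written: actions/upload-pages-artifact uploads the docs directory as-is and actions/deploy-pages publishes that artifact unchanged, so no Jekyll build runs and the Markdown files are served raw. Either add a build step before the upload (actions/jekyll-build-pages exists for this, and its output directory is what `path:` should then point at) or drop the _config.yml and commit pre-built HTML to docs.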