Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| mergetron: | ||
| uses: framer/mergetron/.github/workflows/install.yml@master | ||
| secrets: | ||
| mergetron_app_private_key: ${{ secrets.MERGETRON_APP_PRIVATE_KEY }} |
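Review bot: the `uses:` line pins the reusable workflow to the `master` branch while the `secrets:` block below it hands that workflow `MERGETRON_APP_PRIVATE_KEY`, so whatever lands on `master` next is what receives the key. Pin to a full-length commit SHA and keep the human-readable version in a trailing comment, for example `uses: framer/mergetron/.github/workflows/install.yml@<full-commit-sha> # <tag or version>` (placeholder values), and let Dependabot or Renovate bump the SHA so the pin does not go stale.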
Mutable branch ref exposes private key to supply-chain risk
Medium Severity
The reusable workflow is pinned to @master, a mutable branch reference, while being passed the MERGETRON_APP_PRIVATE_KEY secret. Any new commit pushed to the master branch of framer/mergetron — whether intentional or via a compromised account — would automatically receive the private key. Pinning to a specific commit SHA would prevent this supply-chain risk.
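A check for the class of problem Bugbot raised, as an added example that is not part of framer/mergetron, the Plugins repo, or Bugbot: it scans a workflow file for `uses:` references whose ref is not a full 40-hex commit SHA, and raises the severity when the same job or step also receives secrets (a `secrets:` block or a `${{ secrets.* }}` input). It is a line scanner over the standard library only, not a YAML parser, and runs against a constructed sample workflow whose `mergetron` job mirrors the hunk under review; the `build` job, the `example/*` action names and the SHA in it are made up for the example.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA,
and raise the severity when the unpinned action or reusable workflow is also
handed secrets. Added example for this review thread; it is not code from
framer/mergetron or the Plugins repo. Standard library only (a line scanner,
not a YAML parser), so it runs offline on the constructed sample below."""
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref`, optionally as a list item (`- uses:`).
# Local (`./`) and `docker://` references do not match and are not checked.
USES_RE = re.compile(
    r"^(?P<lead>\s*(?:-\s*)?)uses:\s*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[^@'\"\s]*)?)@(?P<ref>[^'\"\s#]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A `secrets:` key (including `secrets: inherit`) or a `${{ secrets.X }}` input.
SECRETS_KEY_RE = re.compile(r"^\s*secrets:")
SECRET_EXPR_RE = re.compile(r"\$\{\{\s*secrets\.")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    passes_secrets: bool

    @property
    def severity(self) -> str:
        # Mutable ref plus a secret is the case flagged on this PR: whoever can
        # push to that branch receives the secret on the next run.
        return "high" if self.passes_secrets else "medium"


def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable; tags and branches can move."""
    return bool(FULL_SHA_RE.match(ref))


def find_unpinned_uses(workflow_text: str) -> list[Finding]:
    lines = workflow_text.splitlines()
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or is_pinned(m.group("ref")):
            continue
        # Everything indented at or beyond the `uses` key belongs to the same
        # job or step; stop at the next sibling job/step.
        key_indent = len(m.group("lead"))
        passes_secrets = False
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_indent:
                break
            if SECRETS_KEY_RE.match(nxt) or SECRET_EXPR_RE.search(nxt):
                passes_secrets = True
                break
        findings.append(Finding(i + 1, m.group("action"), m.group("ref"), passes_secrets))
    return findings


# Constructed sample: the `mergetron` job mirrors the hunk under review; the
# `build` job, its example/* actions and the SHA are made up for the example.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  mergetron:
    uses: framer/mergetron/.github/workflows/install.yml@master
    secrets:
      mergetron_app_private_key: ${{ secrets.MERGETRON_APP_PRIVATE_KEY }}
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567  # made-up SHA
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: example/floating-action@main
        with:
          api_key: ${{ secrets.API_KEY }}
"""


def report(workflow_text: str) -> list[str]:
    """One human-readable row per finding, ordered by line number."""
    return [
        f"line {f.line}: {f.action}@{f.ref} is not SHA-pinned"
        f" ({f.severity}: {'secrets passed' if f.passes_secrets else 'no secrets seen'})"
        for f in find_unpinned_uses(workflow_text)
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_WORKFLOW):
        print(row)
```

On the sample this reports the `mergetron` job and `example/floating-action@main` as high (unpinned and receiving secrets) and `actions/checkout@v4` as medium (unpinned, no secrets in scope); the SHA-pinned step is skipped even though it reads `GITHUB_TOKEN`. The scanner tracks scope by indentation, so it follows the layout of normal hand-written workflows but is not a substitute for a real YAML parser on unusual formatting.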
This PR has been automatically marked as stale because it has not had any activity in the last 7 days. It will be closed if no further activity occurs in the next 7 days.


Description
This PR adds Mergetron to the Plugins repo.
It follows the installation in the readme: https://github.com/framer/mergetron
Testing