Pin andelf/nightly-release to version tag instead of @main branch

[Copilot]

andelf/nightly-release@main in the nightly workflow tracked a mutable branch on a low-trust repository, running nightly with GITHUB_TOKEN write access — a supply chain risk if that repo is compromised.

Change

• .github/workflows/nightly.yml: andelf/nightly-release@main → andelf/nightly-release@v1

- uses: andelf/nightly-release@main
+ uses: andelf/nightly-release@v1

All other actions across the workflows already reference version tags and are unchanged.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>CI/CD supply chain risk: GitHub Actions not SHA-pinned, nightly-release follows @main</issue_title>
<issue_description>## Summary

Several GitHub Actions in WLED's CI/CD workflows use mutable references (tags and branches) instead of immutable SHA pins. The highest-risk case is andelf/nightly-release@main which follows the main branch of a 22-star repository and runs nightly with write access to the WLED repo.

Findings

Critical: andelf/nightly-release@main

In .github/workflows/nightly.yml (line 34):

- name: Update Nightly Release
  uses: andelf/nightly-release@main
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This action is pinned to the main branch (not a tag, not a SHA) of a repository with 22 stars. It runs automatically every night at 2 AM UTC via cron, with GITHUB_TOKEN (repo write access) and access to PAT_PUBLIC.

If andelf/nightly-release is compromised (account takeover, malicious PR merged, etc.), the attacker's code runs inside WLED's CI with the ability to:

• Replace firmware binaries in nightly releases with malicious builds
• Exfiltrate GITHUB_TOKEN and PAT_PUBLIC
• Push commits or modify tags on the WLED repo

Broader pattern

No GitHub Actions across any workflow are SHA-pinned. All use mutable tags:

Action	Reference	Risk
andelf/nightly-release	@main (branch)	High — 22-star repo, branch pin
softprops/action-gh-release	@v1 (major tag)	Medium
janheinrichmerker/action-github-changelog-generator	@v2.4	Medium
actions-cool/check-user-permission	@v2	Medium
peter-evans/repository-dispatch	@v3	Low-Medium
actions/checkout, setup-python, setup-node, etc.	@v4/@v5	Low (official, but still mutable)

Suggested fix

Pin all actions to their commit SHA with a tag comment for readability:

# Before
uses: andelf/nightly-release@main

# After
uses: andelf/nightly-release@<commit-sha>  # main

Consider adding Dependabot or Renovate to automate SHA updates when upstream actions release new versions.

Alternatively, replace andelf/nightly-release with a more widely-used action like ncipollo/release-action (pinned to SHA), or inline the release logic with gh release CLI commands directly.

Context

Found during a third-party code audit of the WLED repository. This is a CI/CD configuration issue, not a firmware vulnerability, so public disclosure is appropriate.</issue_description>

<agent_instructions>Please update each of the actions in every github workflow file to reference the version tag for any using only branch name or no branch reference. Do not change the ones that use a tag to the gitsha</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@netmindz Please don't mix unrelated items in the same issue as it makes it really had to track. Most of the second comment is not a "finding" but just reality of certain design choices. For example, the WLED community has 3k forks, this isn't commercial software so preventing anything other than officially signed firmware to be installed is clearly something we would never do.

Please don't waste time by just spamming the results for AI without human review </comment_new>

• Fixes CI/CD supply chain risk: GitHub Actions not SHA-pinned, nightly-release follows @main #5373

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.