Skip to content

Release 0.52.1#179

Merged
tudddorrr merged 2 commits intomainfrom
develop
Feb 24, 2026
Merged

Release 0.52.1#179
tudddorrr merged 2 commits intomainfrom
develop

Conversation

@tudddorrr
Copy link
Contributor

@tudddorrr tudddorrr commented Feb 24, 2026

No description provided.

@tudddorrr tudddorrr added the release This pull request contains a release label Feb 24, 2026
@claude
Copy link

claude bot commented Feb 24, 2026

PR Review: Release 0.52.1

The version bump changes (VERSION and ClientVersion in BaseAPI.cs) are clean and consistent.

Security

🟡 Third-party GitHub Action pinned to @master with access to secrets

The switch from manleydev/butler-publish-itchio-action@master to XanatosX/butler-publish-itchio-action@master introduces a dependency on a different community-maintained action that is not pinned to a specific commit SHA. Since this action receives the BUTLER_CREDENTIALS secret, any future push to that repo's master branch — including a compromised push — would execute with access to that secret in CI.

Since you're already editing this line, pin to a specific commit SHA:

- uses: XanatosX/butler-publish-itchio-action@<full-commit-sha>

For example:

- uses: XanatosX/butler-publish-itchio-action@a78d84b7a7f85acb3c0ae96dd98d86ba3d3e879f

The SHA can be found on the action repository's commit history. This eliminates the risk of unintended updates or supply chain compromise affecting the release pipeline.

No other issues found.

@tudddorrr tudddorrr merged commit f0257b9 into main Feb 24, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

release This pull request contains a release

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tudddorrr