
[Security] Workflow pre-commit.yaml is using vulnerable action pre-commit/action

Open Ale0x78 opened this issue 2 years ago • 1 comment

The workflow pre-commit.yaml is referencing the action pre-commit/action using the reference v2.0.3. However, this reference is missing the commit 80db042ff08cdddbbbfb6f89c06a6bfc4dddf0b7, which may contain a fix to some vulnerability. The vulnerability fix missing from this action version could be related to: (1) a CVE fix, (2) an upgrade of a vulnerable dependency, (3) a fix to a secret leak, and others. Please consider updating the reference to the action.

Ale0x78, Dec 20 '21 03:12

Hi @Ale0x78, thanks for letting me know. I am currently using the latest release for pre-commit/action, and there is no newer release to move to. I have tried moving to the bleeding-edge master branch version of this action (see run here), but it seems that pre-commit/action can only be run from releases because their action.yml file specifies running dist/index.js, which doesn't exist in the repo. This file is manually generated by their Makefile when new releases of the action are packaged and released. As such, I cannot change the reference to the action unless there is a new release of pre-commit/action, or changes are made upstream in pre-commit/action so that the repo source is a valid action without executing the make step. I recommend you report the issue at pre-commit/action.

scottclowe, Dec 29 '21 18:12
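The report above flags a workflow that references an action by a mutable tag (v2.0.3) rather than by an immutable commit SHA. As an added illustration of that check from the repository owner's side (this is not code from python-template-repo, the reporting bot, or pre-commit/action), the script below scans a workflow's `uses:` lines and lists every reference that is not a full 40-character commit SHA; the workflow text and the SHA in it are constructed for the example.

```python
import re

# Constructed sample workflow, modelled on the pre-commit.yaml the issue
# describes; the real file is not on the page, so its contents are assumed.
SAMPLE_WORKFLOW = """\
name: pre-commit
on: [push, pull_request]
jobs:
  pre-commit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - uses: pre-commit/action@v2.0.3
      - uses: ./.github/actions/local-helper
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3 (placeholder SHA)
"""

# Matches "uses: owner/repo@ref" whether or not the line starts a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)")
# A full git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every remote action a workflow uses."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if target.startswith(("./", "docker://")):
            continue  # local and container actions are not pinned by a git ref
        action, _, ref = target.partition("@")
        refs.append((action, ref))
    return refs


def unpinned_actions(workflow_text):
    """Actions referenced by a mutable tag or branch instead of a commit SHA."""
    return [(a, r) for a, r in parse_uses(workflow_text) if not SHA_RE.match(r)]


if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: mutable reference, consider pinning to a commit SHA")
```

As the reply explains, pinning only works for a commit that is actually a packaged release of pre-commit/action (one containing dist/index.js), so the candidate SHA to pin is the commit the release tag points at, not the tip of master.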