chore(deps): update lycheeverse/lychee-action action to v2 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
lycheeverse/lychee-action	action	major	v1.10.0 → v2.0.2

GitHub Vulnerability Alerts

CVE-2024-48908

Summary

There is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml.

Details

The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action.

PoC

- uses: lycheeverse/lychee@v2
  with:
    lycheeVersion: $(printenv >> $GITHUB_STEP_SUMMARY && echo "v0.16.1")

The previous example will just print all the environment variables to the summary of the workflow, but an attacker could potentially use this vector to compromise the security of the target repository, even passing unnotice because the action will run normally.

Impact

Low

---

Release Notes

lycheeverse/lychee-action (lycheeverse/lychee-action)

v2.0.2: Version 2.0.2

Compare Source

What's Changed

• Fix a typos by @​szepeviktor in #​257
• Document and use correct permissions in the GitHub workflows by @​dscho in #​258
• Add security policy by @​mondeja in #​259

New Contributors

• @​szepeviktor made their first contribution in #​257
• @​mondeja made their first contribution in #​259

Full Changelog: lycheeverse/lychee-action@v2...v2.0.2

v2.0.1: Version 2.0.1

Compare Source

What's Changed

• Don't remove the lychee config file by @​dmathieu in #​255
• Bump lycheeverse/lychee-action from 1 to 2 by @​dependabot in #​252
• Fix variable name in docs by @​kdeldycke in #​253

New Contributors

• @​dmathieu made their first contribution in #​255

Full Changelog: lycheeverse/lychee-action@v2...v2.0.1

v2.0.0: Version 2.0.0

Compare Source

Breaking Changes

Note: This release improves the action's robustness by changing default behaviors. Changes are only required if you want to opt out of the new failure conditions. Most users won't need to modify their existing configurations.

Fail pipeline on error by default

We've changed the default behavior: pipelines will now fail on broken links automatically. This addresses user feedback that not failing on broken links was unexpected (see issue #​71).

What you need to do:

• Update to version 2 of this action to apply this change.
• Users of the lychee-action@master branch don't need to make any changes, as fail: true has been the default there for a while.
• If you prefer the old behavior, explicitly set fail to false when updating:

- name: Link Checker
  id: lychee
  uses: lycheeverse/lychee-action@v2
  with:
    fail: false  # Don't fail action on broken links

Fail pipeline if no links were found

Similar to the above change, we now fail the pipeline if no links are found during a run. This helps warn users about potential configuration issues.

What you need to do:

• If you expect links to be found in your pipeline run, you don't need to do anything.
• If you expect no links in your pipeline run, you can opt out like this:

- name: Link Checker
  id: lychee
  uses: lycheeverse/lychee-action@v2
  with:
    failIfEmpty: false  # Don't fail action if no links were found

Exit code handling

In this version, we changed the environment variable for the lychee exit code from GITHUB_ENV to GITHUB_OUTPUT.
Please update your scripts. For more details, see #​245.

For a more detailed description of the technical aspects behind these changes, please see the full changelog below.

What's Changed

• feat: change to use the full version tag with v-* prefix by @​kemingy in #​204
• Add failIfEmpty argument (fixes #​84) by @​mre in #​86
• Fail pipeline on error by default (fixes #​71) by @​mre in #​85
• Exit in case output is set in args and action input by @​mre in #​227
• v1 will automatically use latest version by @​jacobdalamb in #​228
• Remove unneeded text by @​jacobdalamb in #​229
• Clarify README.md defaults by @​paddyroddy in #​230
• Adjust for new asset naming scheme by @​dscho in #​234
• Test various lychee versions by @​mre in #​235
• Better cleanup of old lychee assets by @​mre in #​237
• Bump peter-evans/create-issue-from-file from v4 to v5 by @​AndreiCherniaev in #​241
• Remove dots from table by @​AndreiCherniaev in #​242
• README: update actions/cache to v4 by @​sebastiaanspeck in #​243
• Set exit_code correctly as output by @​sebastiaanspeck in #​245
• action: fix failing CI by @​sebastiaanspeck in #​246
• Split up steps in action by @​mre in #​248
• Bump version to 0.16.x, respect new tag names by @​mre in #​249
• Test latest lychee version tag by @​mre in #​236

New Contributors

• @​kemingy made their first contribution in #​204
• @​paddyroddy made their first contribution in #​230
• @​dscho made their first contribution in #​234
• @​AndreiCherniaev made their first contribution in #​241
• @​sebastiaanspeck made their first contribution in #​243

Full Changelog: lycheeverse/lychee-action@v1...v1.11.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.