Potential fix for code scanning alert no. 54: Use of a known vulnerable action

[habib-deriv]

Potential fix for https://github.com/deriv-com/deriv-api-docs/security/code-scanning/54

To fix the issue, the workflow should update the actions/download-artifact action to version 4.1.3, which is the latest secure version as recommended. This involves replacing the specific commit hash (6b208ae046db98c579e8a3aa621ab581ff575935) with the version tag v4.1.3. This change ensures that the workflow uses a secure and patched version of the action while maintaining its functionality.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
deriv-api-docs	✅ Ready (Inspect)	Visit Preview	May 29, 2025 5:02am

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/download-artifact	d3f86a106a0bac45b974a628896c90dbdf5c8093	🟢 5.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected
actions/actions/download-artifact	6b208ae046db98c579e8a3aa621ab581ff575935	🟢 5.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected

Scanned Manifest Files

.github/workflows/release_production.yml

• actions/download-artifact@d3f86a1
• actions/download-artifact@6b208ae