Skip to content

ci: pin third-party actions to commit SHAs and least-privilege permissions#13

Closed
OgeonX-Ai wants to merge 1 commit into
mainfrom
ci/phase-31-workflow-hardening
Closed

ci: pin third-party actions to commit SHAs and least-privilege permissions#13
OgeonX-Ai wants to merge 1 commit into
mainfrom
ci/phase-31-workflow-hardening

Conversation

@OgeonX-Ai

Copy link
Copy Markdown
Contributor

Summary

  • Pins every third-party GitHub Actions uses: reference (checkout, setup-python, codeql-action init/autobuild/analyze, upload-pages-artifact, deploy-pages, amannn/action-semantic-pull-request, actions/stale) to an immutable commit SHA across ci.yml, codeql.yml, pages.yml, pr-lint.yml, stale.yml.
  • SHAs resolved live via gh api repos/<owner>/<action>/commits/<tag> on 2026-07-07 (repo had already drifted past the phase-31-01 baseline tags to checkout v7, setup-python v6, codeql-action v4, upload-pages-artifact v5, deploy-pages v5, action-semantic-pull-request v6, stale v10 — resolved fresh rather than reusing stale SHAs).
  • codeql.yml, pr-lint.yml, and stale.yml already carry permissions: blocks (added ahead of this plan run); not modified here — only uses: lines changed.
  • contract-registry-live.yml was already SHA-pinned and is untouched.
  • Part of REQ-1.4.10 (org-wide CI supply-chain hardening, phase 31).

Merge order dependency

This branch was cut from origin/main and does not touch .github/workflows/ci.yml job logic — only the uses: refs and their trailing tag comments — so it should not conflict with the two open PRs that also touch or neighbor ci.yml:

Recommended order: merge #11 first, then update-branch/rebase this PR on the result before merging, then handle #12 similarly. This PR does not merge or touch branch protection.

Test plan

  • pwsh scripts/workflow-lint.ps1 -Path portfolio/autogen -Json reports zero findings on this branch.
  • git diff --stat confirms only uses: lines changed.

…rmissions (REQ-1.4.10)

- Pin actions/checkout, setup-python, codeql-action init/autobuild/analyze,
  upload-pages-artifact, deploy-pages, amannn/action-semantic-pull-request, and
  actions/stale to immutable commit SHAs across ci.yml, codeql.yml, pages.yml,
  pr-lint.yml, stale.yml
- Tags resolved live via gh api (2026-07-07) since files were already bumped past the
  phase-31-01 baseline (checkout v7, setup-python v6, codeql-action v4,
  upload-pages-artifact v5, deploy-pages v5, action-semantic-pull-request v6, stale v10)
- codeql.yml, pr-lint.yml, and stale.yml already carry permissions: blocks (added ahead
  of this plan); not modified here — only uses: lines changed
- contract-registry-live.yml already SHA-pinned; left untouched
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@OgeonX-Ai

Copy link
Copy Markdown
Contributor Author

Superseded by #17, which consolidated the surviving work onto current main without reintroducing the stale dependency stack.

@OgeonX-Ai OgeonX-Ai closed this Jul 8, 2026
auto-merge was automatically disabled July 8, 2026 18:32

Pull request was closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants