chore(ci): pin all GitHub Actions to commit SHAs + add concurrency to audit.yml #35
saagpatel wants to merge 1 commit into
Conversation
… audit.yml

Pin every `uses:` ref across all 5 workflows (audit, ci, codeql, pypi, release) from floating major tags to the commit SHA their current tag resolves to, annotated with the resolved version. Removes the moving-tag supply-chain surface: a compromised or repointed tag can no longer swap action code into our CI silently.

Add a concurrency group to audit.yml (ci.yml and codeql.yml already had one) with cancel-in-progress: false, so overlapping scheduled audit runs serialize instead of racing on the history cache.

Pins are re-derived fresh against canonical's current action majors (checkout v6, setup-python v6, upload/download-artifact v7, action-gh-release v3); supersedes the stale archived attempt that targeted older v4/v5 majors.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 94dca6df82
| - name: Publish package distributions to PyPI | ||
| uses: pypa/gh-action-pypi-publish@release/v1 | ||
| uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 |
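Review bot: the `# v1.14.0` annotation beside `cef221092ed1bacb1cc03d23a2d87d1d172e277b` is the only human-readable evidence of what the pin is, and nothing in the hunk or the PR text shows how that SHA was confirmed to be the commit `v1.14.0` resolves to; please record the resolution in the PR (for example the peeled `refs/tags/v1.14.0^{}` line from `git ls-remote --tags`, since for an annotated tag the un-peeled entry is the tag object, not the commit) so a reviewer can reproduce it. The companion policy test also has to move in the same commit: as the comment below states, `tests/test_distribution_policy.py` still expects `pypa/gh-action-pypi-publish@release/v1`, so this change alone turns CI red; asserting on the pin shape (40-hex SHA plus version annotation) rather than one literal string would stop the test from breaking on every re-pin.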
Update the PyPI workflow policy assertion
With this action reference now pinned, tests/test_distribution_policy.py still asserts the old floating string pypa/gh-action-pypi-publish@release/v1, and ci.yml runs python -m pytest tests/ -v --tb=short, so every CI run fails before reaching lint/type checks. I verified this with python -m pytest tests/test_distribution_policy.py -q; please update the policy test to accept the pinned ref or the adjacent version annotation.
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v4 | ||
| uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1 |
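Review bot: only the `init` step is visible here, but `init` and `analyze` are two halves of one CodeQL release, so `github/codeql-action/analyze` (which, per the comment below, the policy test asserts on as well) must be pinned to the identical `87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1`; a major-tag pin kept the two in lockstep automatically, whereas two hand-copied SHAs can drift apart silently on a later bump, so a check that the `init` and `analyze` refs are equal is worth adding to the policy test. As with the PyPI hunk, the test update needs to land in this same commit, since the suite currently fails on it.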
Update the CodeQL workflow policy assertion
Pinning CodeQL to a SHA leaves tests/test_distribution_policy.py expecting github/codeql-action/init@v4 and github/codeql-action/analyze@v4; because the CI workflow runs the full pytest suite, this makes the pipeline fail on this commit. I verified the failure with python -m pytest tests/test_distribution_policy.py -q; please update the distribution policy test to validate the pinned CodeQL refs or their version comments.
Superseded — canonical main already carries identical SHA pins (same commit SHAs across all 5 workflows + audit.yml concurrency + the companion test_distribution_policy.py assertion updates) as of #36. This branch was developed in parallel and converged on the exact same pins; closing as redundant. The CI failure here was only because this branch forked from #33 (pre-update policy tests) — main's version is strictly more complete.
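The two Codex comments above both fail on the same root cause: the policy test asserts one literal `uses:` string instead of the property the PR is actually establishing. Below is an added example of that property written as a check (not code from this repository or from the PR, and not the contents of tests/test_distribution_policy.py). It assumes the annotation convention the PR uses (`@<40-hex-sha> # vX.Y.Z`), scans raw workflow text rather than parsing YAML, and takes `git ls-remote --tags` output captured out of band so it runs offline. The BEFORE/AFTER workflow snippets and the ls-remote output are constructed for the example; the two commit SHAs in them are the ones visible in the diff above, while the `1111…` tag-object SHA is made up to show the annotated-tag case.

```python
import re
from typing import NamedTuple

# Matches e.g. "- uses: pypa/gh-action-pypi-publish@cef2210...  # v1.14.0".
# Local actions ("./path", no "@") and "docker://" refs do not match and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"v?\d+(?:\.\d+){0,2}")  # v1 / v1.14 / v1.14.0


class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    problem: str


def check_pins(workflow_text: str) -> list[Finding]:
    """Shape check: flag floating refs and SHA pins without a `# vX.Y.Z` annotation."""
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        if not SHA_RE.fullmatch(m["ref"]):
            findings.append(Finding(lineno, m["action"], m["ref"], "floating ref (tag or branch), not a full commit SHA"))
        elif not m["comment"] or not VERSION_RE.fullmatch(m["comment"].strip()):
            findings.append(Finding(lineno, m["action"], m["ref"], "SHA pin lacks a '# vX.Y.Z' version annotation"))
    return findings


def tag_to_commit(ls_remote_output: str) -> dict[str, str]:
    """Map tag -> commit SHA from `git ls-remote --tags <repo>` output.
    An annotated tag is listed twice: refs/tags/v1.14.0 (the tag object) and
    refs/tags/v1.14.0^{} (the commit). A `uses:` pin names the commit, so the peeled entry wins."""
    tags: dict[str, str] = {}
    for line in ls_remote_output.splitlines():
        if "\t" not in line:
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha        # peeled commit SHA overrides the tag-object SHA
        else:
            tags.setdefault(name, sha)   # lightweight tag, or placeholder until peeled
    return tags


def verify_pins(workflow_text: str, ls_remote_by_repo: dict[str, str]) -> list[Finding]:
    """check_pins() plus a cross-check that each annotated tag resolves to the pinned SHA.
    `ls_remote_by_repo` maps "owner/repo" -> raw `git ls-remote --tags` output captured out of band."""
    findings = check_pins(workflow_text)
    already = {f.line for f in findings}
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or lineno in already:
            continue
        repo = "/".join(m["action"].split("/")[:2])  # drop sub-path, e.g. codeql-action/init
        tag = m["comment"].strip()
        resolved = tag_to_commit(ls_remote_by_repo.get(repo, "")).get(tag)
        if resolved is None:
            findings.append(Finding(lineno, m["action"], m["ref"], f"tag {tag} not present in ls-remote data for {repo}"))
        elif resolved != m["ref"]:
            findings.append(Finding(lineno, m["action"], m["ref"], f"annotation says {tag} but that tag resolves to {resolved}"))
    return findings


# Constructed sample: floating-tag "before" and SHA-pinned "after" state of the
# two steps shown in this PR's diff (those two SHAs are the PR's own pins).
BEFORE = """\
steps:
  - uses: github/codeql-action/init@v4
  - name: Publish package distributions to PyPI
    uses: pypa/gh-action-pypi-publish@release/v1
"""
AFTER = """\
steps:
  - uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
  - name: Publish package distributions to PyPI
    uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
  - uses: ./.github/actions/local-step
"""
# Constructed `git ls-remote --tags` output. The 1111... tag-object SHA is made up
# to exercise the annotated-tag case; the peeled commit SHAs are the PR's pins.
LS_REMOTE = {
    "pypa/gh-action-pypi-publish": (
        "1111111111111111111111111111111111111111\trefs/tags/v1.14.0\n"
        "cef221092ed1bacb1cc03d23a2d87d1d172e277b\trefs/tags/v1.14.0^{}\n"
    ),
    "github/codeql-action": "87557b9c84dde89fdd9b10e88954ac2f4248e463\trefs/tags/v4.36.1\n",
}

if __name__ == "__main__":
    for f in check_pins(BEFORE) + verify_pins(AFTER, LS_REMOTE):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.problem}")
```

Run against BEFORE it reports both floating refs; against AFTER with matching ls-remote data it reports nothing, and it reports a mismatch if a tag is later re-pointed, which is exactly the event the PR is defending against. The peeling logic matters in practice: copying the SHA from the un-peeled `refs/tags/vX` line of an annotated tag yields a tag-object SHA that is not a commit.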
What

Pins every `uses:` action reference across all 5 workflows to an immutable commit SHA (annotated with the resolved version), and adds a concurrency group to `audit.yml`.

Why

Floating major tags (`@v6`, `@release/v1`) are a supply-chain surface — a tag can be force-repointed to malicious code. Commit SHAs can't move. This is the auditor dogfooding the GitHub Actions hardening posture it reports on other repos.

Pins (resolved live against canonical's current majors)

de0fac2a309ff827d5ce7043fb4637930b187557b9b430933cef2210

Concurrency

`audit.yml` gains `group: ${{ github.workflow }}-${{ github.ref }}` + `cancel-in-progress: false` so overlapping scheduled audits serialize instead of racing on the history cache. `ci.yml` and `codeql.yml` already had concurrency.

Notes