From 5abd0299f4468c1f860037c2b65bb241b94bdef9 Mon Sep 17 00:00:00 2001
From: Juha Jeronen
Date: Thu, 11 Jun 2026 20:03:26 +0300
Subject: [PATCH] ci: pin GitHub Actions to commit SHAs (supply-chain hardening)

Every `uses:` is pinned to a full 40-char commit SHA with a trailing `# vX.Y.Z` comment, replacing floating major tags (and the `release/v1` branch for gh-action-pypi-publish). A mutable ref can be silently repointed if an action repo or maintainer account is compromised (cf. tj-actions/changed-files, March 2025); a SHA pin cannot. Pins target the latest release of each action, all reviewed this session. Dependabot (github-actions ecosystem, already configured) updates SHA pins and bumps the version comment alongside, so security fixes still arrive as reviewable PRs.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/ci.yml | 18 +++++++++---------
 .github/workflows/coverage.yml | 6 +++---
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2005dfb..3d262100 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,9 +17,9 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.14"
 - name: Install ruff
@@ -60,9 +60,9 @@ jobs:
 python-version: "pypy-3.11"
 
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install tools in CI venv
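Review bot: Nothing in the workflow ties the `# v6.0.3` comment on the `actions/checkout` pin (or the `# v6.2.0` on `actions/setup-python`) to the SHA beside it, so a mis-copied or later-drifted SHA is still accepted silently and the only evidence that each SHA was resolved from its release tag is the sentence "all reviewed this session" in the commit message. Record the check in a reviewable form: either list the `git ls-remote <action-repo> refs/tags/<tag>` outputs in the description, or add a lint step that fails when a pin is not a full-length SHA or its version comment does not resolve to that commit (e.g. a zizmor run in the `lint` job), so Dependabot's comment bumps are also validated. The same applies to the `@@ -60,9 +60,9 @@`, `@@ -89,13 +89,13 @@` and `@@ -108,11 +108,11 @@` hunks of ci.yml and both hunks of coverage.yml. The `lint` job's definition starts before this hunk and its remaining steps continue after it.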
@@ -89,13 +89,13 @@ jobs:
 needs: test
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-python@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: "3.14"
 - run: pip install build
 - run: python -m build
- - uses: actions/upload-artifact@v7
+ - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: dist
 path: dist/
@@ -108,11 +108,11 @@ jobs:
 permissions:
 id-token: write
 steps:
- - uses: actions/download-artifact@v8
+ - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: dist
 path: dist/
- - uses: pypa/gh-action-pypi-publish@release/v1
+ - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
 with:
 packages-dir: dist/
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 5c60f73c..9d7ac879 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -19,9 +19,9 @@ jobs:
 python-version: ["3.12"]
 
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
 - name: Install tools in CI virtualenv
@@ -46,7 +46,7 @@ jobs:
 pdm run python -m coverage run --source=. -m runtests
 pdm run python -m coverage xml
 - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v6
+ uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
 files: ./coverage.xml
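Review bot: The `codecov/codecov-action` line in the `@@ -46,7 +46,7 @@` hunk of coverage.yml is not a pure pin: it moves from the `v6` major to a commit labelled `# v7.0.0`, so a major-version upgrade rides along in a commit whose message describes only pinning, and the `token` and `files` inputs passed under `with:` are not confirmed against the v7 action's metadata anywhere in the change. Either pin this step to the latest v6 release commit here (`uses: codecov/codecov-action@<LATEST_V6_RELEASE_SHA> # v6.x.y`, SHA to be resolved from the tag) and land the v7 upgrade as its own reviewable commit, or state in the description that v7's input contract was checked. If the action fetches an uploader at run time rather than bundling it, the SHA pin covers only the wrapper, which is worth noting in a comment on the step, e.g. `# SHA pins the action definition only; see the action's docs for how the uploader itself is verified`. The `@@ -108,11 +108,11 @@` hunk of ci.yml lists 11 lines on each side but the hunk as shown has 10; the surrounding job definition starts before that hunk.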