From 15f882951e5983f61a0268cebd57a97c2ff668f5 Mon Sep 17 00:00:00 2001 From: Allen Byrd <125306425+allenfbyrd@users.noreply.github.com> Date: Mon, 22 Jun 2026 15:00:19 -0400 Subject: [PATCH] ci: pin GitHub Actions to commit SHAs + add Dependabot Pin actions to immutable commit SHAs (with # vX comments) to defend against mutable-tag supply-chain attacks; add/extend a github-actions Dependabot config so the pins still receive reviewed update PRs. --- .github/dependabot.yml | 6 ++++++ .github/workflows/action-smoke.yml | 8 ++++---- .github/workflows/consistency.yml | 4 ++-- .github/workflows/release.yml | 12 ++++++------ .github/workflows/secret-scan.yml | 4 ++-- .github/workflows/test.yml | 4 ++-- 6 files changed, 22 insertions(+), 16 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..5ace460 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/action-smoke.yml b/.github/workflows/action-smoke.yml index 1dcc8dc..3adcfa4 100644 --- a/.github/workflows/action-smoke.yml +++ b/.github/workflows/action-smoke.yml @@ -15,8 +15,8 @@ jobs: block-must-fail: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" - id: gate @@ -40,8 +40,8 @@ jobs: out-of-scope-must-pass: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" - uses: ./docs/action diff --git a/.github/workflows/consistency.yml b/.github/workflows/consistency.yml index 7193d9c..d746790 100644 --- a/.github/workflows/consistency.yml +++ b/.github/workflows/consistency.yml @@ -22,10 +22,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3 with: version: "0.11.6" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8c483bf..e118d70 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,10 +24,10 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3 with: version: "0.11.6" @@ -60,10 +60,10 @@ jobs: # NOTE: if the PyPI Trusted Publisher was registered with an Environment name, # add a matching `environment:` block here. Registered without one -> omit it. steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3 with: version: "0.11.6" @@ -74,9 +74,9 @@ jobs: run: uv build - name: SLSA build provenance (verify with `gh attestation verify`) - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1 with: subject-path: "dist/*" - name: Publish to PyPI (Trusted Publisher + PEP 740 attestations) - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml index 8b80563..ec6150d 100644 --- a/.github/workflows/secret-scan.yml +++ b/.github/workflows/secret-scan.yml @@ -21,12 +21,12 @@ jobs: timeout-minutes: 10 steps: # Full history so gitleaks scans every commit on a push, not just the tip. - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Run gitleaks - uses: gitleaks/gitleaks-action@v2 + uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Polycentric-Labs is a GitHub Organization; gitleaks-action requires a diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e47e743..e118965 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -16,10 +16,10 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install uv - uses: astral-sh/setup-uv@v3 + uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3 with: version: "0.11.6"