
ci(security): SHA-pin slsa-framework/slsa-github-generator in pages-deploy.yml #263

@WilliamBerryiii

Description


Problem

The slsa-framework/slsa-github-generator reusable workflow in pages-deploy.yml (line ~782) is referenced by tag only:

uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0

While #100 will replace this entirely with actions/attest@v4.1.0, the tag-only reference is a supply chain risk in the interim. Tag references are mutable — a compromised tag could inject malicious code into the attestation workflow.

Proposed Solution

SHA-pin the existing reference until #100 lands:

uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@bcb39c1a0aa1e68c09f445acae2ca1116e301104  # v2.1.0

Acceptance Criteria

  • slsa-framework/slsa-github-generator@v2.1.0 SHA-pinned with version comment
  • SHA verified against slsa-framework/slsa-github-generator v2.1.0 release tag
  • No behavioral change — same workflow, immutable reference

Notes

This is an interim fix. Issue #100 will remove this reference entirely. If #100 is implemented first, this issue can be closed as superseded.

Dependencies
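The acceptance criteria above (SHA pinned, version comment present) can be checked mechanically. The following is an added example, not code from this repository or from slsa-github-generator: a small audit of `uses:` lines in a workflow file that flags tag or branch references, full-SHA pins with no trailing version comment, and references with no ref at all. The sample workflow and the 40-hex SHAs in it are constructed placeholders, not real commits.

```python
import re
from typing import List, Tuple

# A "uses:" line, optionally quoted, with an optional trailing "# comment".
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")       # immutable commit pin
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")   # e.g. "v2.1.0"

# Constructed sample: one tag-only reusable workflow, one correct pin,
# one pin without a version comment, one local action, one ref-less action.
SAMPLE_WORKFLOW = """\
jobs:
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.1.1
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action
"""


def audit_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, problem) for each `uses:` reference
    that is not pinned to a full commit SHA with a version comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        # Local composite actions and docker:// images are outside this check.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref: resolves to the default branch"))
            continue
        version = ref.rpartition("@")[2]
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, "mutable tag/branch ref, not a 40-hex SHA"))
        elif not VERSION_COMMENT_RE.match(comment):
            findings.append((lineno, ref, "SHA-pinned but missing '# vX.Y.Z' comment"))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {problem}: {ref}")
```

The check is syntactic only: confirming that a pinned SHA really is the commit behind the release tag still requires comparing it against the upstream tag, as the acceptance criteria require.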

Labels: enhancement (New feature or request), security (Security-related changes or concerns)
