security: Harden release workflow (repo guard + SHA256SUMS)#42
Merged
Conversation
Align with the security baseline used in williajm/mcp_docker:

- Add `if: github.repository == 'williajm/mcp_kafka'` guard to both build-and-sign and publish-pypi jobs so forks can't run the release workflow (belt-and-suspenders with the trusted-publisher binding and the pypi environment's branch/tag policy).
- Generate SHA256SUMS.txt during build, exclude it from the PyPI upload artifact, and upload it to the GitHub release so consumers can verify artifacts with `sha256sum -c SHA256SUMS.txt`.
- Add SHA256 section + verification snippet to the workflow step summary.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes CVE-2026-39892 (cryptography buffer overflow in Hash.update on non-contiguous Python buffers) and CVE-2025-71176 (pytest /tmp dir permissions allow local DoS / privilege escalation). cryptography is a transitive dep (via authlib / pyjwt / secretstorage), upgraded explicitly via `uv lock --upgrade-package cryptography`. Lockfile regenerated with `uv lock --exclude-newer` (3-day buffer). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bundled dep bumps: cryptography 46.0.6 → 46.0.7 (CVE-2026-39892, transitive via authlib/pyjwt) and pytest 9.0.2 → 9.0.3 (CVE-2025-71176). These were failing pip-audit in CI — fix included here so the PR is mergeable.
The previous commit locked with `--exclude-newer` which baked an [options] exclude-newer entry into uv.lock. CI does not set UV_EXCLUDE_NEWER, so it re-resolved and `--locked` failed consistency checks. Regenerate without the flag to match main's lockfile style; hash-pinned lockfile still provides supply-chain integrity. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- Guard `release.yml` jobs to the upstream repo via `if: github.repository == 'williajm/mcp_kafka'`
- Generate `SHA256SUMS.txt` during build, upload to the GitHub release for artifact verification

Context

Aligns this repo with the security baseline in williajm/mcp_docker. Sister PRs:

Also added a `v*` tag deployment policy to the `pypi` environment (done out-of-band via the GitHub API).

Test plan

- Release includes `SHA256SUMS.txt` alongside the existing artifacts
- `sha256sum --ignore-missing -c SHA256SUMS.txt` verifies downloaded artifacts

🤖 Generated with Claude Code
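As an added example (not the project's release.yml and not code from this PR), here is a POSIX shell sketch of both halves of the checksum flow the PR describes: build-side generation of `SHA256SUMS.txt` that never lists itself, the PyPI upload set that excludes the sums file, and the consumer-side `sha256sum --ignore-missing -c` check, exercised against a partial download and a modified artifact. It assumes GNU coreutils `sha256sum`; the artifact file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the project's release.yml: build-side SHA256SUMS.txt
# generation and the consumer-side check the PR describes.
# Assumes GNU coreutils sha256sum (--ignore-missing needs coreutils >= 8.25).

# Write SHA256SUMS.txt covering every regular file in $1, never listing itself,
# so the sums file can be regenerated idempotently.
write_sums() {
  ( cd "$1" && for f in *; do
      if [ -f "$f" ] && [ "$f" != SHA256SUMS.txt ]; then sha256sum -- "$f"; fi
    done > SHA256SUMS.txt )
}

# Files destined for the PyPI upload artifact: everything except the sums file,
# which only belongs on the GitHub release.
pypi_upload_set() {
  ( cd "$1" && for f in *; do
      if [ -f "$f" ] && [ "$f" != SHA256SUMS.txt ]; then printf '%s\n' "$f"; fi
    done )
}

# Consumer-side check. --ignore-missing lets someone who downloaded only one
# artifact verify just that one; --strict rejects malformed checksum lines.
# Note: if none of the listed files is present, sha256sum still exits non-zero.
verify_sums() {
  ( cd "$1" && sha256sum --ignore-missing --strict -c SHA256SUMS.txt )
}

# Constructed demo with placeholder artifact names (not real release files).
demo() {
  dist=$(mktemp -d)
  printf 'wheel bytes' > "$dist/PLACEHOLDER-0.0.0-py3-none-any.whl"
  printf 'sdist bytes' > "$dist/PLACEHOLDER-0.0.0.tar.gz"
  write_sums "$dist"
  echo "PyPI upload set:"; pypi_upload_set "$dist"
  verify_sums "$dist" && echo "release artifacts verified"
  rm -- "$dist/PLACEHOLDER-0.0.0-py3-none-any.whl"      # partial download
  verify_sums "$dist" && echo "partial download still verifies"
  printf 'tampered' > "$dist/PLACEHOLDER-0.0.0.tar.gz"  # modified artifact
  verify_sums "$dist" || echo "tampering detected"
  rm -rf -- "$dist"
}

demo
```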