From 07829be8f52acbfbb9973c201e67523d952c8781 Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 28 Jun 2026 01:59:08 +0000 Subject: [PATCH] fix(security): pin third-party GitHub Actions to SHA hashes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Unpinned tag references for third-party actions can be silently mutated. Pin each action to its commit SHA so the workflow is immune to tag redirection attacks that could exfiltrate PYPI_TOKEN / RELEASE_PAT or inject malicious code into CI. Actions pinned: - astral-sh/setup-uv@v7 → @94527f2e458b27549849d47d273a16bec83a01e9 - actions/checkout@v6 → @df4cb1c069e1874edd31b4311f1884172cec0e10 - actions/setup-python@v6 → @ece7cb06caefa5fff74198d8649806c4678c61a1 - pre-commit/action@v3.0.1 → @2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd --- .github/workflows/continuous-integration.yml | 18 +++++++++--------- .github/workflows/release-publish.yml | 6 +++--- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 1ae99891fe2..047f99686b0 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -40,10 +40,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Run pre-commit checks - uses: pre-commit/action@v3.0.1 + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 # 2. Static type analysis (Mypy Check with Matrix) # Compares new changes against the target base branch dynamically to support v1. 
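Review bot: The new SHA pins on the `uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6` and `uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1` lines will silently go stale unless something refreshes them, and this diff adds no `.github/dependabot.yml` entry; add one with `package-ecosystem: "github-actions"` so Dependabot bumps both the SHA and the trailing `# v6` / `# v3.0.1` comment, which the runner itself never validates. The same applies to every pinned `uses:` line in the `@@ -56`, `@@ -125` and `@@ -156` hunks and in release-publish.yml, so one Dependabot entry covers them all. Before merging, confirm each SHA is the commit the upstream release tag actually points to, because a pin is only as trustworthy as the commit it names. Independently of pinning, the Checkout Code step here is followed only by pre-commit, so `with: persist-credentials: false` would keep the job token out of `.git/config` where later steps could read it — assuming no later step in this job pushes, which the hunk does not show.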
@@ -56,17 +56,17 @@ jobs: python-version: ['3.10', '3.11', '3.12', '3.13'] steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python-version }} - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7 - name: Generate Baseline env: @@ -125,15 +125,15 @@ jobs: timeout-minutes: 10 steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python-version }} - name: Install the latest version of uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7 - name: Install dependencies run: | @@ -156,7 +156,7 @@ jobs: if: github.event_name == 'pull_request' steps: - name: Checkout Code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: # Fetch full history (depth: 0) instead of shallow clone (depth: 2) to ensure # git diff origin/${base_ref}...HEAD can reliably find the merge base, diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 8b8296d49d6..3e9636d23ec 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -35,7 +35,7 @@ jobs: exit 1 fi - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Determine Release Type and Extract Version id: version 
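Review bot: The pinned `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6` step in release-publish.yml narrows but does not remove the exposure the commit message describes: PYPI_TOKEN / RELEASE_PAT are still handed to whatever code the pinned commits execute, so the remaining controls are a least-privilege `permissions:` block on this job and, for the PyPI upload, trusted publishing via OIDC (`id-token: write`) so no long-lived token exists to exfiltrate. Neither the job's `permissions:` nor the publish step is inside this hunk, so I cannot confirm what is already configured. The `exit 1` / `fi` context above the pin indicates a shell guard precedes checkout, but that guard starts outside the hunk.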
@@ -66,12 +66,12 @@ jobs: fi - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7 with: version: "latest" - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: "3.11"