
Commit ec954c2

sionsmithclaude
andcommitted
fix: pin GitHub Actions to immutable commit SHAs
Mitigates supply chain attacks via tag mutation (CVE-2025-30066) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 17383bb commit ec954c2

4 files changed

Lines changed: 53 additions & 43 deletions


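--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -5,6 +5,10 @@ on:
 tags:
 - 'v*'
 
+permissions:
+contents: read
+packages: write
+
 env:
 REGISTRY: ghcr.io
 IMAGE_NAME: osodevops/k2i
@@ -16,20 +20,20 @@ jobs:
 name: Run Tests
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install system dependencies
 run: |
 sudo apt-get update
 sudo apt-get install -y cmake libssl-dev pkg-config
 
 - name: Install Rust toolchain
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 with:
 components: clippy, rustfmt
 
 - name: Cache cargo registry
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.cargo/registry
@@ -59,21 +63,21 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@v3
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
 - name: Log in to GitHub Container Registry
-uses: docker/login-action@v3
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Extract metadata
 id: meta
-uses: docker/metadata-action@v5
+uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
@@ -82,7 +86,7 @@ jobs:
 type=raw,value=latest
 
 - name: Build and push Docker image
-uses: docker/build-push-action@v5
+uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 push: true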
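Review bot: Pinning `dtolnay/rust-toolchain` to a commit SHA in the `Install Rust toolchain` step of the second hunk (and the same step in release.yml, semver-check.yml and test.yml) most likely drops the toolchain selection: as far as I recall, that action reads the channel from the ref it is invoked with (`@stable`), so with a SHA ref no channel is chosen unless the `toolchain:` input is set explicitly — please confirm against the action's `action.yml` before merging. Adding `toolchain: stable` under each step's `with:` block (`with:` / `toolchain: stable` / `components: clippy, rustfmt`) keeps the behaviour the `# stable` comment promises; the semver-check.yml step currently has no `with:` block at all. Separately, the workflow-level `packages: write` added in the first hunk also grants the `Run Tests` job write access to GHCR; a job-level `permissions:` on the build-and-push job alone would keep the test job at `contents: read`.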

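--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -55,7 +55,7 @@ jobs:
 # Only run tests on actual tag pushes, not PRs (PRs have their own test workflow)
 if: ${{ !github.event.pull_request }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 
@@ -65,12 +65,12 @@ jobs:
 sudo apt-get install -y cmake libssl-dev pkg-config
 
 - name: Install Rust toolchain
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 with:
 components: clippy, rustfmt
 
 - name: Cache cargo registry
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.cargo/registry
@@ -106,7 +106,7 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 submodules: recursive
@@ -116,7 +116,7 @@ jobs:
 shell: bash
 run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.2/cargo-dist-installer.sh | sh"
 - name: Cache dist
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: cargo-dist-cache
 path: ~/.cargo/bin/dist
@@ -132,7 +132,7 @@ jobs:
 cat plan-dist-manifest.json
 echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT"
 - name: "Upload dist-manifest.json"
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: artifacts-plan-dist-manifest
 path: plan-dist-manifest.json
@@ -166,7 +166,7 @@ jobs:
 - name: enable windows longpaths
 run: |
 git config --global core.longpaths true
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 submodules: recursive
@@ -181,7 +181,7 @@ jobs:
 run: ${{ matrix.install_dist.run }}
 # Get the dist-manifest
 - name: Fetch local artifacts
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: artifacts-*
 path: target/distrib/
@@ -208,7 +208,7 @@ jobs:
 
 cp dist-manifest.json "$BUILD_MANIFEST_NAME"
 - name: "Upload artifacts"
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: artifacts-build-local-${{ join(matrix.targets, '_') }}
 path: |
@@ -225,19 +225,19 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 BUILD_MANIFEST_NAME: target/distrib/global-dist-manifest.json
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 submodules: recursive
 - name: Install cached dist
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: cargo-dist-cache
 path: ~/.cargo/bin/
 - run: chmod +x ~/.cargo/bin/dist
 # Get all the local artifacts for the global tasks to use (for e.g. checksums)
 - name: Fetch local artifacts
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: artifacts-*
 path: target/distrib/
@@ -255,7 +255,7 @@ jobs:
 
 cp dist-manifest.json "$BUILD_MANIFEST_NAME"
 - name: "Upload artifacts"
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: artifacts-build-global
 path: |
@@ -276,19 +276,19 @@ jobs:
 outputs:
 val: ${{ steps.host.outputs.manifest }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 submodules: recursive
 - name: Install cached dist
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: cargo-dist-cache
 path: ~/.cargo/bin/
 - run: chmod +x ~/.cargo/bin/dist
 # Fetch artifacts from scratch-storage
 - name: Fetch artifacts
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: artifacts-*
 path: target/distrib/
@@ -301,14 +301,14 @@ jobs:
 cat dist-manifest.json
 echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT"
 - name: "Upload dist-manifest.json"
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 # Overwrite the previous copy
 name: artifacts-dist-manifest
 path: dist-manifest.json
 # Create a GitHub Release while uploading all files to it
 - name: "Download GitHub Artifacts"
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: artifacts-*
 path: artifacts
@@ -342,14 +342,14 @@ jobs:
 GITHUB_EMAIL: "admin+bot@axo.dev"
 if: ${{ !fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: true
 repository: "osodevops/homebrew-tap"
 token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
 # So we have access to the formula
 - name: Fetch homebrew formulae
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 pattern: artifacts-*
 path: Formula/
@@ -389,7 +389,7 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 persist-credentials: false
 submodules: recursive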
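Review bot: release.yml is the only one of the four workflows that gains no `permissions:` block in this commit, yet it is the one handling the most powerful credentials in these hunks (`GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on several jobs, `token: ${{ secrets.HOMEBREW_TAP_TOKEN }}` with `persist-credentials: true`). If the file does not already declare a top-level `permissions:` (not visible in these hunks), the token runs with the repository's default scope; declaring `permissions:` / `contents: read` at the top and granting `contents: write` only on the job that creates the release would apply the same least-privilege rule the other three files now follow. Also, every pin's trailing comment records only the major tag (`# v4`); recording the exact release tag the SHA resolves to (`# v4.X.Y`, placeholder for the real tag) lets a reviewer check the SHA-to-tag mapping and lets Dependabot or Renovate track and bump the pin — this applies to all four files.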

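--- a/.github/workflows/semver-check.yml
+++ b/.github/workflows/semver-check.yml
@@ -6,12 +6,15 @@ on:
 - 'crates/k2i-core/src/**'
 - 'crates/k2i-core/Cargo.toml'
 
+permissions:
+contents: read
+
 jobs:
 semver-check:
 name: Detect Breaking Changes
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0 # Need full history for baseline comparison
 
@@ -21,10 +24,10 @@ jobs:
 sudo apt-get install -y cmake libssl-dev pkg-config
 
 - name: Install Rust toolchain
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
 - name: Run cargo-semver-checks
-uses: obi1kenobi/cargo-semver-checks-action@v2
+uses: obi1kenobi/cargo-semver-checks-action@5b298c9520f7096a4683c0bd981a7ac5a7e249ae # v2
 with:
 package: k2i-core
 version-tag-prefix: v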

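--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,6 +16,9 @@ on:
 - 'Cargo.lock'
 - '.github/workflows/test.yml'
 
+permissions:
+contents: read
+
 env:
 CARGO_TERM_COLOR: always
 RUST_BACKTRACE: 1
@@ -26,20 +29,20 @@ jobs:
 name: Check & Lint
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install system dependencies
 run: |
 sudo apt-get update
 sudo apt-get install -y cmake libssl-dev pkg-config
 
 - name: Install Rust toolchain
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 with:
 components: clippy, rustfmt
 
 - name: Cache cargo registry
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.cargo/registry
@@ -64,18 +67,18 @@ jobs:
 runs-on: ubuntu-latest
 needs: check
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install system dependencies
 run: |
 sudo apt-get update
 sudo apt-get install -y cmake libssl-dev pkg-config
 
 - name: Install Rust toolchain
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
 - name: Cache cargo registry
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.cargo/registry
@@ -102,18 +105,18 @@ jobs:
 options: --privileged
 
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install system dependencies
 run: |
 sudo apt-get update
 sudo apt-get install -y cmake libssl-dev pkg-config
 
 - name: Install Rust toolchain
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
 - name: Cache cargo registry
-uses: actions/cache@v4
+uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: |
 ~/.cargo/registry
@@ -136,10 +139,10 @@ jobs:
 name: Security Audit
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
 - name: Install Rust toolchain
-uses: dtolnay/rust-toolchain@stable
+uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
 - name: Install cargo-audit
 run: cargo install cargo-audit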
