Skip to content

security: SHA-pin GitHub Actions workflows#2

Merged
herakles-dev merged 5 commits into
mainfrom
security/sha-pin-workflows
Apr 19, 2026
Merged

security: SHA-pin GitHub Actions workflows#2
herakles-dev merged 5 commits into
mainfrom
security/sha-pin-workflows

Conversation

@herakles-dev

Copy link
Copy Markdown
Owner

Summary

  • Pins actions/checkout@v4@34e114876b0b11c390a56381ad16ebd13914f8d5 (immutable SHA)
  • Pins actions/setup-python@v5@a26af69be951a213d495a4c3e4e4022e16d87065 (immutable SHA)
  • Adds .github/dependabot.yml to keep pinned SHAs fresh weekly

Why

Tagged action refs (@vN) resolve at workflow run time. If an action's tag is force-pushed (incident class: tj-actions/changed-files Mar 2025, reviewdog/action-setup Mar 2025), our CI runs the malicious code with secrets. Pinning to SHA freezes the resolved code; Dependabot keeps it fresh.

Source

Phase 1 of ~/herakles-linux-opus/supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md. Mechanical change via mheap/pin-github-action.

Test plan

  • CI passes on this branch (test.yml runs and passes against pinned SHAs)
  • Dependabot picks up github-actions ecosystem (visible in repo Insights → Dependency graph after merge)

🤖 Generated with Claude Code

herakles-dev and others added 5 commits April 19, 2026 21:18
Pins actions/checkout@v4 and actions/setup-python@v5 to immutable
SHAs. Adds Dependabot config to keep pinned SHAs fresh on a weekly
cadence.

Closes tag-hijack exposure class for CI workflows.

Source: supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md (Phase 1)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Addresses adversarial-review feedback from phase-1 wave review:

- Replaces major-only # vN annotations (# v4) with specific patch
  versions (# v4.3.1) for one-glance auditability. SHA values
  unchanged; comments only.
- Adds open-pull-requests-limit: 5 to dependabot.yml to prevent
  first-scan PR flood when pinned SHAs diverge from upstream tag
  movement.

Review: ~/sessions/systemic-pinning-phase-1/reviews/wave-1.json
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
W503 is a flake8 code (line break before binary operator) that ruff
never implemented. Passing it to '--ignore' fails with 'invalid value'
on recent ruff. Removing unblocks the lint job.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
'Run tests' step invokes pytest but requirements.txt doesn't declare
it. Install pytest explicitly in the install-deps step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
First test run after adding pytest surfaced: 'async def functions are
not natively supported'. Suite uses async pytest fixtures; requires
pytest-asyncio plugin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@herakles-dev herakles-dev merged commit 096152d into main Apr 19, 2026
2 checks passed
@herakles-dev herakles-dev deleted the security/sha-pin-workflows branch April 19, 2026 21:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant