From b0bfaf758d16d4f05971cd35aac4aed5f61cad29 Mon Sep 17 00:00:00 2001 From: "D. Michael Piscitelli" Date: Sun, 19 Apr 2026 21:18:11 +0200 Subject: [PATCH 1/5] security: SHA-pin GitHub Actions + add Dependabot Pins actions/checkout@v4 and actions/setup-python@v5 to immutable SHAs. Adds Dependabot config to keep pinned SHAs fresh on a weekly cadence. Closes tag-hijack exposure class for CI workflows. Source: supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md (Phase 1) Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 11 +++++++++++ .github/workflows/test.yml | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..0089680 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + commit-message: + prefix: "ci" + labels: + - "dependencies" + - "github-actions" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c4eb3d7..bc4c8cd 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,10 +14,10 @@ jobs: python-version: ["3.11", "3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ matrix.python-version }} From 2e360ee77f870d249f091b7224a8b093d5b0ac54 Mon Sep 17 00:00:00 2001 From: "D. Michael Piscitelli" Date: Sun, 19 Apr 2026 22:59:03 +0200 Subject: [PATCH 2/5] security: use specific-patch tag comments + cap Dependabot PRs Addresses adversarial-review feedback from phase-1 wave review: - Replaces major-only # vN annotations (# v4) with specific patch versions (# v4.3.1) for one-glance auditability. SHA values unchanged; comments only. - Adds open-pull-requests-limit: 5 to dependabot.yml to prevent first-scan PR flood when pinned SHAs diverge from upstream tag movement. Review: ~/sessions/systemic-pinning-phase-1/reviews/wave-1.json Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 1 + .github/workflows/test.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 0089680..a7b343f 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,6 +4,7 @@ updates: directory: "/" schedule: interval: "weekly" + open-pull-requests-limit: 5 commit-message: prefix: "ci" labels: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index bc4c8cd..e089ed3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,10 +14,10 @@ jobs: python-version: ["3.11", "3.12"] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} From 6dae8e835394b5dc4f06aaaaafc93abcb4286cf6 Mon Sep 17 00:00:00 2001 From: "D. Michael Piscitelli" Date: Sun, 19 Apr 2026 23:08:39 +0200 Subject: [PATCH 3/5] ci: drop W503 from ruff --ignore (not a ruff rule) W503 is a flake8 code (line break before binary operator) that ruff never implemented. Passing it to '--ignore' fails with 'invalid value' on recent ruff. Removing unblocks the lint job. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e089ed3..85e38af 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,7 +29,7 @@ jobs: - name: Lint with Ruff run: | pip install ruff - ruff check . --select E,F,W --ignore E501,E402,W503 --exit-zero + ruff check . --select E,F,W --ignore E501,E402 --exit-zero - name: Run tests run: | From 9b96f7dfbe41c22523073f149b18429239f0b85b Mon Sep 17 00:00:00 2001 From: "D. Michael Piscitelli" Date: Sun, 19 Apr 2026 23:15:47 +0200 Subject: [PATCH 4/5] ci: install pytest (not in requirements.txt) 'Run tests' step invokes pytest but requirements.txt doesn't declare it. Install pytest explicitly in the install-deps step. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 85e38af..b550a37 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,6 +25,7 @@ jobs: run: | python -m pip install --upgrade pip pip install -r requirements.txt + pip install pytest - name: Lint with Ruff run: | From e6287559749ef873ad22fc6fa1f80b6f5055ebc4 Mon Sep 17 00:00:00 2001 From: "D. Michael Piscitelli" Date: Sun, 19 Apr 2026 23:17:19 +0200 Subject: [PATCH 5/5] ci: install pytest-asyncio (test suite uses async def) First test run after adding pytest surfaced: 'async def functions are not natively supported'. Suite uses async pytest fixtures; requires pytest-asyncio plugin. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b550a37..ead1858 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,7 +25,7 @@ jobs: run: | python -m pip install --upgrade pip pip install -r requirements.txt - pip install pytest + pip install pytest pytest-asyncio - name: Lint with Ruff run: |