From 4a97cf159c5526998e424e8ae900e330e552fca4 Mon Sep 17 00:00:00 2001 From: Brian G Date: Mon, 11 May 2026 15:50:02 +0100 Subject: [PATCH 1/5] chore: pin GitHub Actions to commit SHAs Pin every `uses:` ref in .github/workflows and composite actions to a full 40-character commit SHA, with the original tag preserved as a comment, e.g. uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 Tags and branches are mutable; commit SHAs are not. Pinning to a SHA closes a supply-chain vector where a compromised action could replace what runs in CI without changing the tag we reference. Generated mechanically with `pinact run` (https://github.com/suzuki-shunsuke/pinact). No version bumps were applied (strict pin). --- .github/workflows/prpush.yml | 14 +++++++------- .github/workflows/security-code-scanner.yml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/prpush.yml b/.github/workflows/prpush.yml index dcaa728..35e1886 100644 --- a/.github/workflows/prpush.yml +++ b/.github/workflows/prpush.yml @@ -9,11 +9,11 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: install Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: go-version: 1.21.x @@ -32,7 +32,7 @@ jobs: find . -type f -name '*.go' -exec sed -i 's/Code generated by .* DO NOT EDIT/FOO/g' {} \; # on macos: find . -type f -name '*.go' -exec sed -i '' -E 's/Code generated by .* DO NOT EDIT/FOO/g' {} \; - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: version: v1.54 args: -v --timeout=5m @@ -44,15 +44,15 @@ jobs: pull-requests: write steps: - name: checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: install Go - uses: actions/setup-go@v4 + uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: go-version: 1.21.x # Install gotestfmt on the VM running the action. - name: Set up gotestfmt - uses: gotesttools/gotestfmt-action@v2 + uses: gotesttools/gotestfmt-action@7dd37bbcc925453b6d7465164cf3bcbd87bc691d # v2 with: # Optional: pass GITHUB_TOKEN to avoid rate limiting. token: ${{ secrets.GITHUB_TOKEN }} @@ -67,7 +67,7 @@ jobs: - name: Upload testdata if: failure() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: testdata path: ./lzss/testdata/fuzz diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index 474d2a5..b0cffb3 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml @@ -17,7 +17,7 @@ on: jobs: security-scan: - uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2 + uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@1cd598629833fa9fc1694f03abfce8d21b72eb5d # v2.0.6 permissions: actions: read contents: read From 38a82a8d2e164e1ac7e1b8e84bcf0beaf05f6917 Mon Sep 17 00:00:00 2001 From: Eloi Manuel Date: Tue, 23 Jun 2026 12:51:04 +0200 Subject: [PATCH 2/5] chore: update GitHub Actions to latest versions and enforce least-privilege permissions --- .github/workflows/prpush.yml | 6 +++--- .github/workflows/security-code-scanner.yml | 4 +++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/prpush.yml b/.github/workflows/prpush.yml index 35e1886..751dc05 100644 --- a/.github/workflows/prpush.yml +++ b/.github/workflows/prpush.yml @@ -8,8 +8,8 @@ jobs: staticcheck: runs-on: ubuntu-latest steps: - - name: checkout code - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - name: Checkout code + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 - name: install Go @@ -44,7 +44,7 @@ jobs: pull-requests: write steps: - name: checkout code - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: install Go uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index b0cffb3..172ada1 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml @@ -15,9 +15,11 @@ on: required: false workflow_dispatch: +permissions: {} # lock everything by default (least-privilege) + jobs: security-scan: - uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@1cd598629833fa9fc1694f03abfce8d21b72eb5d # v2.0.6 + uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@ff5edd492dfd4a70813066fe9f1552a2ac13766f # v2.1.0 permissions: actions: read contents: read From 2de677534324fada34b62b430a3890bcb1285992 Mon Sep 17 00:00:00 2001 From: Eloi Manuel Date: Tue, 23 Jun 2026 13:18:12 +0200 Subject: [PATCH 3/5] chore: improve CI workflow permissions --- .github/workflows/prpush.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/prpush.yml b/.github/workflows/prpush.yml index 751dc05..ed8fb90 100644 --- a/.github/workflows/prpush.yml +++ b/.github/workflows/prpush.yml @@ -4,9 +4,14 @@ on: - 'main' pull_request: name: ci + +permissions: {} # lock everything by default (least-privilege) + jobs: staticcheck: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout code uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 @@ -40,8 +45,8 @@ jobs: test: runs-on: ubuntu-latest - permissions: - pull-requests: write + permissions: + contents: read steps: - name: checkout code uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 From fc40616c10442cc28e51d6a677946607db7418f4 Mon Sep 17 00:00:00 2001 From: Eloi Manuel Date: Tue, 23 Jun 2026 13:22:21 +0200 Subject: [PATCH 4/5] chore: fix CI workflow name position --- .github/workflows/prpush.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/prpush.yml b/.github/workflows/prpush.yml index ed8fb90..6bae1ef 100644 --- a/.github/workflows/prpush.yml +++ b/.github/workflows/prpush.yml @@ -1,9 +1,10 @@ +name: ci + on: push: branches: - 'main' pull_request: -name: ci permissions: {} # lock everything by default (least-privilege) From 7ccb5d0cad2b08a584338a79af100db189883ca5 Mon Sep 17 00:00:00 2001 From: Eloi Manuel Date: Tue, 23 Jun 2026 13:22:57 +0200 Subject: [PATCH 5/5] chore: add newlines for better readability in CI workflow --- .github/workflows/prpush.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/prpush.yml b/.github/workflows/prpush.yml index 6bae1ef..8278d74 100644 --- a/.github/workflows/prpush.yml +++ b/.github/workflows/prpush.yml @@ -18,6 +18,7 @@ jobs: uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 + - name: install Go uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: @@ -25,6 +26,7 @@ jobs: - name: gofmt run: if [[ -n $(gofmt -l .) ]]; then echo "please run gofmt"; exit 1; fi + - name: generated files should not be modified run: | go generate ./... @@ -37,6 +39,7 @@ jobs: run: | find . -type f -name '*.go' -exec sed -i 's/Code generated by .* DO NOT EDIT/FOO/g' {} \; # on macos: find . -type f -name '*.go' -exec sed -i '' -E 's/Code generated by .* DO NOT EDIT/FOO/g' {} \; + - name: golangci-lint uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: @@ -51,6 +54,7 @@ jobs: steps: - name: checkout code uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - name: install Go uses: actions/setup-go@7b8cf10d4e4a01d4992d18a89f4d7dc5a3e6d6f4 # v4.3.0 with: