From 19149468a940732131e7ea2253d01e4658b866ce Mon Sep 17 00:00:00 2001
From: basi
Date: Wed, 23 Jul 2025 19:05:38 +0900
Subject: [PATCH 1/3] security: pin GitHub Actions to specific commit hashes
- Pin actions/checkout to 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- Pin actions/setup-node to 49933ea5288caeca8642d1e84afbd3f7d6820020 (v4.4.0)
- Pin actions/upload-artifact to 50769540e7f4bd5e21e526ee35c689e35e0d6874 (v4.4.0)
- Pin actions/github-script to 60a0d83039c74a4aee543508d2ffcb1c3799cdea (v7.0.1)
This prevents potential supply chain attacks by ensuring specific versions are used.
---
 .github/workflows/release.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 61c99ca..28bb0c4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Xcode
 run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
@@ -111,7 +111,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 # Fetch the latest to get any formula updates
 fetch-depth: 0
@@ -121,7 +121,7 @@ jobs:
 git pull origin main || true
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '20'
 registry-url: 'https://registry.npmjs.org'
@@ -155,7 +155,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Get version
 id: version
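Review bot: The `# v4.2.2` trailer on the new `uses: actions/checkout@11bd719…` lines (and `# v4.4.0` on the setup-node pin in the `@@ -121` hunk) is the only link between the pinned SHA and a release, and nothing in the workflow checks that the commit is the one the upstream tag points to; the same applies to every pin in patches 2 and 3. A wrong 40-character SHA is accepted silently and runs whatever that commit contains, so each one should be confirmed against the upstream release tag before merge (e.g. `git ls-remote --tags https://github.com/actions/checkout`). Pinning also freezes the version, and patch 3 of this series already re-bumps two of these pins by hand two commits later; a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` will open update PRs for the SHA and keep the trailing version comment in step with it.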
@@ -183,7 +183,7 @@ jobs:
 done
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: '20'
 registry-url: 'https://registry.npmjs.org'
@@ -199,7 +199,7 @@ jobs:
 - name: Upload test results on failure
 if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: linux-compatibility-test-failure
 path: |
@@ -208,7 +208,7 @@ jobs:
 - name: Comment on failure
 if: failure()
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 script: |
 github.rest.issues.createComment({
From 24443c7d85721e79a623403d211823b8a64591b4 Mon Sep 17 00:00:00 2001
From: basi
Date: Wed, 23 Jul 2025 19:07:29 +0900
Subject: [PATCH 2/3] security: pin GitHub Actions in CI workflow to specific commit hashes
- Pin actions/checkout to 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- Pin actions/cache to 6849a6489940f00c2f30c0fb92c6274307ccb58a (v4.1.2)
- Pin actions/upload-artifact to 50769540e7f4bd5e21e526ee35c689e35e0d6874 (v4.4.0)
- Pin vapor/swiftly-action to afdde2275f2b916c2704383f3a6b72032adb488c (v0.2.0)
This completes the security hardening of all GitHub Actions workflows.
---
 .github/workflows/ci.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2e74d43..c51a5a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
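Review bot: The github-script step in the `@@ -208` hunk now runs a fixed commit, but what a step that calls `github.rest.issues.createComment` can do is bounded by the token it executes with, and the job's `permissions:` block is outside the hunk. If no block is set the step inherits the repository default for `GITHUB_TOKEN`; a comment-only step needs no more than `issues: write` (or `pull-requests: write` when it comments on a PR), so it is worth stating that explicitly on the job alongside this pin. The `script: |` body continues past the end of the hunk.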
@@ -16,13 +16,13 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Xcode
 run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
 - name: Cache Swift Dependencies
- uses: actions/cache@v4
+ uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
 with:
 path: .build
 key: ${{ runner.os }}-swift-${{ hashFiles('Package.resolved') }}
@@ -63,7 +63,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Setup Xcode
 run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
@@ -84,11 +84,11 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 # Cache all dependencies
 - name: Cache Dependencies
- uses: actions/cache@v4
+ uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
 with:
 path: |
 ~/.local/share/swiftly
@@ -101,7 +101,7 @@ jobs:
 # Install dependencies
 - name: Cache APT packages
- uses: actions/cache@v4
+ uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
 with:
 path: |
 /tmp/apt-cache
@@ -136,7 +136,7 @@ jobs:
 sudo chmod -R 755 /tmp/apt-cache
 - name: Install Swiftly and Swift Toolchain
- uses: vapor/swiftly-action@v0.2.0
+ uses: vapor/swiftly-action@afdde2275f2b916c2704383f3a6b72032adb488c # v0.2.0
 with:
 toolchain: 6.1.2
@@ -177,7 +177,7 @@ jobs:
 - name: Upload test artifacts on failure
 if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: linux-compatibility-test-logs
 path: |
From 25ead9df3bf913c9ff94af02fd26214b553bac6e Mon Sep 17 00:00:00 2001
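Review bot: The `vapor/swiftly-action` pin in the `@@ -136` hunk is the only non-GitHub-owned action in the series, and a SHA pin fixes only that repository's commit: if the action is a composite or JavaScript action that itself references other actions by tag or fetches a toolchain from a URL, those inputs remain unpinned and are not covered by this change. Unlike the `actions/*` pins there is no first-party release process behind the `v0.2.0` tag, so the SHA should be cross-checked against the tag in the vapor repository rather than trusted from the trailer. It would help a later reader to record what was checked, e.g. `# v0.2.0 (reviewed <DATE-PLACEHOLDER>, see <TRACKING-ISSUE-PLACEHOLDER>)`, since the comment is otherwise the only provenance. The `toolchain: 6.1.2` value the action consumes is context here and is unchanged by this commit.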
From: basi
Date: Wed, 23 Jul 2025 19:10:28 +0900
Subject: [PATCH 3/3] security: update GitHub Actions to latest stable versions
- Update actions/cache to 5a3ec84eff668545956fd18022155c47e93e2684 (v4.2.3)
- Update actions/upload-artifact to ea165f8d65b6e75b540449e92b4886f43607fa02 (v4.6.2)
This ensures we're using the most recent stable versions with security fixes.
---
 .github/workflows/ci.yml | 8 ++++----
 .github/workflows/release.yml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c51a5a5..32947fd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
 run: sudo xcode-select -s /Applications/Xcode_16.4.app/Contents/Developer
 - name: Cache Swift Dependencies
- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: .build
 key: ${{ runner.os }}-swift-${{ hashFiles('Package.resolved') }}
@@ -88,7 +88,7 @@ jobs:
 # Cache all dependencies
 - name: Cache Dependencies
- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 ~/.local/share/swiftly
@@ -101,7 +101,7 @@ jobs:
 # Install dependencies
 - name: Cache APT packages
- uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+ uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
 with:
 path: |
 /tmp/apt-cache
@@ -177,7 +177,7 @@ jobs:
 - name: Upload test artifacts on failure
 if: failure()
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: linux-compatibility-test-logs
 path: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 28bb0c4..03f3db3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -199,7 +199,7 @@ jobs:
 - name: Upload test results on failure
 if: failure()
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: linux-compatibility-test-failure
 path: |