From 430744a44c319270129064c8e925253a0b61e606 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 3 Apr 2026 09:15:59 +0000 Subject: [PATCH 1/2] security: pin all GitHub Actions to commit SHAs with version comments Agent-Logs-Url: https://github.com/klibio/example.pde.rcp/sessions/23dd0bfe-7b86-4ecf-bed3-ea0c05929ee4 Co-authored-by: peterkir <250545+peterkir@users.noreply.github.com> --- .github/copilot-instructions.md | 17 +++++++++++++++++ .github/workflows/10_build-validation.yml | 2 +- .github/workflows/20_snapshot-deployment.yml | 2 +- .github/workflows/30_release-deployment.yml | 2 +- .github/workflows/40_product-validation.yml | 10 +++++----- .github/workflows/codeql.yml | 2 +- 6 files changed, 26 insertions(+), 9 deletions(-) diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index ebc9391..ab12880 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -78,6 +78,23 @@ Target environments: 8. Signing is optional and based on the demo configuration in `certificate/`. `build.sh` reads `certificate/sign.properties` when available. 9. Generated output under `target/` and `_log/` should not be treated as source of truth when editing code. +## GitHub Actions Security + +All GitHub Actions steps must reference actions by their full commit SHA, not by a mutable tag or branch. This prevents supply-chain attacks where a tag could be silently moved to a different (malicious) commit. + +Format: `uses: owner/repo@ # vX` — always include a trailing comment with the human-readable version so the SHA can be verified. + +Example: +```yaml +uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 +``` + +When adding a new action or upgrading an existing one: +1. Look up the commit SHA for the desired tag (e.g. via `git ls-remote https://github.com/owner/repo.git refs/tags/vX`). +2. Use the dereferenced commit SHA (`refs/tags/vX^{}`), not the tag-object SHA. +3. Append a comment with the version tag for human readability. +4. Update `dependabot.yml` keeps the `github-actions` ecosystem enabled so Dependabot can propose SHA-bump PRs automatically. + ## When Making Changes - Preserve existing OSGi and Eclipse RCP patterns instead of introducing non-standard build wiring. diff --git a/.github/workflows/10_build-validation.yml b/.github/workflows/10_build-validation.yml index da5b79c..b18a366 100644 --- a/.github/workflows/10_build-validation.yml +++ b/.github/workflows/10_build-validation.yml @@ -19,7 +19,7 @@ jobs: - name: checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-java@v5 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: | diff --git a/.github/workflows/20_snapshot-deployment.yml b/.github/workflows/20_snapshot-deployment.yml index 201a267..e0cf9b5 100644 
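Review bot: The `# v5` comment on the new `actions/setup-java@be666c2f…` line records only the floating major tag, so a reader cannot check that the SHA corresponds to one specific release, and the identical line is introduced in 20_snapshot-deployment.yml, 30_release-deployment.yml, 40_product-validation.yml (hunk @@ -39) and codeql.yml. Dependabot uses that comment when it bumps SHA-pinned actions, and a full tag such as `# v5.<minor>.<patch>` (placeholder: the exact tag the SHA resolves to) makes both the human check and the automated bump more precise. The guidance added in this same PR says the pin must be the dereferenced commit (`refs/tags/vX^{}`) rather than the tag object, and nothing in the diff shows that was confirmed for `be666c2f…`, so it is worth re-checking with `git ls-remote` before merging. The `steps:` list these lines belong to begins outside the hunk.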
--- a/.github/workflows/20_snapshot-deployment.yml +++ b/.github/workflows/20_snapshot-deployment.yml @@ -21,7 +21,7 @@ jobs: - name: checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-java@v5 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: | diff --git a/.github/workflows/30_release-deployment.yml b/.github/workflows/30_release-deployment.yml index b514e1b..8f303e3 100644 --- a/.github/workflows/30_release-deployment.yml +++ b/.github/workflows/30_release-deployment.yml @@ -28,7 +28,7 @@ jobs: - name: checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-java@v5 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: | diff --git a/.github/workflows/40_product-validation.yml b/.github/workflows/40_product-validation.yml index 3248dff..ac76a4a 100644 --- a/.github/workflows/40_product-validation.yml +++ b/.github/workflows/40_product-validation.yml @@ -39,7 +39,7 @@ jobs: - name: checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-java@v5 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: '21' @@ -73,7 +73,7 @@ jobs: # Download platform-specific product archives # ---------------------------------------------------------------- - name: download feature product (${{ matrix.platform }}) - uses: dawidd6/action-download-artifact@v20 + uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20 with: workflow: 10_build-validation.yml workflow_conclusion: success 
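Review bot: `dawidd6/action-download-artifact` fetches artifacts from a different workflow's run (`workflow: 10_build-validation.yml`), and the hunk shows no `branch`, `commit`, `pr` or `run_id` input constraining which run is selected; if none is set further down in `with:` (the block continues outside the hunk), which build artifact this validation job consumes depends on the action's default selection rules, which is worth pinning explicitly given the artifacts are then used as the product under test. Pinning the SHA (`8305c0f1…` `# v20`) is the right mitigation for an action outside the actions/ org, and the same change is repeated in hunks @@ -82, @@ -91 and @@ -100 of this file. As with setup-java, recording the exact tag the SHA resolves to rather than the major-only `# v20` would make verification against the upstream release easier.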
@@ -82,7 +82,7 @@ jobs: path: artifacts/feature - name: download plugin product (${{ matrix.platform }}) - uses: dawidd6/action-download-artifact@v20 + uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20 with: workflow: 10_build-validation.yml workflow_conclusion: success @@ -91,7 +91,7 @@ jobs: path: artifacts/plugin - name: download mixed product (${{ matrix.platform }}) - uses: dawidd6/action-download-artifact@v20 + uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20 with: workflow: 10_build-validation.yml workflow_conclusion: success @@ -100,7 +100,7 @@ jobs: path: artifacts/mixed - name: download headless product (${{ matrix.platform }}) - uses: dawidd6/action-download-artifact@v20 + uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20 with: workflow: 10_build-validation.yml workflow_conclusion: success diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f123482..a0bd716 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,7 +21,7 @@ jobs: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: actions/setup-java@v5 + - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'temurin' java-version: '21' From cdc9eee2344ba57c1151cc20775b572cddb8131a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 3 Apr 2026 13:08:53 +0000 Subject: [PATCH 2/2] fix: disable p2 chmod touchpoint and propagate Maven failures in build.sh Agent-Logs-Url: https://github.com/klibio/example.pde.rcp/sessions/af63ebc3-b321-4433-8ca8-33f0bbc9d9b9 Co-authored-by: peterkir <250545+peterkir@users.noreply.github.com> --- build.sh | 4 ++-- features/example.rcp.feature.touchpoint/p2.inf | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) 
diff --git a/build.sh b/build.sh index 1e52381..4f40d45 100755 --- a/build.sh +++ b/build.sh @@ -94,7 +94,7 @@ read -r -d '' command << EOM ${signVM} EOM echo -e "#\n$command\n#\n" 2>&1 | tee -a $log_file - set -e + set -eo pipefail $command 2>&1 | tee -a $log_file fi @@ -110,7 +110,7 @@ read -r -d '' command << EOM ${signVM} EOM echo -e "#\n$command\n#\n" 2>&1 | tee -a $log_file - set -e + set -eo pipefail $command 2>&1 | tee -a $log_file fi diff --git a/features/example.rcp.feature.touchpoint/p2.inf b/features/example.rcp.feature.touchpoint/p2.inf index 56780af..685b592 100644 --- a/features/example.rcp.feature.touchpoint/p2.inf +++ b/features/example.rcp.feature.touchpoint/p2.inf @@ -1,2 +1,3 @@ -instructions.install = \ - org.eclipse.equinox.p2.touchpoint.natives.chmod(targetDir:${installFolder},targetFile:script.sh,permissions:755); \ No newline at end of file +# chmod touchpoint intentionally disabled - see README_p2touchpoint.md for usage example +# instructions.install = \ +# org.eclipse.equinox.p2.touchpoint.natives.chmod(targetDir:${installFolder},targetFile:script.sh,permissions:755); \ No newline at end of file
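Review bot: `set -eo pipefail` is switched on inside the `if` branch, after the `echo -e ... | tee` line, so only the single `$command 2>&1 | tee -a $log_file` pipeline after it is covered and everything the script ran before that point still proceeds without error propagation; the second hunk at @@ -110 has the same pattern. If the intent is for the whole build to abort on any failure, one `set -eo pipefail` near the top of build.sh would cover both branches and let these two lines be dropped. Both pipelines also leave `$log_file` unquoted (`tee -a "$log_file"` is the safer form), and the preceding `echo -e "#\n$command\n#\n"` writes the fully expanded command into the log — if `${signVM}` ever carries keystore credentials read from `certificate/sign.properties`, they end up in `$log_file`, which is worth confirming. The enclosing `if` starts outside the hunk.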
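Review bot: The replacement comment in p2.inf says the chmod touchpoint is "intentionally disabled" but not why, which is exactly what a maintainer deciding whether to re-enable it will need; a reason in the comment, e.g. `# chmod touchpoint disabled because <reason>; see README_p2touchpoint.md for the usage example`, would fix that, and the README reference itself cannot be checked from this diff. The file is still written without a trailing newline (`\ No newline at end of file` on both sides), which is worth fixing while the file is being touched. Each commented line carries its own `#`, so — assuming p2.inf follows Java-properties rules, where a comment line is not continued by a trailing backslash — the `\` left at the end of the second comment line appears harmless.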