klibio · peterkir · Apr 3, 2026 · Apr 3, 2026 · Apr 3, 2026
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -78,6 +78,23 @@ Target environments:
 8. Signing is optional and based on the demo configuration in `certificate/`. `build.sh` reads `certificate/sign.properties` when available.
 9. Generated output under `target/` and `_log/` should not be treated as source of truth when editing code.
 
+## GitHub Actions Security
+
+All GitHub Actions steps must reference actions by their full commit SHA, not by a mutable tag or branch. This prevents supply-chain attacks where a tag could be silently moved to a different (malicious) commit.
+
+Format: `uses: owner/repo@<full-commit-sha> # vX` — always include a trailing comment with the human-readable version so the SHA can be verified.
+
+Example:
+```yaml
+uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+```
+
+When adding a new action or upgrading an existing one:
+1. Look up the commit SHA for the desired tag (e.g. via `git ls-remote https://github.com/owner/repo.git refs/tags/vX`).
+2. Use the dereferenced commit SHA (`refs/tags/vX^{}`), not the tag-object SHA.
+3. Append a comment with the version tag for human readability.
+4. Update `dependabot.yml` keeps the `github-actions` ecosystem enabled so Dependabot can propose SHA-bump PRs automatically.
+
 ## When Making Changes
 
 - Preserve existing OSGi and Eclipse RCP patterns instead of introducing non-standard build wiring.

diff --git a/.github/workflows/10_build-validation.yml b/.github/workflows/10_build-validation.yml
@@ -19,7 +19,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-    - uses: actions/setup-java@v5
+    - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: 'temurin'
         java-version: |

diff --git a/.github/workflows/20_snapshot-deployment.yml b/.github/workflows/20_snapshot-deployment.yml
@@ -21,7 +21,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-    - uses: actions/setup-java@v5
+    - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: 'temurin'
         java-version: |

diff --git a/.github/workflows/30_release-deployment.yml b/.github/workflows/30_release-deployment.yml
@@ -28,7 +28,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-    - uses: actions/setup-java@v5
+    - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: 'temurin'
         java-version: |

diff --git a/.github/workflows/40_product-validation.yml b/.github/workflows/40_product-validation.yml
@@ -39,7 +39,7 @@ jobs:
     - name: checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-    - uses: actions/setup-java@v5
+    - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         distribution: 'temurin'
         java-version: '21'
@@ -73,7 +73,7 @@ jobs:
     # Download platform-specific product archives
     # ----------------------------------------------------------------
     - name: download feature product (${{ matrix.platform }})
-      uses: dawidd6/action-download-artifact@v20
+      uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
       with:
         workflow: 10_build-validation.yml
         workflow_conclusion: success
@@ -82,7 +82,7 @@ jobs:
         path: artifacts/feature
 
     - name: download plugin product (${{ matrix.platform }})
-      uses: dawidd6/action-download-artifact@v20
+      uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
       with:
         workflow: 10_build-validation.yml
         workflow_conclusion: success
@@ -91,7 +91,7 @@ jobs:
         path: artifacts/plugin
 
     - name: download mixed product (${{ matrix.platform }})
-      uses: dawidd6/action-download-artifact@v20
+      uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
       with:
         workflow: 10_build-validation.yml
         workflow_conclusion: success
@@ -100,7 +100,7 @@ jobs:
         path: artifacts/mixed
 
     - name: download headless product (${{ matrix.platform }})
-      uses: dawidd6/action-download-artifact@v20
+      uses: dawidd6/action-download-artifact@8305c0f1062bb0d184d09ef4493ecb9288447732 # v20
       with:
         workflow: 10_build-validation.yml
         workflow_conclusion: success

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -21,7 +21,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - uses: actions/setup-java@v5
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: 'temurin'
           java-version: '21'

diff --git a/build.sh b/build.sh
@@ -94,7 +94,7 @@ read -r -d '' command << EOM
   ${signVM}
 EOM
     echo -e "#\n$command\n#\n"  2>&1 | tee -a $log_file
-    set -e
+    set -eo pipefail
     $command  2>&1 | tee -a $log_file
 fi
 
@@ -110,7 +110,7 @@ read -r -d '' command << EOM
   ${signVM}
 EOM
     echo -e "#\n$command\n#\n"  2>&1 | tee -a $log_file
-    set -e
+    set -eo pipefail
     $command  2>&1 | tee -a $log_file
 fi
 

diff --git a/features/example.rcp.feature.touchpoint/p2.inf b/features/example.rcp.feature.touchpoint/p2.inf
@@ -1,2 +1,3 @@
-instructions.install = \
-    org.eclipse.equinox.p2.touchpoint.natives.chmod(targetDir:${installFolder},targetFile:script.sh,permissions:755);
+# chmod touchpoint intentionally disabled - see README_p2touchpoint.md for usage example
+# instructions.install = \
+#     org.eclipse.equinox.p2.touchpoint.natives.chmod(targetDir:${installFolder},targetFile:script.sh,permissions:755);