From 41765a2d2e11a81c1ea4a533b1d01783bbfb5680 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Sat, 7 Mar 2026 22:48:37 +0100
Subject: [PATCH 1/2] build: SHA-pin GitHub Actions for supply-chain security

Pin external action references to exact commit SHAs instead of branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola
---
 .github/workflows/check-semantic-pr.yml | 2 +-
 .github/workflows/publish_pypi_prod.yml | 2 +-
 .github/workflows/publish_pypi_test.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 5bacd57..dfb02a0 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -7,4 +7,4 @@ on:
 jobs:
 check:
- uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+ uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
diff --git a/.github/workflows/publish_pypi_prod.yml b/.github/workflows/publish_pypi_prod.yml
index 7717dc1..b641bac 100644
--- a/.github/workflows/publish_pypi_prod.yml
+++ b/.github/workflows/publish_pypi_prod.yml
@@ -32,6 +32,6 @@ jobs:
 path: dist
 - name: Publish distribution 📦 to PyPI
 # if: startsWith(github.ref, 'refs/tags')
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 sign-artifacts: true
diff --git a/.github/workflows/publish_pypi_test.yml b/.github/workflows/publish_pypi_test.yml
index ccffc43..8a0ebb4 100644
--- a/.github/workflows/publish_pypi_test.yml
+++ b/.github/workflows/publish_pypi_test.yml
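Review bot: The `# v1.13.0` comment on the new `uses:` line is informational only — GitHub resolves the 40-character SHA and never checks the comment — so this review should confirm that `ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e` is the commit the `v1.13.0` tag of pypa/gh-action-pypi-publish points at; the same SHA and comment appear in the publish_pypi_test.yml hunk, which is covered by this note. A SHA pin also freezes the action at this release, so fixes shipped by upstream arrive only when the pin is bumped; if the repository does not already have a Dependabot or Renovate configuration for the `github-actions` ecosystem (not visible from this diff), add one, since both tools rely on the `# vX.Y.Z` comment to keep the pin and its label in step. The enclosing job starts before the hunk.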
@@ -28,7 +28,7 @@ jobs:
 name: dist
 path: dist
 - name: Publish distribution 📦 to Test PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 repository-url: https://test.pypi.org/legacy/
 sign-artifacts: true

From 394698b284e99f6f22c0813edabe33a4483f3cf4 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Sat, 7 Mar 2026 23:20:24 +0100
Subject: [PATCH 2/2] build: remove shared workflow SHA pin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Revert check-semantic-pr.yml — shared workflow pinning will be handled separately via semver tagging of the .github repo.

Signed-off-by: jimisola
---
 .github/workflows/check-semantic-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index dfb02a0..5bacd57 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -7,4 +7,4 @@ on:
 jobs:
 check:
- uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
+ uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
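Review bot: Going back to `@main` on the new `uses:` line leaves the PR check on a mutable reference: any change pushed to that branch of reqstool/.github takes effect on every pull request here without a review in this repository, which is the class of risk the first patch set out to remove. The commit message defers this to semver tagging of the .github repo, but a tag is just as movable as a branch, so the eventual fix should still be a SHA pin with the tag recorded in a comment, `uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@<sha-of-tag> # vX.Y.Z` (placeholders), in the same style the first patch uses for pypa/gh-action-pypi-publish. Until that tag exists, it would be worth recording in the workflow itself, as a comment above `uses:`, that the reference is intentionally unpinned and why, so the exception is not mistaken for an oversight. The enclosing workflow starts before the hunk.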