From b918fe53f92d60197c8e00bf3c040e965113f3bf Mon Sep 17 00:00:00 2001 From: Jimisola Laursen Date: Sat, 7 Mar 2026 22:50:43 +0100 Subject: [PATCH 1/2] build: SHA-pin GitHub Actions for supply-chain security Pin external action references to exact commit SHAs instead of branch or major-version tags to prevent supply-chain attacks. Signed-off-by: jimisola --- .github/workflows/check-semantic-pr.yml | 2 +- .github/workflows/publish_pypi_prod.yml | 2 +- .github/workflows/publish_pypi_test.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml index 459b868..0addcd2 100644 --- a/.github/workflows/check-semantic-pr.yml +++ b/.github/workflows/check-semantic-pr.yml @@ -5,4 +5,4 @@ on: jobs: check: - uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main + uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07 diff --git a/.github/workflows/publish_pypi_prod.yml b/.github/workflows/publish_pypi_prod.yml index 85384a4..e55f7bc 100644 --- a/.github/workflows/publish_pypi_prod.yml +++ b/.github/workflows/publish_pypi_prod.yml @@ -31,6 +31,6 @@ jobs: path: dist - name: Publish distribution 📦 to PyPI # if: startsWith(github.ref, 'refs/tags') - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: sign-artifacts: true diff --git a/.github/workflows/publish_pypi_test.yml b/.github/workflows/publish_pypi_test.yml index f3f7736..d5d8bd7 100644 --- a/.github/workflows/publish_pypi_test.yml +++ b/.github/workflows/publish_pypi_test.yml @@ -28,7 +28,7 @@ jobs: name: dist path: dist - name: Publish distribution 📦 to Test PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: repository-url: https://test.pypi.org/legacy/ sign-artifacts: true From 4666d98ab4cbcd18a4d47d8b6c71f1583e849fed Mon Sep 17 00:00:00 2001 From: Jimisola Laursen Date: Sat, 7 Mar 2026 23:20:25 +0100 Subject: [PATCH 2/2] build: remove shared workflow SHA pin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Revert check-semantic-pr.yml — shared workflow pinning will be handled separately via semver tagging of the .github repo. Signed-off-by: jimisola --- .github/workflows/check-semantic-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml index 0addcd2..459b868 100644 --- a/.github/workflows/check-semantic-pr.yml +++ b/.github/workflows/check-semantic-pr.yml @@ -5,4 +5,4 @@ on: jobs: check: - uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07 + uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main