From 302e16262ac3e9e306623fe61045f8e6c67fb751 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Sat, 7 Mar 2026 22:56:11 +0100
Subject: [PATCH 1/2] build: SHA-pin GitHub Actions for supply-chain security

Pin external action references to exact commit SHAs instead of branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola
---
 .github/workflows/check-semantic-pr.yml | 2 +-
 .github/workflows/lint.yml | 2 +-
 .github/workflows/publish_pypi_prod.yml | 2 +-
 .github/workflows/publish_pypi_test.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 459b868..0addcd2 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,4 +5,4 @@ on:
 jobs:
 check:
- uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+ uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 34bc895..9d1c3f6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,7 +14,7 @@ jobs:
 with:
 python-version: "3.13"
 - name: Install and configure Poetry (this should ideally be done from pyproject.toml but..)
- uses: snok/install-poetry@v1
+ uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1
 with:
 version: 1.8.5
 virtualenvs-create: true
diff --git a/.github/workflows/publish_pypi_prod.yml b/.github/workflows/publish_pypi_prod.yml
index 5b0ffaf..cfffc42 100644
--- a/.github/workflows/publish_pypi_prod.yml
+++ b/.github/workflows/publish_pypi_prod.yml
@@ -32,6 +32,6 @@ jobs:
 path: dist
 - name: Publish distribution 📦 to PyPI
 # if: startsWith(github.ref, 'refs/tags')
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 sign-artifacts: true 
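Review bot: The trailing comment on the new lint.yml `uses:` line records the floating major tag `# v1`, whereas the two pypa/gh-action-pypi-publish hunks record the exact release `# v1.13.0`; a floating tag cannot be checked against the pinned SHA by a later reader, and update bots that key on that comment cannot tell which release the hash corresponds to. Record the tag the SHA was resolved from, `uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # vX.Y.Z`, with `vX.Y.Z` replaced by the exact release tag that resolves to that commit. The `version: 1.8.5` on the following context line pins the Poetry build, not the action, so it does not cover this. The enclosing steps list starts and ends outside the hunk.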
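Review bot: The full-SHA pin freezes `pypa/gh-action-pypi-publish` at the v1.13.0 commit in publish_pypi_prod.yml (and the same hash in the publish_pypi_test.yml hunk, likewise snok/install-poetry in lint.yml), but the series adds nothing that will propose bumps, so fixes shipped in later releases are no longer picked up and the pins silently age. A `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` and a `schedule.interval` of `"weekly"` would keep the hashes current, and presumably the trailing version comments too, which is what makes the pins auditable. The commented-out `# if: startsWith(github.ref, 'refs/tags')` on the context line above is pre-existing, so the production publish step runs on whatever triggers the workflow; that trigger sits in the workflow header outside this hunk and is worth confirming at the same time. The enclosing job starts outside the hunk.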
diff --git a/.github/workflows/publish_pypi_test.yml b/.github/workflows/publish_pypi_test.yml
index 56d9d49..93761bb 100644
--- a/.github/workflows/publish_pypi_test.yml
+++ b/.github/workflows/publish_pypi_test.yml
@@ -27,7 +27,7 @@ jobs:
 name: dist
 path: dist
 - name: Publish distribution 📦 to Test PyPI
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
 with:
 repository-url: https://test.pypi.org/legacy/
 sign-artifacts: true

From 990169b3800ceef61cce4a1ab550a0cbb85fa654 Mon Sep 17 00:00:00 2001
From: Jimisola Laursen
Date: Sat, 7 Mar 2026 23:20:26 +0100
Subject: [PATCH 2/2] build: remove shared workflow SHA pin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Revert check-semantic-pr.yml — shared workflow pinning will be handled separately via semver tagging of the .github repo.

Signed-off-by: jimisola
---
 .github/workflows/check-semantic-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
index 0addcd2..459b868 100644
--- a/.github/workflows/check-semantic-pr.yml
+++ b/.github/workflows/check-semantic-pr.yml
@@ -5,4 +5,4 @@ on:
 jobs:
 check:
- uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
+ uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
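Review bot: After this revert the reusable workflow is again referenced at the mutable `@main` of reqstool/.github, so the check job runs whatever that branch holds at trigger time, which is the exposure the first patch set out to remove; the commit message defers this to semver tags of the .github repo, but a tag is also a movable ref unless the consumer resolves it to a SHA as the other three workflows now do. Leave a marker on the line so the gap is not lost once the series lands, `uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main  # TODO: pin to a release tag or SHA once reqstool/.github publishes tags`. If the organisation enforces a pin-to-SHA policy for actions, this `@main` reference would be the one line it flags. The workflow trigger (`on:`) sits outside the hunk.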