From 5dfd1e6c0c5875097add4d8051402ab401b5e8cc Mon Sep 17 00:00:00 2001 From: Patrick Kaeding Date: Mon, 23 Mar 2026 13:45:23 -0400 Subject: [PATCH 1/2] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule. --- .github/workflows/manual-publish.yml | 6 +++--- .github/workflows/release-please.yml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml index 7d93679d..b5b1ec99 100644 --- a/.github/workflows/manual-publish.yml +++ b/.github/workflows/manual-publish.yml @@ -24,7 +24,7 @@ jobs: python-version: "3.10" - name: Install poetry - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0 name: "Get PyPI token" @@ -37,7 +37,7 @@ jobs: - name: Publish package distributions to PyPI if: ${{ inputs.dry_run == false }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: password: ${{env.PYPI_AUTH_TOKEN}} @@ -47,7 +47,7 @@ jobs: actions: read id-token: write contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 with: base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}" upload-assets: ${{ !inputs.dry_run }} diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 81f5c3ed..3bb026be 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -16,7 +16,7 @@ jobs: upload-tag-name: ${{ steps.release.outputs.tag_name }} package-hashes: ${{ steps.build.outputs.package-hashes}} steps: - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4 id: release - uses: actions/checkout@v4 @@ -31,7 +31,7 @@ jobs: - name: Install poetry if: ${{ steps.release.outputs.releases_created == 'true' }} - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0 if: ${{ steps.release.outputs.releases_created == 'true' }} @@ -49,7 +49,7 @@ jobs: - name: Publish package distributions to PyPI if: ${{ steps.release.outputs.releases_created == 'true' }} - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 with: password: ${{env.PYPI_AUTH_TOKEN}} @@ -60,7 +60,7 @@ jobs: actions: read id-token: write contents: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 with: base64-subjects: "${{ needs.release-package.outputs.package-hashes }}" upload-assets: true From ecba454249424a077dfbfdb90d8d7f40dd8021d4 Mon Sep 17 00:00:00 2001 From: "Matthew M. Keeler" Date: Tue, 24 Mar 2026 14:38:45 -0400 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Matthew M. Keeler --- .github/workflows/manual-publish.yml | 4 ++-- .github/workflows/release-please.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml index b5b1ec99..85defd29 100644 --- a/.github/workflows/manual-publish.yml +++ b/.github/workflows/manual-publish.yml @@ -24,7 +24,7 @@ jobs: python-version: "3.10" - name: Install poetry - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0 - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0 name: "Get PyPI token" @@ -37,7 +37,7 @@ jobs: - name: Publish package distributions to PyPI if: ${{ inputs.dry_run == false }} - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: password: ${{env.PYPI_AUTH_TOKEN}} diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index 3bb026be..091b7636 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -16,7 +16,7 @@ jobs: upload-tag-name: ${{ steps.release.outputs.tag_name }} package-hashes: ${{ steps.build.outputs.package-hashes}} steps: - - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4 + - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0 id: release - uses: actions/checkout@v4 @@ -31,7 +31,7 @@ jobs: - name: Install poetry if: ${{ steps.release.outputs.releases_created == 'true' }} - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0 - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0 if: ${{ steps.release.outputs.releases_created == 'true' }} @@ -49,7 +49,7 @@ jobs: - name: Publish package distributions to PyPI if: ${{ steps.release.outputs.releases_created == 'true' }} - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: password: ${{env.PYPI_AUTH_TOKEN}}