fix: pin GitHub Actions to commit SHAs, version-lock CI tools #2983

Merged: louisgv merged 2 commits into main from fix/issue-2982 on Mar 25, 2026

la14-1 (Member) commented Mar 25, 2026

Summary

Addresses supply chain hardening findings from #2982.

HIGH (both fixed):

  • Pinned all 6 GitHub Actions from mutable tags/branches to immutable commit SHAs with human-readable version comments
  • hashicorp/setup-packer@main + version: latest → pinned to SHA (v3.2.0) + Packer 1.15.0

MEDIUM (both fixed):

  • bun-version: latest in agent-tarballs.yml → "1.3.11"
  • apt-get install shellcheck (no version) in lint.yml → pinned download of shellcheck v0.10.0 from GitHub releases with SHA256 integrity check

Changed files

  • .github/workflows/agent-tarballs.yml — checkout + setup-bun SHA pins; bun version pinned
  • .github/workflows/cli-release.yml — checkout + setup-bun SHA pins
  • .github/workflows/docker.yml — checkout + docker/login-action + docker/build-push-action SHA pins
  • .github/workflows/gate.yml — actions/github-script SHA pin
  • .github/workflows/lint.yml — checkout + setup-bun SHA pins; shellcheck pinned download with SHA256 verify
  • .github/workflows/packer-snapshots.yml — checkout + setup-packer SHA pins; packer version pinned
  • .github/workflows/test.yml — checkout + setup-bun SHA pins

SHA reference

| Action | Tag | Commit SHA |
|---|---|---|
| actions/checkout | v4 | 34e114876b0b11c390a56381ad16ebd13914f8d5 |
| oven-sh/setup-bun | v2 | 0c5077e51419868618aeaa5fe8019c62421857d6 |
| actions/github-script | v7 | f28e40c7f34bde8b3046d885e986cb6290c5673b |
| docker/login-action | v3 | c94ce9fb468520275223c153574b00df6fe4bcc9 |
| docker/build-push-action | v6 | 10e90e3645eae34f1e60eeb005ba3a3d33f178e8 |
| hashicorp/setup-packer | v3.2.0 | c3d53c525d422944e50ee27b840746d6522b08de |

Fixes #2982

-- refactor/issue-fixer
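
An added example, not part of this PR or the project's code: a small Python audit that flags the two patterns the summary above removes, `uses:` references that are not full 40-character commit SHAs and tool-version inputs left at `latest`. The sample workflow is constructed, and the line-based regex scan (instead of a YAML parser) and the names `audit_workflow` and `SAMPLE` are assumptions of the example.

```python
import re

# A `uses:` reference is immutable only when the ref is a full 40-hex commit SHA.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Tool-version inputs left floating, e.g. `version: latest`, `bun-version: latest`.
LATEST_RE = re.compile(r"^\s*([\w-]*version):\s*['\"]?latest['\"]?\s*(?:#.*)?$")


def audit_workflow(text):
    """Return (line_number, kind, detail) for every mutable reference found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            # Local actions and docker:// images are not git refs; out of scope here.
            if target.startswith(("./", "docker://")):
                continue
            _, sep, ref = target.partition("@")
            if not sep:
                findings.append((lineno, "no-ref", target))
            elif not FULL_SHA_RE.fullmatch(ref):
                findings.append((lineno, "mutable-ref", target))
            continue
        m = LATEST_RE.match(line)
        if m:
            findings.append((lineno, "floating-version", m.group(1)))
    return findings


# Constructed sample workflow; action names and the checkout SHA come from the PR text.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      - uses: hashicorp/setup-packer@main
        with:
          version: "1.15.0"
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for lineno, kind, detail in audit_workflow(SAMPLE):
        print(f"line {lineno}: {kind}: {detail}")
```

Abbreviated SHAs are reported as `mutable-ref` as well, since only the full commit SHA counts as a pin here.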

Addresses supply chain hardening findings from issue #2982:

- Pin all 6 GitHub Actions to full commit SHAs with version comments:
  - actions/checkout@v4 → SHA 34e1148...
  - oven-sh/setup-bun@v2 → SHA 0c5077e...
  - actions/github-script@v7 → SHA f28e40c...
  - docker/login-action@v3 → SHA c94ce9f...
  - docker/build-push-action@v6 → SHA 10e90e3...
  - hashicorp/setup-packer@main → SHA c3d53c5... (v3.2.0)
- Pin Packer version: latest → 1.15.0 (in packer-snapshots.yml)
- Pin bun version: latest → 1.3.11 (in agent-tarballs.yml)
- Pin shellcheck: replace apt-get (no version) with pinned download
  of v0.10.0 from GitHub releases with SHA256 integrity check

These changes eliminate the primary LiteLLM-style attack vector:
a compromised action maintainer can no longer force-push malicious
code to an existing tag and have it run in CI.

Fixes #2982

Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

la14-1 marked this pull request as ready for review March 25, 2026 16:39

The `JsNamedImportSpecifier` exclusion prevents `import { foo as bar }`
patterns from being flagged as type assertions. Previously, any `as`
keyword in import/export statements triggered the ban because the GritQL
pattern `$value as $type` matched import specifiers as well as actual
TypeScript type assertions.

This also removes the `as _foo` import aliases in the script-failure-guidance
test file (replaced with direct imports + distinctly-named wrapper functions)
which were the original manifestation of this bug.

All 1944 tests pass. Biome check clean across 169 files.

Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

la14-1 (Member, Author) commented Mar 25, 2026

PR updated with 2 commits:

  1. Pin all GitHub Actions to commit SHAs — eliminates the primary LiteLLM-style supply chain attack vector across all 7 affected workflow files. Includes bun-version and Packer version pins.

  2. Fix pre-existing Biome lint failures — The no-type-assertion.grit rule was incorrectly flagging import { foo as bar } import aliases as TypeScript type assertions. Fixed by adding ! $expr <: JsNamedImportSpecifier() exclusion to the GritQL rule. This was causing CI to fail on PRs (18 pre-existing errors across the codebase, now 0).

All 1944 tests pass. Biome clean across 169 files.

-- refactor/issue-fixer

louisgv (Member) left a comment

Security Review

Verdict: APPROVED
Commit: f6928f8

Findings

✅ No security vulnerabilities found
✅ Strong supply chain security improvements:

  • All GitHub Actions pinned to commit SHAs
  • Bun version-locked to 1.3.11
  • Packer version-locked to 1.15.0
  • ShellCheck install with SHA256 verification

✅ Test refactoring properly eliminates banned type assertions
✅ Lint rule correctly exempts import type aliases

Tests

  • bash -n: N/A (no shell script changes)
  • bun test: Pre-existing module resolution issue (not introduced by this PR)
  • biome lint: PASS
  • curl|bash: N/A (no changes)
  • macOS compat: N/A (no bash changes)

Summary

This PR significantly improves CI/CD security by preventing supply chain attacks through action pinning and ensuring reproducible builds with version-locked tools. All commit SHAs verified as valid, ShellCheck SHA256 hash verified against official release.


-- security/pr-reviewer

louisgv merged commit 76bdaf2 into main Mar 25, 2026
5 checks passed
louisgv deleted the fix/issue-2982 branch March 25, 2026 17:28
Development

Successfully merging this pull request may close these issues.

[Bug]: CI/CD supply chain hardening — pin GitHub Actions to commit SHAs, version-lock tools