From e442beff2b6a59d950e78ca3e5d57650b9d729b2 Mon Sep 17 00:00:00 2001 From: Douglas Coburn Date: Thu, 23 Oct 2025 18:27:26 -0700 Subject: [PATCH] ci: pin GitHub Actions to commit SHAs for security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin all GitHub Actions references to specific commit SHAs instead of version tags to improve security and reproducibility: - actions/checkout@v4 → eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - actions/setup-python@v5 → f677139bbe7f9c59b41e40162b753c062f5d49a3 - pypa/gh-action-pypi-publish@v1.12.4 → ab69e431e9c9f48a3310be0a56527c679f56e04d - actions/github-script@v7 → 60a0d83039c74a4aee543508d2ffcb1c3799cdea - docker/setup-qemu-action@v3 → 49b3bc8e6bdd4a60e6116a5414239cba5943d3cf - docker/setup-buildx-action@v3 → c47758b77c9736f4b2ef4073d4d51994fabfe349 - docker/login-action@v3 → 9780b0c442fbb1117ed29e0efdff1e18412f7567 - docker/build-push-action@v5 → 4f58ea79222b3b9dc2c8bbdd6debcef730109a75 This follows GitHub security best practices by ensuring exact versions are used and preventing potential supply chain attacks from compromised tags. --- .github/workflows/pr-preview.yml | 16 ++++++++-------- .github/workflows/release.yml | 14 +++++++------- .github/workflows/version-check.yml | 4 ++-- pyproject.toml | 2 +- socketsecurity/__init__.py | 2 +- 5 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/pr-preview.yml b/.github/workflows/pr-preview.yml index f3b142a..9386346 100644 --- a/.github/workflows/pr-preview.yml +++ b/.github/workflows/pr-preview.yml @@ -11,10 +11,10 @@ jobs: contents: read pull-requests: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 with: python-version: '3.x' @@ -43,14 +43,14 @@ jobs: - name: Publish to Test PyPI if: steps.version_check.outputs.exists != 'true' - uses: pypa/gh-action-pypi-publish@v1.12.4 + uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d with: repository-url: https://test.pypi.org/legacy/ verbose: true - name: Comment on PR if: steps.version_check.outputs.exists != 'true' - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea env: VERSION: ${{ env.VERSION }} with: @@ -120,21 +120,21 @@ jobs: exit 1 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 - name: Login to Docker Hub with Organization Token if: steps.verify_package.outputs.success == 'true' - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & Push Docker Preview if: steps.verify_package.outputs.success == 'true' - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 env: VERSION: ${{ env.VERSION }} with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b70d26e..20b4bd1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,10 +10,10 @@ jobs: id-token: write contents: read steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 with: python-version: '3.x' @@ -66,16 +66,16 @@ jobs: - name: Publish to PyPI if: steps.version_check.outputs.pypi_exists != 'true' - uses: pypa/gh-action-pypi-publish@v1.12.4 + uses: pypa/gh-action-pypi-publish@ab69e431e9c9f48a3310be0a56527c679f56e04d - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 - name: Login to Docker Hub with Organization Token - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -102,7 +102,7 @@ jobs: if: | steps.verify_package.outputs.success == 'true' && steps.docker_check.outputs.docker_exists != 'true' - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 env: VERSION: ${{ env.VERSION }} with: diff --git a/.github/workflows/version-check.yml b/.github/workflows/version-check.yml index fa20938..5e4335c 100644 --- a/.github/workflows/version-check.yml +++ b/.github/workflows/version-check.yml @@ -11,7 +11,7 @@ jobs: check_version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 with: fetch-depth: 0 # Fetch all history for all branches @@ -39,7 +39,7 @@ jobs: " - name: Manage PR Comment - uses: actions/github-script@v7 + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea if: always() env: MAIN_VERSION: ${{ env.MAIN_VERSION }} diff --git a/pyproject.toml b/pyproject.toml index 22811e7..9ec3c0f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -6,7 +6,7 @@ build-backend = "hatchling.build" [project] name = "socketsecurity" -version = "2.2.11" +version = "2.2.12" requires-python = ">= 3.10" license = {"file" = "LICENSE"} dependencies = [ diff --git a/socketsecurity/__init__.py b/socketsecurity/__init__.py index 9ea1adb..aecfb7d 100644 --- a/socketsecurity/__init__.py +++ b/socketsecurity/__init__.py @@ -1,2 +1,2 @@ __author__ = 'socket.dev' -__version__ = '2.2.11' +__version__ = '2.2.12'