Fix: pin ruyaml with uv lockfile and 4-day cooldown #611

Merged: potiuk merged 3 commits into main from fix/pin-ruyaml-with-uv-lockfile on Mar 28, 2026
potiuk commented Mar 27, 2026

Summary

  • Security fix: Previously, pip install ruyaml in workflows with contents:write permission (update_actions, update_dummy, remove_expired) fetched the latest version from PyPI on every run. A compromised ruyaml release could exploit this to modify actions.yml and inject malicious allowed actions into the ASF organization-wide allowlist.
  • Fix: Added pyproject.toml with uv.lock and a 4-day exclude-newer cooldown. All gateway workflows now use pipx install uv + uv run instead of pip install ruyaml, ensuring only locked, vetted versions are used.
  • Dependabot: Added uv package ecosystem to dependabot.yml (with 4-day cooldown) to keep uv.lock updated via PRs.

Test plan

  • Verify update_actions workflow runs successfully on PR
  • Verify remove_expired workflow runs successfully
  • Verify update_dummy workflow runs successfully
  • Verify pytest workflow passes
  • Confirm dependabot picks up the new uv ecosystem

🤖 Generated with Claude Code
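
A check a reviewer could run over workflow files for the pattern this PR removes, as an added example that is not part of the PR or the repository's code: it flags `pip install` calls without an exact `==` pin in a workflow that declares `contents: write`. The workflow text, the `update.py` script name and the function names are constructed for illustration, and the check assumes permissions are declared explicitly in the file.

```python
import re

# Constructed sample workflow for illustration; not a file from the repository.
SAMPLE_WORKFLOW = """\
name: update_actions
on: workflow_dispatch
permissions:
  contents: write
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install ruyaml
      - run: python update.py
"""

WRITE_PERM = re.compile(r"^\s*contents:\s*write\s*$", re.MULTILINE)
PIP_INSTALL = re.compile(r"\bpip3?\s+install\s+(.+)")
SHELL_END = re.compile(r"&&|\|\||[;|#]")  # where the pip command ends on the line
FILE_OPTS = {"-r", "--requirement", "-c", "--constraint"}

def unpinned_requirements(args: str) -> list[str]:
    """Requirement tokens of one `pip install` call that lack an exact `==` pin."""
    tokens = SHELL_END.split(args)[0].split()
    if "--require-hashes" in tokens:
        return []
    found, prev = [], ""
    for tok in tokens:
        # Skip options and the file argument of -r/-c; flag bare package names.
        if not tok.startswith("-") and prev not in FILE_OPTS and "==" not in tok:
            found.append(tok)
        prev = tok
    return found

def audit_workflow(text: str) -> list[tuple[int, str]]:
    """(line, package) per unpinned install; [] unless `contents: write` is declared."""
    if not WRITE_PERM.search(text):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = PIP_INSTALL.search(line)
        if match:
            findings += [(lineno, pkg) for pkg in unpinned_requirements(match.group(1))]
    return findings

if __name__ == "__main__":
    for lineno, pkg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned install of {pkg!r} with contents: write")
```

A `contents: write` grant at job level is matched the same way as a top-level one, so the whole file is audited in either case.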

potiuk and others added 2 commits March 28, 2026 00:29
Replace `pip install ruyaml` with `uv run` backed by a locked
`pyproject.toml` / `uv.lock` and a 4-day `exclude-newer` cooldown.
This prevents a compromised latest ruyaml from being pulled into
workflows that run with contents:write, which could otherwise be
exploited to modify actions.yml and inject malicious allowed actions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

potiuk requested review from dfoulks1, gmcdonald and raboof March 27, 2026 23:30

potiuk commented Mar 27, 2026

This is important to review and merge as this solves an existing security risk with the action itself @dfoulks1 @gmcdonald @raboof

potiuk commented Mar 27, 2026

This might get exploited in an attack similar to litellm

gopidesupavan left a comment

LGTM

potiuk merged commit fae466b into main Mar 28, 2026
7 checks passed
potiuk deleted the fix/pin-ruyaml-with-uv-lockfile branch March 28, 2026 14:06