Draft
4 changes: 2 additions & 2 deletions .github/workflows/build-and-publish.yml


4 changes: 2 additions & 2 deletions .github/workflows/check-release-tag.yml


40 changes: 20 additions & 20 deletions .github/workflows/checks.yml
Expand Up @@ -12,11 +12,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"
Collaborator Author

Could also augment to put out the version as a comment.
zimor verifies if it's correct or not.


- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: "3.10"
poetry-version: "2.3.0"
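Review bot: the replacement for `exasol/python-toolbox/.github/actions/python-environment@v6` is `de9c841d1e0c1d59b267900baf25da913330a25a`, which config.py in this same PR annotates as `# v7`, so this hunk bumps that action a major version while the change is described as pin-only; either pin to the v6 commit or call the bump out explicitly in the changelog. The hash-only pins also drop the human-readable version, so append the tag as a trailing comment, e.g. `uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2`, so that reviewers and pin-updating tooling can tell which release each hash is.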
Expand All @@ -38,11 +38,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: "3.10"
poetry-version: "2.3.0"
Expand All @@ -63,11 +63,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: ${{ matrix.python-versions }}
poetry-version: "2.3.0"
Expand All @@ -78,7 +78,7 @@ jobs:

- name: Upload Artifacts
id: upload-artifacts
uses: actions/upload-artifact@v7
uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
with:
name: lint-python${{ matrix.python-versions }}
path: |
Expand All @@ -98,11 +98,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: ${{ matrix.python-versions }}
poetry-version: "2.3.0"
Expand All @@ -124,11 +124,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: ${{ matrix.python-versions }}
poetry-version: "2.3.0"
Expand All @@ -139,7 +139,7 @@ jobs:

- name: Upload Artifacts
id: upload-artifacts
uses: actions/upload-artifact@v7
uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
with:
name: security-python${{ matrix.python-versions }}
path: .security.json
Expand All @@ -153,11 +153,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: "3.10"
poetry-version: "2.3.0"
Expand All @@ -175,11 +175,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: "3.10"
poetry-version: "2.3.0"
Expand All @@ -196,11 +196,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: "3.10"
poetry-version: "2.3.0"
Expand All @@ -227,7 +227,7 @@ jobs:
fetch-depth: 0
- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: ${{ matrix.python-versions }}
poetry-version: "2.3.0"
Expand All @@ -238,7 +238,7 @@ jobs:

- name: Upload Artifacts
id: upload-artifacts
uses: actions/upload-artifact@v7
uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
with:
name: coverage-python${{ matrix.python-versions }}-fast
path: .coverage
8 changes: 4 additions & 4 deletions .github/workflows/gh-pages.yml


4 changes: 2 additions & 2 deletions .github/workflows/matrix-all.yml


4 changes: 2 additions & 2 deletions .github/workflows/matrix-exasol.yml


4 changes: 2 additions & 2 deletions .github/workflows/matrix-python.yml


6 changes: 3 additions & 3 deletions .github/workflows/report.yml


6 changes: 3 additions & 3 deletions .github/workflows/slow-checks.yml
Expand Up @@ -25,11 +25,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v6
uses: "exasol/python-toolbox/.github/actions/python-environment@de9c841d1e0c1d59b267900baf25da913330a25a"
with:
python-version: ${{ matrix.python-version }}
poetry-version: "2.3.0"
Expand All @@ -39,7 +39,7 @@ jobs:
run: poetry run -- nox -s test:integration -- --coverage
- name: Upload Artifacts
id: upload-artifacts
uses: actions/upload-artifact@v7
uses: "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a"
with:
name: coverage-python${{ matrix.python-version }}-exasol${{ matrix.exasol-version }}-slow
path: .coverage
4 changes: 4 additions & 0 deletions doc/changes/unreleased.md
@@ -1,3 +1,7 @@
# Unreleased

## Summary

## Security Issues

* #812: Switched GitHub actions from versioned to be pinned with SHAs
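Review bot: the entry under `## Security Issues` should also record the version change that rides along with the pinning: the workflows move from `python-environment@v6` to the commit annotated `# v7` in config.py, which projects regenerating their workflows will pick up. It is also worth stating that downstream projects only receive new pins when they upgrade the toolbox and regenerate, since the hashes are defaults baked into `GitHubActionPins`. Minor wording: "Switched GitHub actions from version tags to commit SHA pins" reads more cleanly than "from versioned to be pinned with SHAs".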
37 changes: 37 additions & 0 deletions exasol/toolbox/config.py
Expand Up @@ -86,6 +86,7 @@ def valid_version_string(version_string: str) -> str:

ValidPluginHook = Annotated[type[Any], AfterValidator(validate_plugin_hook)]
ValidVersionStr = Annotated[str, AfterValidator(valid_version_string)]
SHA_1 = Annotated[str, Field(pattern=r"^[0-9a-fA-F]{40}$")]

DEFAULT_EXCLUDED_PATHS = {
".eggs",
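Review bot: `SHA_1` validates only the shape of the string (40 hex characters); nothing checks that a configured hash exists in the named action repository or matches the version noted beside it, so a mistyped hash passes validation and is rendered into every generated workflow, failing only when the workflow runs. Consider at least a test that resolves each default against its repository, or documenting that operators must verify hashes they override. Style point: the neighbouring aliases use CapWords (`ValidPluginHook`, `ValidVersionStr`), so `Sha1` or `CommitSha` would be consistent with them; `SHA_1` reads as a module constant.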
Expand Down Expand Up @@ -121,6 +122,37 @@ def check_minimum_version(cls, v: str, info: ValidationInfo) -> str:
return v


class GitHubActionPins(BaseModel):
"""
GitHub action pins for use in the workflow templates.
"""

checkout: SHA_1 = Field(
default="de0fac2e4500dabe0009e67214ff5f5447ce83dd", # v6.0.2
description="Commit SHA for actions/checkout",
)
deploy_pages: SHA_1 = Field(
default="cd2ce8fcbc39b97be8ca5fce6e763baed58fa128", # v5.0.0
description="Commit SHA for actions/deploy-pages",
)
download_artifact: SHA_1 = Field(
default="3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c", # v8.0.1
description="Commit SHA for actions/download-artifact",
)
ptb_python: SHA_1 = Field(
default="de9c841d1e0c1d59b267900baf25da913330a25a", # v7
description="Commit SHA for exasol/python-toolbox/.github/actions/python-environment",
)
upload_artifact: SHA_1 = Field(
default="043fb46d1a93c77aae656e7c1c64a875d1fc6a0a", # v7.0.1
description="Commit SHA for actions/upload-artifact",
)
upload_pages_artifact: SHA_1 = Field(
default="fc324d3547104276b827a68afc52ff2a11cc49c9", # v5.0.0
description="Commit SHA for actions/upload-pages-artifact",
)


class BaseConfig(BaseModel):
"""
Basic configuration for projects using the PTB
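Review bot: the version each default corresponds to lives only in a trailing comment (`# v6.0.2`, `# v7`), so comment and hash can drift apart with no test catching it; carrying the tag alongside the hash (for example a small model with `sha` and `version` fields) would let the templates render both and a unit test compare them. `ptb_python` is also annotated with the floating major tag `# v7`, whereas the other pins carry exact releases (`v5.0.0`, `v7.0.1`, `v8.0.1`); record the exact release that commit belongs to. Finally, `BaseConfig` below is `frozen=True`; giving `GitHubActionPins` the same `model_config` keeps pins immutable after loading.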
Expand Down Expand Up @@ -191,6 +223,10 @@ class BaseConfig(BaseModel):
are supported.
""",
)
github_action_pins: GitHubActionPins = Field(
default_factory=GitHubActionPins,
description="This is used to specify the GitHub action pins used in the workflow templates.",
)
model_config = ConfigDict(frozen=True, arbitrary_types_allowed=True)

@computed_field # type: ignore[misc]
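Review bot: this field is the override point for projects that need a different commit (for example `github_action_pins=GitHubActionPins(checkout="...")`), but the PR adds no user documentation for it; a short section in the PTB docs describing how to override a pin and how to verify the hash before doing so would help adopters. The description string could also be shortened to "Commit SHA pins for the GitHub actions used in the workflow templates."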
Expand Down Expand Up @@ -280,6 +316,7 @@ def github_template_dict(self) -> dict[str, Any]:
configurations.
"""
return {
"github_action_pins": self.github_action_pins.model_dump(),
"dependency_manager_version": self.dependency_manager.version,
"minimum_python_version": self.minimum_python_version,
"os_version": self.os_version,
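Review bot: `self.github_action_pins.model_dump()` hands the templates a plain dict, which matches the `(( github_action_pins.checkout ))` lookups in the template hunks; because no `include`/`exclude` is passed, any field added to `GitHubActionPins` later becomes available automatically, but a template referencing a key that does not exist will only fail at render time, so a rendering test that exercises every workflow template against the default config would catch that early.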
Expand Up @@ -15,11 +15,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@(( github_action_pins.checkout ))"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v7
uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))"
with:
python-version: "(( minimum_python_version ))"
poetry-version: "(( dependency_manager_version ))"
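Review bot: the rendered `uses:` lines carry a bare hash and no version comment, so in downstream repositories nothing maps `de9c841d1e0c1d59b267900baf25da913330a25a` back to a release; render the tag as a trailing comment, e.g. `uses: "actions/checkout@(( github_action_pins.checkout ))" # (( github_action_pins.checkout_version ))`, assuming a version field is added to the pins model, which is what the author's own comment on checks.yml proposes. Note that this template previously referenced `@v7` while the repository's own checks.yml still referenced `@v6`, which is consistent with the `# v7` annotation in config.py and confirms that the repository workflows are being bumped, not just pinned.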
Expand Up @@ -13,11 +13,11 @@ jobs:
steps:
- name: Check out Repository
id: check-out-repository
uses: actions/checkout@v6
uses: "actions/checkout@(( github_action_pins.checkout ))"

- name: Set up Python & Poetry Environment
id: set-up-python-and-poetry-environment
uses: exasol/python-toolbox/.github/actions/python-environment@v7
uses: "exasol/python-toolbox/.github/actions/python-environment@(( github_action_pins.ptb_python ))"
with:
python-version: "(( minimum_python_version ))"
poetry-version: "(( dependency_manager_version ))"