
fix(ci): pin Go dev tool versions to prevent supply chain attacks#76

Merged

jongio merged 1 commit into main from auto/secops/2026-05-17 on May 18, 2026

Conversation

jongio (Owner) commented May 17, 2026

What

Pin Go dev tool versions in CI workflow to specific releases instead of using @latest.

Why

Using @latest resolves to whatever version the Go module proxy returns at build time. If an attacker publishes a malicious version of any tool, all subsequent CI runs would execute it with full repository access (CWE-829).

Changes

  Tool          Before    After
  gofumpt       @latest   @v0.10.0
  deadcode      @latest   @v0.45.0
  mage          @latest   @v1.17.2
  govulncheck   @latest   @v1.3.0

Verification

  • All tests pass
  • Build succeeds
  • Lint passes

Closes #74

Pin gofumpt, deadcode, mage, and govulncheck to specific versions
instead of using @latest. This ensures CI builds are reproducible
and prevents a compromised upstream from injecting malicious code.

Pinned versions:
- gofumpt v0.10.0
- deadcode v0.45.0 (golang.org/x/tools)
- mage v1.17.2
- govulncheck v1.3.0

Closes #74

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
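A check for the condition the PR description raises, added here as an example and not part of the PR or the project: it scans workflow lines for `go install` targets pinned to @latest (or to a branch name) and fails when any are found, so a regression back to floating versions is caught in review. The workflow lines are constructed to mirror the Before/After table; the module import paths are the tools' upstream paths and are assumed rather than taken from the PR.

```shell
#!/bin/sh
# Added example, not the PR's own code: detect unpinned `go install` targets
# in CI workflow text before they reach a branch.

# Constructed sample modelled on the PR's "Before" column (all @latest).
WORKFLOW_BEFORE='      - run: go install mvdan.cc/gofumpt@latest
      - run: go install golang.org/x/tools/cmd/deadcode@latest
      - run: go install github.com/magefile/mage@latest
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest'

# Constructed sample with the PR's "After" versions (module paths assumed).
WORKFLOW_AFTER='      - run: go install mvdan.cc/gofumpt@v0.10.0
      - run: go install golang.org/x/tools/cmd/deadcode@v0.45.0
      - run: go install github.com/magefile/mage@v1.17.2
      - run: go install golang.org/x/vuln/cmd/govulncheck@v1.3.0'

# unpinned_tools: read workflow text on stdin and print the module path of
# every `go install` target whose version is @latest, @master, @main, or
# absent. A tagged version such as @v0.10.0 is considered pinned.
unpinned_tools() {
  grep -oE 'go install [^ ]+' |
    sed 's/^go install //' |
    awk -F'@' 'NF < 2 || $2 ~ /^(latest|master|main)$/ { print $1 }'
}

# check_workflow: return 0 when every target is pinned, 1 otherwise,
# listing the offending module paths on stderr for the CI log.
check_workflow() {
  found=$(printf '%s\n' "$1" | unpinned_tools)
  if [ -n "$found" ]; then
    printf 'unpinned go install targets:\n%s\n' "$found" >&2
    return 1
  fi
  return 0
}

check_workflow "$WORKFLOW_BEFORE" || echo "before: FAIL (expected)"
check_workflow "$WORKFLOW_AFTER" && echo "after: OK"
```

Pinning fixes which version is built; the integrity of that version is still verified against the Go checksum database (GOSUMDB) that `go install module@version` consults by default, so both controls apply together.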
@jongio jongio merged commit 4650155 into main May 18, 2026
2 checks passed
@jongio jongio deleted the auto/secops/2026-05-17 branch May 18, 2026 03:25