
Ci: SHA-pin GitHub Actions versions 0.0.45#83

Merged
kickthemoon0817 merged 2 commits into
mainfrom
feat/ci-pin-action-shas
May 5, 2026

Conversation

@kickthemoon0817
Owner

Summary

Closes the iter22 deferred MEDIUM (mutable action tags). The 6
uses: owner/repo@vN references in ci.yml are now pinned to
the specific commit SHA each tag currently resolves to.

Changes

Action                Before   After (SHA # human-readable tag)
actions/checkout      @v4      @34e114876b... # v4.3.1
actions/setup-python  @v5      @a26af69be9... # v5.6.0
astral-sh/setup-uv    @v3      @caf0cab7a6... # v3.2.4

The major-version intent is preserved via the inline comment so
maintainers can see at a glance which patch each pin represents.

Why

A future tag force-push or upstream account compromise can no
longer substitute malicious code into the CI runner. The SHA is
content-addressed and immutable; the runner downloads exactly the
artifact this PR was reviewed against.

How to Test

The PR push itself is the test — both jobs (unit-tests matrix +
packaging-gate) should run green with the SHA pins. iter22's
concurrency group + permissions: contents: read carry
over unchanged.

Renewal Cadence

Re-pin to the latest patch SHA within each major every 6-12 months
via Renovate / Dependabot / pinact. iter23 does this manually as
a one-shot baseline.

Checklist

Testing

  • Local YAML validation still parses cleanly (no schema change).
  • CI workflow run will be the live verification.

Compatibility

  • No source-code changes outside the workflow file +
    4-file version bump.
  • Major-version contract preserved — same Python version
    matrix, same uv install path, same test invocation.

Documentation

  • Commit message documents the renewal cadence guidance.

Closes the iter22 deferred MEDIUM (mutable action tags). Replaces
the 6 'uses: owner/repo@vN' references in ci.yml with the
specific commit SHA each tag currently resolves to:

- actions/checkout: v4 -> 34e114876b...  (v4.3.1)
- actions/setup-python: v5 -> a26af69be9...  (v5.6.0)
- astral-sh/setup-uv: v3 -> caf0cab7a6...  (v3.2.4)

The major-version contract is preserved via inline comments so
the human-readable intent (matrix supports each major) stays
visible. A future tag force-push or upstream account compromise
can no longer substitute malicious code into the CI runner — the
SHA is content-addressed and immutable.

Recommended renewal cadence: re-pin to the latest patch SHA
within each major every 6-12 months via Renovate, Dependabot,
or pinact. iter23 does this manually as a one-shot baseline.

CI run on this branch is the live verification — the workflow
must still complete green with the SHA pins in place.
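The tag-versus-SHA distinction the description and commit message rely on can be checked mechanically before merge. The following is an added example, not code from this PR or the project: a small Python audit that parses the `uses:` lines of a workflow, flags references still on a mutable tag or branch, and separates SHA pins that carry the human-readable `# vX.Y.Z` comment from those that do not. The embedded sample workflow and its SHAs are constructed placeholders, and `audit_uses.py` is a hypothetical file name.

```python
import re
import sys

# One `uses:` step line: target is owner/repo[/path]@ref, ./local/path or docker://image.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # a full commit SHA is content-addressed
TAG_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*$")  # the "# v4.3.1" style comment this PR adds

def classify(target, comment):
    """pinned: SHA + tag comment (this PR's layout); sha-no-tag: SHA without the
    human-readable comment; mutable: tag/branch a force-push can move; local: ./ or docker://"""
    if target.startswith("./") or target.startswith("docker://"):
        return "local"
    _, _, ref = target.rpartition("@")
    if not SHA_RE.match(ref):
        return "mutable"
    return "pinned" if comment and TAG_COMMENT_RE.match(comment.strip()) else "sha-no-tag"

def audit_workflow(text):
    """Return [(line_no, target, status)] for every uses: line in a workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((n, m.group("target"), classify(m.group("target"), m.group("comment"))))
    return findings

def mutable_refs(text):
    """The subset a pre-merge gate would reject: references still on a tag or branch."""
    return [(n, t) for n, t, s in audit_workflow(text) if s == "mutable"]

# Constructed sample workflow; the SHAs are placeholder values, not real upstream commits.
SAMPLE_CI_YML = """\
jobs:
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef  # v4.3.1
      - uses: actions/setup-python@cafebabecafebabecafebabecafebabecafebabe
      - uses: astral-sh/setup-uv@v3
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    # Usage: python audit_uses.py [path/to/ci.yml]; exits 1 if any mutable reference remains.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CI_YML
    for n, target, status in audit_workflow(text):
        print(f"{n:4d}  {status:10s}  {target}")
    sys.exit(1 if mutable_refs(text) else 0)
```

Run against `.github/workflows/ci.yml` as a pre-merge step, the non-zero exit catches a tag slipping back in after a re-pin, and the `sha-no-tag` status catches a pin that lost its human-readable comment.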
@kickthemoon0817 kickthemoon0817 merged commit 6649636 into main May 5, 2026
8 checks passed
@kickthemoon0817 kickthemoon0817 deleted the feat/ci-pin-action-shas branch May 5, 2026 10:28
