Add validate-action-pins tool to ci-tools image#18
Merged
Conversation
Shell script that verifies GitHub Actions SHA pins match their claimed tags via the GitHub REST API. Wired through the full resolve/build/verify pipeline as a first-class versioned tool. Also adds missing stylelint and chktex entries to the README tools table and acknowledgments. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pin all GitHub Actions in CI and publish workflows to commit SHAs for supply-chain security. Add validate-action-pins to the lint-actions Makefile target, preferring the container-installed version with a repo-copy fallback for bare metal. Gracefully skip validation when dependencies (curl, jq) are missing. Extend shellcheck coverage to repo-local scripts and document local-script conventions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
CI workflows pin GitHub Actions to commit SHAs for supply-chain security, but nothing verified that a pinned SHA actually matched its claimed tag. This PR ships a validation tool in the ci-tools image that resolves tags via the GitHub API and compares them against pinned SHAs, catching mismatches automatically during `make lint`.
Related Issues
Fixes #14
Changes
- `validate-action-pins` shell script that parses `uses:` lines, resolves tags via the GitHub REST API (handling both lightweight and annotated tags), and exits non-zero on mismatch
- Wired through the resolve/build/verify pipeline (`resolve_local` helper, lockfile entry, Dockerfile, compose args, verify check)
- Added to `make lint` via the `lint-actions` target, preferring the container-installed version with a repo-copy fallback for bare metal
- Added `jq` to the ci-tools image for GitHub API response parsing
- `images/*/bin/`
- `docs/how-to/add-image.md`
- Added `stylelint` and `chktex` entries to the README tools table and acknowledgments
Further Comments
The script gracefully degrades when dependencies (`curl`, `jq`) are missing or the GitHub API is unreachable — it warns and exits 0. This means CI will pass on the current published image (which lacks `jq`) and begin enforcing once the new image ships.
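The tag-resolution and graceful-degradation logic the description outlines, written here as an added Python example rather than the PR's own shell script: it parses pinned `uses:` lines, follows the GitHub `git/ref/tags/{tag}` and `git/tags/{sha}` endpoints (dereferencing annotated tags), and reports a skip instead of a failure when the API cannot be reached. The `example-org` action names, the canned responses, and the `demo()` helper are constructed for the offline run.

```python
import json
import re
from urllib.request import Request, urlopen
API = "https://api.github.com"
# Matches `uses: owner/repo[/path]@<40-hex sha>  # vX.Y.Z`, the pinned-plus-comment form.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]+)?@([0-9a-f]{40})\s*#\s*(\S+)", re.MULTILINE)

def github_get(url):
    """Live fetcher: GET a GitHub REST endpoint and decode the JSON body."""
    req = Request(url, headers={"Accept": "application/vnd.github+json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

def resolve_tag(owner, repo, tag, fetch=github_get):
    """Return the commit SHA a tag points at, dereferencing annotated tags."""
    obj = fetch(f"{API}/repos/{owner}/{repo}/git/ref/tags/{tag}")["object"]
    if obj["type"] == "commit":  # lightweight tag: the ref already names the commit
        return obj["sha"]
    if obj["type"] == "tag":     # annotated tag: ref -> tag object -> commit
        return fetch(f"{API}/repos/{owner}/{repo}/git/tags/{obj['sha']}")["object"]["sha"]
    raise ValueError(f"unexpected ref object type {obj['type']!r}")

def check_pins(workflow_text, fetch=github_get):
    """Return (status, messages): status is 'ok', 'mismatch', or 'skipped' if the API is unreachable."""
    mismatches = []
    for owner, repo, sha, tag in USES_RE.findall(workflow_text):
        try:
            resolved = resolve_tag(owner, repo, tag, fetch)
        except (OSError, KeyError, ValueError) as exc:
            # Degrade gracefully, as the PR describes: warn rather than fail the build.
            return "skipped", [f"warning: could not resolve {owner}/{repo}@{tag}: {exc}"]
        if resolved != sha:
            mismatches.append(f"{owner}/{repo}@{tag}: pinned {sha[:12]} but tag is {resolved[:12]}")
    return ("mismatch" if mismatches else "ok"), mismatches

# Constructed sample: canned API responses and a workflow whose second pin is stale.
GOOD, STALE, TAGOBJ = "a" * 40, "b" * 40, "c" * 40
CANNED = {
    f"{API}/repos/example-org/act-light/git/ref/tags/v1.2.0": {"object": {"type": "commit", "sha": GOOD}},
    f"{API}/repos/example-org/act-annot/git/ref/tags/v2.0.0": {"object": {"type": "tag", "sha": TAGOBJ}},
    f"{API}/repos/example-org/act-annot/git/tags/{TAGOBJ}": {"object": {"type": "commit", "sha": GOOD}},
}
SAMPLE_WORKFLOW = f"""steps:
  - uses: example-org/act-light@{GOOD}  # v1.2.0
  - uses: example-org/act-annot@{STALE}  # v2.0.0
"""

def demo():
    return check_pins(SAMPLE_WORKFLOW, fetch=lambda url: CANNED[url])
```

Swap `fetch=github_get` back in (the default) to run the same check against the live API; unauthenticated requests are subject to GitHub's rate limit.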