
fix: pin inputs#17471

Merged
viyatb-oai merged 4 commits into main from codex/viyatb/rust-supply-chain-hardening
Apr 14, 2026

Conversation

@viyatb-oai
Collaborator

@viyatb-oai viyatb-oai commented Apr 11, 2026

Summary

  • Pin Rust git patch dependencies to immutable revisions and make cargo-deny reject unknown git and registry sources unless explicitly allowlisted.
  • Add checked-in SHA-256 coverage for the current rusty_v8 release assets, wire those hashes into Bazel, and verify CI override downloads before use.
  • Add rusty_v8 MODULE.bazel update/check tooling plus a Bazel CI guard so future V8 bumps cannot drift from the checked-in checksum manifest.
  • Pin release/lint cargo installs and all external GitHub Actions refs to immutable inputs.

Future V8 bump flow

Run these after updating the resolved v8 crate version and checksum manifest:

python3 .github/scripts/rusty_v8_bazel.py update-module-bazel
python3 .github/scripts/rusty_v8_bazel.py check-module-bazel

The update command rewrites the matching rusty_v8_<crate_version> http_file SHA-256 values in MODULE.bazel from third_party/v8/rusty_v8_<crate_version>.sha256. The check command is also wired into Bazel CI to block drift.

Notes

  • This intentionally excludes RustSec dependency upgrades and bubblewrap-related changes per request.
  • The branch was rebased onto the latest origin/main before opening the PR.

Validation

  • cargo fetch --locked
  • cargo deny check advisories
  • cargo deny check
  • cargo deny check sources
  • python3 .github/scripts/rusty_v8_bazel.py check-module-bazel
  • python3 .github/scripts/rusty_v8_bazel.py update-module-bazel
  • python3 -m unittest discover -s .github/scripts -p 'test_rusty_v8_bazel.py'
  • python3 -m py_compile .github/scripts/rusty_v8_bazel.py .github/scripts/rusty_v8_module_bazel.py .github/scripts/test_rusty_v8_bazel.py
  • repo-wide GitHub Actions uses: audit: all external action refs are pinned to 40-character SHAs
  • yq eval on touched workflows and local actions
  • git diff --check
  • just bazel-lock-check

Hash verification

  • Confirmed MODULE.bazel hashes match third_party/v8/rusty_v8_146_4_0.sha256.
  • Confirmed GitHub release asset digests for denoland/rusty_v8 v146.4.0 and openai/codex rusty-v8-v146.4.0 match the checked-in hashes.
  • Streamed and SHA-256 hashed all 10 MODULE.bazel rusty_v8 asset URLs locally; every downloaded byte stream matched both MODULE.bazel and the checked-in manifest.

Pin verification

  • Confirmed signing-action pins match the peeled commits for their tag comments: sigstore/cosign-installer@v3.7.0, azure/login@v2, and azure/trusted-signing-action@v0.
  • Pinned the remaining tag-based action refs in Bazel CI/setup: actions/setup-node@v6, facebook/install-dotslash@v2, bazelbuild/setup-bazelisk@v3, and actions/cache/restore@v5.
  • Normalized all bazelbuild/setup-bazelisk@v3 refs to the peeled commit behind the annotated tag.
  • Audited Cargo git dependencies: every manifest git dependency uses rev only, every Cargo.lock git source has ?rev=<sha>#<same-sha>, and cargo deny check sources passes with required-git-spec = "rev".
  • Shallow-fetched each distinct git dependency repo at its pinned SHA and verified Git reports each object as a commit.
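
The update/check flow the description lays out (rewrite each rusty_v8_<crate_version> http_file SHA-256 from the checked-in .sha256 manifest, then fail CI on drift) together with the "verify CI override downloads before use" step, as an added example in Python. This is not the PR's rusty_v8_bazel.py or rusty_v8_module_bazel.py and does not reproduce their interfaces: the sha256sum-style manifest format, the buildifier-style http_file layout, the rule that a block is matched to its manifest entry by the last path component of its first URL, and every asset name, URL, content and digest in the sample data are assumptions constructed for this illustration.

```python
"""Sync MODULE.bazel http_file sha256 values with a checked-in checksum manifest.

Added example, not the PR's rusty_v8_bazel.py. Assumed here: a sha256sum-style
manifest ("<hex>  <asset file name>"), buildifier-formatted http_file blocks,
and that an http_file is matched to its manifest entry by the last path
component of its first URL.
"""
import hashlib
import hmac
import io
import re

MANIFEST_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$")
HTTP_FILE = re.compile(r"http_file\((?P<body>.*?)\n\)", re.DOTALL)  # closing paren on its own line
NAME = re.compile(r'name\s*=\s*"([^"]+)"')
SHA256 = re.compile(r'sha256\s*=\s*"([0-9a-fA-F]*)"')
FIRST_URL = re.compile(r'urls?\s*=\s*\[?\s*"([^"]+)"')

def parse_manifest(text):
    """Parse manifest lines into {asset file name: lowercase hex digest}; reject malformed lines."""
    hashes = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <file>', got {raw!r}")
        digest, asset = m.groups()
        if hashes.get(asset, digest) != digest:
            raise ValueError(f"manifest: conflicting digests for {asset}")
        hashes[asset] = digest
    return hashes

def http_files(module_text, name_prefix):
    """Return (name, sha256, asset file name) for each http_file whose name starts with the prefix."""
    found = []
    for m in HTTP_FILE.finditer(module_text):
        body = m.group("body")
        name = NAME.search(body)
        if not name or not name.group(1).startswith(name_prefix):
            continue
        sha, url = SHA256.search(body), FIRST_URL.search(body)
        if not sha or not url:
            raise ValueError(f"http_file {name.group(1)}: missing sha256 or urls")
        found.append((name.group(1), sha.group(1).lower(), url.group(1).rsplit("/", 1)[-1]))
    return found

def check_module(module_text, manifest, name_prefix):
    """Return drift messages in both directions; an empty list means the two agree."""
    problems, seen = [], set()
    for name, sha, asset in http_files(module_text, name_prefix):
        seen.add(asset)
        if asset not in manifest:
            problems.append(f"{name}: asset {asset} has no manifest entry")
        elif sha != manifest[asset]:
            problems.append(f"{name}: sha256 {sha} != manifest {manifest[asset]}")
    for asset in sorted(set(manifest) - seen):
        problems.append(f"manifest entry {asset} has no http_file named {name_prefix}*")
    return problems

def update_module(module_text, manifest, name_prefix):
    """Rewrite the sha256 of every matching http_file from the manifest; other blocks are untouched."""
    def rewrite(m):
        body = m.group("body")
        name = NAME.search(body)
        if not name or not name.group(1).startswith(name_prefix):
            return m.group(0)
        url = FIRST_URL.search(body)
        asset = url.group(1).rsplit("/", 1)[-1] if url else None
        if asset not in manifest:
            raise KeyError(f"{name.group(1)}: no manifest entry for {asset}")
        return m.group(0).replace(body, SHA256.sub(f'sha256 = "{manifest[asset]}"', body, count=1))
    return HTTP_FILE.sub(rewrite, module_text)

def verify_stream(stream, expected_hex, chunk_size=1 << 20):
    """Hash a downloaded asset in chunks and compare with its manifest digest before it is used."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected_hex.lower())

def verify_bytes(data, expected_hex):
    """verify_stream over in-memory bytes."""
    return verify_stream(io.BytesIO(data), expected_hex)

# Constructed sample data: asset names, URLs and contents are placeholders, not real V8 releases.
ASSET_BYTES = {
    "librusty_v8_release_x86_64-unknown-linux-gnu.a.gz": b"constructed linux asset\n",
    "librusty_v8_release_aarch64-apple-darwin.a.gz": b"constructed macos asset\n",
}
MANIFEST_TEXT = "".join(f"{hashlib.sha256(d).hexdigest()}  {a}\n" for a, d in ASSET_BYTES.items())
_LINUX_SHA = hashlib.sha256(ASSET_BYTES["librusty_v8_release_x86_64-unknown-linux-gnu.a.gz"]).hexdigest()
_STALE_SHA, _OTHER_SHA = "0" * 64, "1" * 64
_BASE = "https://github.com/denoland/rusty_v8/releases/download/v146.4.0/"
SAMPLE_MODULE = f'''\
http_file(
    name = "rusty_v8_146_4_0_x86_64_unknown_linux_gnu",
    sha256 = "{_LINUX_SHA}",
    urls = ["{_BASE}librusty_v8_release_x86_64-unknown-linux-gnu.a.gz"],
)

http_file(
    name = "rusty_v8_146_4_0_aarch64_apple_darwin",
    sha256 = "{_STALE_SHA}",
    urls = ["{_BASE}librusty_v8_release_aarch64-apple-darwin.a.gz"],
)

http_file(
    name = "unrelated_tool",
    sha256 = "{_OTHER_SHA}",
    urls = ["https://example.invalid/unrelated.tar.gz"],
)
'''
```

check_module reports drift in both directions, so a manifest entry with no http_file fails as loudly as a stale hash, and update_module only touches blocks whose name carries the prefix, so unrelated http_file entries keep their digests. verify_stream hashes in fixed-size chunks and compares with hmac.compare_digest, which is the shape a CI step needs when the override asset is large and must be checked before anything extracts it.
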

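Two of the audits listed above, the repo-wide check that every external GitHub Actions uses: ref is a 40-character commit SHA and the check that Cargo git dependencies use rev only with Cargo.lock sources of the form ?rev=<sha>#<same-sha>, as an added example in Python. It is not the PR's tooling: the line-oriented parsing, skipping local ./ actions, not parsing [dependencies.x] tables, and the placeholder SHAs and sample files are assumptions made for this illustration.

```python
"""Audit immutable pins in GitHub Actions workflows and Cargo git dependencies.

Added example, not the PR's audit tooling. Line-oriented parsing, the handling
of local "./" actions and the messages are assumptions; the two invariants
checked are the PR's: external `uses:` refs pinned to a 40-hex commit SHA, and
git sources locked as ?rev=<sha>#<same sha> with rev-only manifest entries.
"""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
# Cargo.lock form: source = "git+<url>?<query>#<resolved commit>"
GIT_SOURCE = re.compile(r'^source = "git\+(?P<url>[^"?#]+)(?:\?(?P<query>[^"#]*))?(?:#(?P<frag>[^"]*))?"$')
# Cargo.toml inline-table git dep: name = { git = "...", rev = "..." }
INLINE_GIT_DEP = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*\{([^}]*\bgit\s*=[^}]*)\}")

def audit_workflow(text):
    """Flag every external `uses:` ref that is not a full commit SHA (tags and branches are mutable)."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite action / image reference: outside this audit's scope
        action, _, rev = ref.rpartition("@")
        if not action:
            problems.append(f"line {lineno}: {ref}: no @ref at all")
        elif not SHA40.match(rev):
            problems.append(f"line {lineno}: {action}@{rev}: not a 40-hex commit SHA")
    return problems

def audit_cargo_lock(text):
    """Flag git sources pinned by branch/tag, by a short rev, or whose resolved commit != rev."""
    problems, package = [], "?"
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("name = "):
            package = line.split('"')[1]
        m = GIT_SOURCE.match(line)
        if not m:
            continue
        query = dict(kv.split("=", 1) for kv in (m.group("query") or "").split("&") if "=" in kv)
        rev, frag = query.get("rev"), m.group("frag")
        where = f"line {lineno} ({package})"
        if rev is None:
            problems.append(f"{where}: git source uses {','.join(sorted(query)) or 'no spec'} rather than rev")
        elif not SHA40.match(rev):
            problems.append(f"{where}: rev={rev} is not a full 40-hex SHA")
        elif frag != rev:
            problems.append(f"{where}: resolved commit {frag} differs from rev={rev}")
    return problems

def audit_cargo_manifest(text):
    """Flag inline-table git deps that use branch/tag or omit rev ([dependencies.x] tables not parsed)."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = INLINE_GIT_DEP.match(line)
        if not m:
            continue
        keys = set(re.findall(r"\b(rev|branch|tag)\s*=", m.group(2)))
        if keys != {"rev"}:
            problems.append(f"line {lineno}: {m.group(1)}: git dependency must use rev only, has {sorted(keys) or 'no spec'}")
    return problems

# Constructed inputs; the SHAs are placeholders, not real commits.
_SHA_A = "0123456789abcdef0123456789abcdef01234567"
_SHA_B = "fedcba9876543210fedcba9876543210fedcba98"
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    steps:
      - uses: actions/checkout@{_SHA_A} # v5
      - uses: actions/setup-node@v6
      - uses: ./.github/actions/verify-rusty-v8-override
      - name: Install cosign
        uses: 'sigstore/cosign-installer@v3.7.0'
"""
SAMPLE_CARGO_TOML = f"""\
[dependencies]
good = {{ git = "https://github.com/example/good", rev = "{_SHA_A}" }}
floating = {{ git = "https://github.com/example/floating", branch = "main" }}
"""
SAMPLE_CARGO_LOCK = f"""\
[[package]]
name = "good"
version = "0.1.0"
source = "git+https://github.com/example/good?rev={_SHA_A}#{_SHA_A}"

[[package]]
name = "floating"
version = "0.2.0"
source = "git+https://github.com/example/floating?branch=main#{_SHA_B}"

[[package]]
name = "mismatch"
version = "0.3.0"
source = "git+https://github.com/example/mismatch?rev={_SHA_B}#{_SHA_A}"
"""
```

The lock check separates three failures that a plain grep for "rev=" would conflate: a branch or tag spec that will silently move, a rev that is not a full commit identifier, and a rev that disagrees with the resolved commit recorded in the fragment. A workflow ref that carries an "# vN" tag comment after the SHA is accepted because the ref itself is the SHA; the manifest scan is only a lightweight complement to cargo deny check sources with required-git-spec = "rev", which the description lists as the authoritative manifest-side check.
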
Pin Rust git patches to immutable revisions, verify V8 override assets with checked-in checksums, require explicit cargo-deny git sources, and pin release/tooling actions and cargo installs.

Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai changed the title from "[codex] Harden Rust supply chain inputs" to "fix: pin inputs" Apr 11, 2026
Add update and check commands for keeping MODULE.bazel rusty_v8 http_file hashes in sync with the checked-in checksum manifest, then run the check in Bazel CI.

Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai requested review from bolinfest and cconger April 11, 2026 16:42
@viyatb-oai viyatb-oai marked this pull request as ready for review April 11, 2026 16:50
Pin the remaining tag-based action refs in Bazel CI and setup-bazel-ci. Normalize setup-bazelisk v3 pins to the peeled commit behind the annotated tag.

Co-authored-by: Codex noreply@openai.com
Collaborator

@bolinfest bolinfest left a comment


Mostly small comments except for the shared action bit.

Comment thread .github/scripts/rusty_v8_module_bazel.py
Comment thread .github/workflows/bazel.yml Outdated
Comment thread .github/workflows/rust-ci-full.yml Outdated
Comment thread .github/workflows/rust-release.yml Outdated
Extract the duplicated musl rusty_v8 override and checksum verification logic into a local composite action, then use it from release and full CI workflows.

Co-authored-by: Codex noreply@openai.com
@viyatb-oai viyatb-oai enabled auto-merge (squash) April 14, 2026 00:51
@viyatb-oai viyatb-oai merged commit d9a385a into main Apr 14, 2026
30 of 33 checks passed
@viyatb-oai viyatb-oai deleted the codex/viyatb/rust-supply-chain-hardening branch April 14, 2026 01:45
@github-actions github-actions bot locked and limited conversation to collaborators Apr 14, 2026

2 participants