
Remove wait-for-it.j2 macro#490

Merged: bschwedler merged 2 commits into main from worktree-pin-wait-for-it, Apr 29, 2026

Conversation

@bschwedler (Contributor) commented Apr 24, 2026

Summary

This macro downloaded from a mutable GitHub branch (master) with no integrity verification at build time. Vendoring in the consumer repo eliminates the supply chain risk entirely.

Test plan

@bschwedler bschwedler requested a review from ianpittwood as a code owner April 24, 2026 19:23
github-actions bot commented Apr 24, 2026

Test Results

1 447 tests  -2    1 447 ✅  -2    8m 43s ⏱️  -13s
1 suites     ±0        0 💤  ±0
1 files      ±0        0 ❌  ±0

Results for commit 60f226c. ± Comparison against base commit 3fad079.


@ianpittwood ianpittwood force-pushed the worktree-pin-wait-for-it branch from 5991a1b to 18dca0a Compare April 28, 2026 16:05
Completes the SHA pinning started in PR #443. The core build
workflows (ci.yml, bakery-build-*.yml) were already pinned; this
covers the auxiliary workflows that were missed: docs.yml,
hadolint.yml, and the slack-build-notify composite action.

Mutable git tags are the exact vector exploited in the tj-actions
supply chain attack (Unit 42, March 2025) — attackers overwrote
tags to point to malicious commits.

The only consumer (images-workbench) now vendors the script
directly. Removes the macro, its tests, and the CLAUDE.md
reference. This eliminates a build-time download from a mutable
GitHub branch with no integrity verification.
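The two checks behind this PR and the SHA-pinning commit above, as an added example that is not code from this repository: a small Python audit that flags `uses:` refs in a workflow that are tags or branches rather than 40-hex commit SHAs, flags raw.githubusercontent.com downloads whose ref is a branch such as `master`, and verifies vendored or fetched bytes against a pinned SHA-256 digest. The workflow and Dockerfile fragments it runs over are constructed; `example/wait-for-it` and the 40-hex SHA inside them are placeholders, not the actual upstream or a real commit.

```python
"""Flag mutable Git refs in build inputs and verify pinned file content.

Added example, not code from this repository. It covers the two issues in
this PR: `uses:` lines in GitHub Actions workflows pinned to a tag or branch
instead of a commit SHA, and build-time downloads of raw files from a branch
such as `master`. Sample inputs below are constructed; the upstream
`example/wait-for-it` repository and the 40-hex SHA are placeholders.
"""
import hashlib
import hmac
import re

# A full 40-hex commit SHA is the only immutable GitHub ref. Tags and branch
# names can be moved to point at different content.
_COMMIT_SHA = re.compile(r"[0-9a-f]{40}")

# `uses: owner/repo@ref` or `uses: owner/repo/subdir@ref`. Local `./...`
# actions and `docker://` images carry no Git ref and are not matched.
_USES = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(\S+)", re.M)

# https://raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
# A ref containing "/" (release/1.0) is split at the first "/", which still
# yields a non-SHA ref and so is still reported.
_RAW_URL = re.compile(
    r"https://raw\.githubusercontent\.com/[\w.-]+/[\w.-]+/([^/\s]+)/\S+"
)


def is_commit_sha(ref: str) -> bool:
    return _COMMIT_SHA.fullmatch(ref.strip()) is not None


def find_unpinned_uses(workflow_text: str) -> list[tuple[str, str]]:
    """(action, ref) pairs whose ref is a tag or branch rather than a SHA."""
    return [(action, ref) for action, ref in _USES.findall(workflow_text)
            if not is_commit_sha(ref)]


def find_mutable_downloads(text: str) -> list[str]:
    """raw.githubusercontent.com URLs whose ref segment is not a commit SHA."""
    return [m.group(0) for m in _RAW_URL.finditer(text)
            if not is_commit_sha(m.group(1))]


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare fetched or vendored bytes against a pinned digest.

    Pinning the ref fixes which commit is named; checking the digest proves
    the bytes actually received are the ones that were reviewed.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed sample workflow: two actions pinned by tag, one by SHA.
PINNED_SHA = "8a1b2c3d4e5f60718293a4b5c6d7e8f901234567"  # placeholder, not real
WORKFLOW = f"""\
jobs:
  docs:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@{PINNED_SHA} # v5
      - name: Detect changes
        uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/slack-build-notify
"""

# Constructed Dockerfile fragment: the pattern the removed macro produced
# (fetch from `master`), the same fetch pinned to a commit, and vendoring.
DOCKERFILE = f"""\
RUN curl -fsSL https://raw.githubusercontent.com/example/wait-for-it/master/wait-for-it.sh -o /usr/local/bin/wait-for-it
RUN curl -fsSL https://raw.githubusercontent.com/example/wait-for-it/{PINNED_SHA}/wait-for-it.sh -o /usr/local/bin/wait-for-it
COPY scripts/wait-for-it.sh /usr/local/bin/wait-for-it
"""


def audit(workflow_text: str, build_text: str) -> dict[str, list]:
    """Collect both classes of finding for a workflow and a build file."""
    return {
        "unpinned_uses": find_unpinned_uses(workflow_text),
        "mutable_downloads": find_mutable_downloads(build_text),
    }


if __name__ == "__main__":
    for kind, findings in audit(WORKFLOW, DOCKERFILE).items():
        for item in findings:
            print(f"{kind}: {item}")
```

Run as a script it prints the two unpinned actions and the `master` download; the functions are what a pre-commit hook or a CI lint step would call over the real files. The digest check matters even after the ref is pinned: the ref names a commit, the digest proves that what arrived is what was reviewed.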
@bschwedler bschwedler force-pushed the worktree-pin-wait-for-it branch from 18dca0a to 60f226c Compare April 28, 2026 20:04
@bschwedler bschwedler added this pull request to the merge queue Apr 29, 2026
Merged via the queue into main with commit f73b718 Apr 29, 2026
23 checks passed
@bschwedler bschwedler deleted the worktree-pin-wait-for-it branch April 29, 2026 15:07
