
fix: pin third-party actions and trust docker publisher#891

Merged
stack72 merged 1 commit into main from fix/pin-third-party-actions on Mar 27, 2026

Conversation

@stack72
Contributor

@stack72 stack72 commented Mar 27, 2026

Summary

  • Pin dorny/paths-filter, softprops/action-gh-release, and peter-evans/repository-dispatch to full commit SHAs for supply chain security
  • Add docker to TRUSTED_PUBLISHERS in scripts/audit_actions.ts so docker/* actions are accepted with tag-only pins

Test Plan

  • deno fmt --check, deno lint, and deno run test all pass
  • CI security review should no longer flag unpinned third-party actions

Pin dorny/paths-filter, softprops/action-gh-release, and
peter-evans/repository-dispatch to full commit SHAs for supply chain
security. Add docker to TRUSTED_PUBLISHERS in audit_actions.ts so
docker/* actions are accepted with tag-only pins alongside actions/*,
denoland/*, and other trusted publishers.
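The policy the PR describes, as an added example and not the project's own scripts/audit_actions.ts: a checker that reads `uses:` lines from a workflow, accepts a tag-only pin only when the publisher is in a TRUSTED_PUBLISHERS set, and otherwise requires a full 40-hex commit SHA. The publisher list contents, the `auditWorkflow` function and the sample workflow are assumptions constructed for the example.

```typescript
// Added example, not the project's audit script. Assumed publisher list;
// the real one lives in scripts/audit_actions.ts.
const TRUSTED_PUBLISHERS: ReadonlySet<string> = new Set([
  "actions",
  "denoland",
  "docker",
]);

interface Finding {
  line: number;   // 1-based line in the workflow text
  uses: string;   // the raw `uses:` value
  reason: string;
}

// Matches `uses: owner/repo@ref`; the value stops at whitespace, so a
// trailing `# v3` comment (as in the PR's SHA pins) is ignored.
const USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?/;
const SHA_RE = /^[0-9a-fA-F]{40}$/;

function auditWorkflow(yaml: string): Finding[] {
  const findings: Finding[] = [];
  yaml.split("\n").forEach((text, i) => {
    const m = USES_RE.exec(text);
    if (!m) return;
    const uses = m[1];
    // Local paths and docker:// images are not marketplace actions.
    if (uses.startsWith("./") || uses.startsWith("docker://")) return;
    const at = uses.lastIndexOf("@");
    if (at < 0) {
      findings.push({ line: i + 1, uses, reason: "no ref" });
      return;
    }
    const ref = uses.slice(at + 1);
    const slash = uses.indexOf("/");
    const owner = slash < 0 ? uses.slice(0, at) : uses.slice(0, slash);
    if (SHA_RE.test(ref)) return;              // full commit SHA: accepted
    if (TRUSTED_PUBLISHERS.has(owner)) return; // trusted publisher: tag ok
    findings.push({ line: i + 1, uses, reason: `tag-only pin from ${owner}` });
  });
  return findings;
}

// Constructed sample mirroring the PR: docker/* stays tag-pinned and passes,
// the SHA-pinned action passes, and the remaining tag-only action is flagged.
const SAMPLE_WORKFLOW = `
jobs:
  docker:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
      - uses: softprops/action-gh-release@v2
`;
```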

@github-actions github-actions bot left a comment


Code Review

Clean, well-scoped supply chain security hardening. All three commit SHAs verified against their respective tags via the GitHub API:

  • dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 → v3 ✓
  • softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe → v2 ✓
  • peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 → v3 ✓

Blocking Issues

None.

Suggestions

None — this is minimal and correct. The docker entry is properly alphabetized in TRUSTED_PUBLISHERS, and the SHA pins include the version tag as a trailing comment for readability.


@github-actions github-actions bot left a comment


CI Security Review

Critical / High

None.

Medium

  1. release.yml — Docker actions still tag-pinned: The docker/setup-qemu-action@v3, docker/setup-buildx-action@v3, docker/login-action@v3, and docker/build-push-action@v6 actions in the docker job remain pinned by tag only. This PR adds docker to the trusted publishers list (which is a reasonable policy decision given Docker's status as a major publisher), but for maximum supply chain security these could also be SHA-pinned like the other third-party actions in this PR. Not blocking since the trust policy is an explicit, documented decision.

Low

None.

Verdict

PASS — This PR is a pure security improvement. It pins three previously tag-only third-party actions (dorny/paths-filter, softprops/action-gh-release, peter-evans/repository-dispatch) to full commit SHAs, hardening the CI/CD pipeline against supply chain attacks. Adding docker to trusted publishers is a reasonable policy choice consistent with how actions/* and denoland/* are already treated.

@stack72 stack72 merged commit a20ffa2 into main Mar 27, 2026
10 of 11 checks passed
@stack72 stack72 deleted the fix/pin-third-party-actions branch March 27, 2026 16:10