security: Harden release workflow (repo guard + SHA256SUMS)#47
Merged
Align with the security baseline used in williajm/mcp_docker:

- Add `if: github.repository == 'williajm/forgery'` to every job so forks can't run the release workflow (belt-and-suspenders with the trusted-publisher binding and the pypi environment's branch/tag policy).
- Generate SHA256SUMS.txt from the collected dist/* artifacts in the publish job, place it at the workspace root (outside dist/ so PyPI does not receive it), and upload it to the GitHub release.
- Add `contents: write` to the publish job's permissions explicitly so `gh release upload` works for both the SBOM and the new SHA256SUMS upload (job-level permissions replace workflow-level).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Fixes CVE-2025-71176 (pytest through 9.0.2 uses predictable /tmp/pytest-of-{user} directory name, allowing local DoS or privilege escalation).

Regenerated requirements-dev.txt via:

    uv pip compile pyproject.toml --extra dev --universal \
      --generate-hashes --upgrade-package pytest \
      --exclude-newer <3 days ago>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bundled dep bump: pytest 9.0.2 → 9.0.3 (CVE-2025-71176). Was failing pip-audit in CI — fix included here so the PR is mergeable.
Summary

- `release.yml` job to the upstream repo via `if: github.repository == 'williajm/forgery'`
- `SHA256SUMS.txt` from collected dist artifacts, upload to the GitHub release
- `contents: write` to the publish job so `gh release upload` works for both SBOM and SHA256SUMS (job-level permissions replace workflow-level)

Context

Aligns this repo with the security baseline in williajm/mcp_docker. Sister PRs:

Also added a `v*` tag deployment policy to the `pypi` environment (done out-of-band via the GitHub API).

Notes

The existing SBOM release upload relied on the workflow-level `contents: write` but was overridden by the publish job's narrower permissions block. This PR fixes that inadvertently by declaring `contents: write` at job level.

Test plan

- `SHA256SUMS.txt` + SBOM to the GitHub release
- `sha256sum --ignore-missing -c SHA256SUMS.txt` verifies downloaded artifacts

🤖 Generated with Claude Code
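
The checksum flow described in this PR, as an added example that is not part of the pull request or the project's workflow: it builds a manifest beside `dist/` and then runs the test plan's `sha256sum --ignore-missing -c` check against a partial, a modified and an empty download. The artifact names and the helper names `make_sums` and `verify_download` are assumptions, and GNU coreutils `sha256sum` is assumed.

```shell
#!/usr/bin/env bash
# Added example. File names and contents are constructed placeholders;
# make_sums and verify_download are hypothetical helper names.

# Publisher side: hash every file in dist/ by basename and write the manifest
# beside dist/, not inside it, so an "upload dist/*" step never ships it.
make_sums() {            # usage: make_sums <workspace>
  ( cd "$1/dist" && sha256sum -- * ) > "$1/SHA256SUMS.txt"
}

# Consumer side: check whichever artifacts were downloaded next to the manifest.
# --ignore-missing skips entries that are absent locally; GNU sha256sum still
# exits non-zero on a mismatch, or when no listed file could be verified at all.
verify_download() {      # usage: verify_download <download-dir>
  ( cd "$1" && sha256sum --ignore-missing --quiet -c SHA256SUMS.txt ) >/dev/null 2>&1
}

# --- constructed sample release ---
ws=$(mktemp -d); dl=$(mktemp -d); empty=$(mktemp -d)
mkdir "$ws/dist"
printf 'constructed wheel bytes\n' > "$ws/dist/example-0.0.0-py3-none-any.whl"
printf 'constructed sdist bytes\n' > "$ws/dist/example-0.0.0.tar.gz"
make_sums "$ws"

# 1. Only the sdist and the manifest are downloaded: passes.
cp "$ws/SHA256SUMS.txt" "$ws/dist/example-0.0.0.tar.gz" "$dl/"
if verify_download "$dl"; then echo "partial download: verified"; fi

# 2. One byte appended to the artifact: fails.
printf 'x' >> "$dl/example-0.0.0.tar.gz"
if ! verify_download "$dl"; then echo "modified artifact: rejected"; fi

# 3. Manifest alone, nothing to check: also fails rather than passing vacuously.
cp "$ws/SHA256SUMS.txt" "$empty/"
if ! verify_download "$empty"; then echo "no artifacts present: rejected"; fi
```

A manifest stored beside the artifacts detects corruption or a swapped file, but anyone who can write to the release can replace both, so it is an integrity check and not a signature.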