Skip to content

fix(ci): pin SLSA reusable workflow by SHA#245

Merged
rhuanbarreto merged 2 commits into
mainfrom
fix/simple-release-pin
Apr 27, 2026
Merged

fix(ci): pin SLSA reusable workflow by SHA#245
rhuanbarreto merged 2 commits into
mainfrom
fix/simple-release-pin

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

  • Pins the slsa-framework/slsa-github-generator reusable workflow in release-binaries.yml by full commit SHA (@f7dd8c54...) instead of tag (@v2.1.0), resolving OSSF Scorecard code-scanning alert #13
  • Adds CI-001 ADR (Pin GitHub Actions by Commit SHA) with a companion no-unpinned-actions rule that enforces SHA pinning on all third-party uses: references in .github/workflows/*.yml
  • Registers the ci domain in .archgate/config.json for CI/CD governance ADRs

Test plan

  • bun run validate passes (lint, typecheck, format, 690 tests, 23 ADR rules, build)
  • New CI-001/no-unpinned-actions rule passes on all workflow files
  • Verify SLSA provenance generation still works on next release (the pinned SHA f7dd8c54c2067bafc12ca7a55595d5ee9b75204a resolves to v2.1.0)

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 27, 2026

Copy link
Copy Markdown

Deploying archgate-cli with  Cloudflare Pages  Cloudflare Pages

Latest commit: 2668b60
Status: ✅  Deploy successful!
Preview URL: https://713fe1fa.archgate-cli.pages.dev
Branch Preview URL: https://fix-simple-release-pin.archgate-cli.pages.dev

View logs

Pin slsa-framework/slsa-github-generator in release-binaries.yml by
full commit SHA instead of tag reference, resolving OSSF Scorecard
code-scanning alert #13 (Pinned-Dependencies).

Add CI-001 ADR (Pin GitHub Actions by Commit SHA) with a companion
`no-unpinned-actions` rule that enforces SHA pinning on all third-party
`uses:` references in workflow files. Registers the new `ci` domain.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
@rhuanbarreto rhuanbarreto force-pushed the fix/simple-release-pin branch from e6b2182 to ad885a0 Compare April 27, 2026 23:03
@rhuanbarreto rhuanbarreto merged commit 92d4829 into main Apr 27, 2026
10 checks passed
@rhuanbarreto rhuanbarreto deleted the fix/simple-release-pin branch April 27, 2026 23:13
@github-actions github-actions Bot mentioned this pull request Apr 27, 2026
rhuanbarreto added a commit that referenced this pull request Apr 29, 2026
PR #245 SHA-pinned slsa-framework/slsa-github-generator's reusable
workflow to satisfy CI-001, but the SLSA generator's generate-builder.sh
extracts the version from the workflow ref to download the prebuilt
builder binary from a GitHub release. It rejects non-tag refs with
"Invalid ref: <sha>. Expected ref of the form refs/tags/vX.Y.Z" and
exits 2, which broke the v0.31.0 release pipeline (no provenance
generated, downstream upload-assets failed with "path not supplied",
final job exited 27).

Pin the SLSA reusable workflow by tag (@v2.1.0) and document this as a
carved-out exception in CI-001. Update the no-unpinned-actions rule with
a SHA_PIN_EXEMPT_PREFIXES allowlist so the exception is enforced rather
than being a silent gap.

Upstream limitation: slsa-framework/slsa-github-generator#150.
Failing run: https://github.com/archgate/cli/actions/runs/25107195589

Signed-off-by: Rhuan Barreto <rhuan.barreto@gmail.com>
@github-actions github-actions Bot mentioned this pull request Apr 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant