fix(ci): pin SLSA reusable workflow by SHA#245
Merged
Conversation
Deploying archgate-cli with
|
| Latest commit: |
2668b60
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://713fe1fa.archgate-cli.pages.dev |
| Branch Preview URL: | https://fix-simple-release-pin.archgate-cli.pages.dev |
Pin slsa-framework/slsa-github-generator in release-binaries.yml by full commit SHA instead of tag reference, resolving OSSF Scorecard code-scanning alert #13 (Pinned-Dependencies). Add CI-001 ADR (Pin GitHub Actions by Commit SHA) with a companion `no-unpinned-actions` rule that enforces SHA pinning on all third-party `uses:` references in workflow files. Registers the new `ci` domain. Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
e6b2182 to
ad885a0
Compare
Merged
3 tasks
rhuanbarreto
added a commit
that referenced
this pull request
Apr 29, 2026
PR #245 SHA-pinned slsa-framework/slsa-github-generator's reusable workflow to satisfy CI-001, but the SLSA generator's generate-builder.sh extracts the version from the workflow ref to download the prebuilt builder binary from a GitHub release. It rejects non-tag refs with "Invalid ref: <sha>. Expected ref of the form refs/tags/vX.Y.Z" and exits 2, which broke the v0.31.0 release pipeline (no provenance generated, downstream upload-assets failed with "path not supplied", final job exited 27). Pin the SLSA reusable workflow by tag (@v2.1.0) and document this as a carved-out exception in CI-001. Update the no-unpinned-actions rule with a SHA_PIN_EXEMPT_PREFIXES allowlist so the exception is enforced rather than being a silent gap. Upstream limitation: slsa-framework/slsa-github-generator#150. Failing run: https://github.com/archgate/cli/actions/runs/25107195589 Signed-off-by: Rhuan Barreto <rhuan.barreto@gmail.com>
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
slsa-framework/slsa-github-generatorreusable workflow inrelease-binaries.ymlby full commit SHA (@f7dd8c54...) instead of tag (@v2.1.0), resolving OSSF Scorecard code-scanning alert #13no-unpinned-actionsrule that enforces SHA pinning on all third-partyuses:references in.github/workflows/*.ymlcidomain in.archgate/config.jsonfor CI/CD governance ADRsTest plan
bun run validatepasses (lint, typecheck, format, 690 tests, 23 ADR rules, build)CI-001/no-unpinned-actionsrule passes on all workflow filesf7dd8c54c2067bafc12ca7a55595d5ee9b75204aresolves tov2.1.0)