From 3c8ac33ea4f325fb45d353b806352d8af4391f28 Mon Sep 17 00:00:00 2001
From: stack72
Date: Fri, 27 Mar 2026 16:03:45 +0000
Subject: [PATCH] fix: pin third-party actions to commit SHAs and trust docker publisher
Pin dorny/paths-filter, softprops/action-gh-release, and peter-evans/repository-dispatch to full commit SHAs for supply chain security. Add docker to TRUSTED_PUBLISHERS in audit_actions.ts so docker/* actions are accepted with tag-only pins alongside actions/*, denoland/*, and other trusted publishers.
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 scripts/audit_actions.ts | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 265f51e4..7a83a1b7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Check for changes
- uses: dorny/paths-filter@v3
+ uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
 id: filter
 with:
 filters: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f8189593..94508a11 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -143,7 +143,7 @@ jobs:
 } >> /tmp/release_body.md
 - name: Create GitHub Release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
 with:
 tag_name: v${{ steps.version.outputs.version }}
 name: swamp ${{ steps.version.outputs.version }}
@@ -159,7 +159,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Trigger UAT
- uses: peter-evans/repository-dispatch@v3
+ uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
 with:
 token: ${{ secrets.UAT_TRIGGER_TOKEN }}
 repository: systeminit/swamp-uat
diff --git a/scripts/audit_actions.ts b/scripts/audit_actions.ts
index 7db630b1..09a37d2b 100644
--- a/scripts/audit_actions.ts
+++ b/scripts/audit_actions.ts
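Review bot: The `# v3` trailing comment on the new dorny/paths-filter pin names a floating major tag rather than the release the SHA was taken from, so a reader cannot verify the SHA against a tag without re-resolving it, and automated pin updaters that read that comment will keep tracking the moving `v3` tag; the same applies to the `# v2` and `# v3` comments in both release.yml hunks. Record the exact tag the SHA resolves to, e.g. `uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # <exact vX.Y.Z tag>`, and likewise for the softprops and peter-evans pins. The `actions/checkout@v4` context line stays tag-only, which matches the trusted-publisher policy described in the commit message, so nothing to change there. The `jobs:` step lists these lines belong to start outside each hunk.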
@@ -58,6 +58,7 @@ const TRUSTED_PUBLISHERS = new Set([
 "actions",
 "anthropics",
 "denoland",
+ "docker",
 "github",
 ]);
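Review bot: Adding `"docker"` to TRUSTED_PUBLISHERS widens the set of actions the audit accepts with mutable tag-only refs, but nothing next to the Set records what qualifies an owner for membership or that tag refs on these owners stay mutable, so the next entry will be added by analogy rather than by criterion. Add a comment above the declaration along the lines of `// Owners whose actions may be referenced by tag only; every other action must be pinned to a full commit SHA. Tag refs on these owners remain mutable, so add an owner only after reviewing how its account is controlled.` The membership test is outside the hunk; if it compares the owner segment exactly this entry is fine, but if it is a prefix or substring match, `docker` would also admit any owner name starting with that string, which is worth confirming. The `const TRUSTED_PUBLISHERS = new Set([` line itself precedes the hunk.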