From 0b0ecc96e718b4456d2161c7703c97f649de53ad Mon Sep 17 00:00:00 2001
From: Justin Paul
Date: Wed, 1 Jul 2026 19:42:51 -0400
Subject: [PATCH] Fix #12: pin CI actions to SHAs, container to digest, bound deps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Supply-chain hardening for the release pipeline:

- actions/checkout and softprops/action-gh-release pinned from floating major tags to commit SHAs (v4.2.2 / v2.2.1) — a moved tag can no longer inject code into the job that holds the release token.
- Linux/arm64 build container pinned by manifest-list digest (nikolaik/python-nodejs:python3.12-nodejs20@sha256:9ff0859…).
- requirements-gui.txt gains upper bounds so a breaking major (e.g. numpy 3, PySide6 7) can't silently change a release binary; current versions still satisfy, so no build change.

Deferred (noted on the issue): hash-verifying the Windows get-pip.py / embed-zip download — low value + fragile (get-pip.py isn't hash-stable) and that fallback path is dormant now that the runner has Python installed system-wide.

Closes #12

Co-Authored-By: Claude Opus 4.8 (1M context)
Claude-Session: https://claude.ai/code/session_016yT89n4zR4qbrySoSiEyZs
---
 .gitea/workflows/release.yml | 20 ++++++++++----------
 requirements-gui.txt | 10 ++++++----
 2 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 2eaf394..0d992a9 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
 windows:
 runs-on: windows-latest # self-hosted Windows runner (no Python preinstalled)
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Build OBDash.exe (PyInstaller)
 shell: pwsh
 run: |
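Review bot: The `# v4.2.2` comment after the checkout SHA is the only record of which upstream release the pin corresponds to, and nothing on the page shows the SHA was cross-checked against the upstream tag, so a reviewer has to take the mapping on trust; the same applies to the `# v2.2.1` comment on the action-gh-release pin in the hunks at -45, -69, -93 and -117, and to the checkout pin repeated at -56, -79 and -103. The `owner/action@<sha> # vX.Y.Z` form is the right one to keep, because update tooling such as Renovate reads that trailing comment to bump SHA and comment together, but nothing here stops a hand edit from changing one half only. Suggest a one-line header comment near the top of the workflow (outside these hunks) stating the rule: `# Actions are pinned to full commit SHAs; the trailing comment records the upstream tag — verify and bump both together`. The pin is also only half of the protection described in the commit message: the publish step still runs with whatever token the job holds, and the job's `permissions` are not visible in these hunks, so I can't tell from here how that token is scoped.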
@@ -45,7 +45,7 @@ jobs:
 (Get-FileHash OBDash-windows.exe -Algorithm SHA256).Hash.ToLower() + " OBDash-windows.exe" | Out-File -Encoding ascii OBDash-windows.exe.sha256
 - name: Publish to release
 if: startsWith(github.ref, 'refs/tags/')
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
 with:
 files: |
 OBDash-windows.exe
@@ -56,7 +56,7 @@ jobs:
 macos:
 runs-on: self-hosted-mac
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Build OBDash.app (PyInstaller)
 shell: bash
 run: |
@@ -69,7 +69,7 @@ jobs:
 shasum -a 256 OBDash-macos.zip > OBDash-macos.zip.sha256
 - name: Publish to release
 if: startsWith(github.ref, 'refs/tags/')
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
 with:
 files: |
 OBDash-macos.zip
@@ -79,9 +79,9 @@ jobs:
 linux-amd64:
 runs-on: docker # Linux x86_64 runner
- container: nikolaik/python-nodejs:python3.12-nodejs20 # has python+pip AND node (for checkout)
+ container: nikolaik/python-nodejs:python3.12-nodejs20@sha256:9ff0859871d1b3c382a39aa23d998929edaaefb31e6b3cb67f30d2f8c832db73 # has python+pip AND node (for checkout)
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Build OBDash (PyInstaller)
 shell: bash
 run: |
@@ -93,7 +93,7 @@ jobs:
 sha256sum OBDash-linux-x86_64 > OBDash-linux-x86_64.sha256
 - name: Publish to release
 if: startsWith(github.ref, 'refs/tags/')
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
 with:
 files: |
 OBDash-linux-x86_64
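Review bot: The digest on the `container:` line in the -79 hunk is the same value used for the arm64 job in the -103 hunk, which only works because (per the commit message) it is the multi-arch index digest rather than a single-platform manifest digest; the inline comment `# has python+pip AND node (for checkout)` does not say so, so a later reader who resolves the digest, sees a manifest list, and "corrects" it to the amd64 manifest digest would break the arm64 job. Suggest extending the comment on both lines to `# multi-arch index digest (amd64+arm64) — keep both jobs on the same value` and noting the image date or upstream version the digest was taken from so it can be bumped deliberately rather than by guesswork. Whether the Gitea runner honours a `tag@sha256:…` reference for `container:` is not visible here; it is worth confirming in a dry run before the next tag is pushed, since a pull that silently ignored the digest part would leave the tag floating exactly as before.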
@@ -103,9 +103,9 @@ jobs:
 linux-arm64:
 runs-on: arm64 # Raspberry Pi (aarch64) runner
- container: nikolaik/python-nodejs:python3.12-nodejs20 # multi-arch: pulls arm64
+ container: nikolaik/python-nodejs:python3.12-nodejs20@sha256:9ff0859871d1b3c382a39aa23d998929edaaefb31e6b3cb67f30d2f8c832db73 # multi-arch: pulls arm64
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Build OBDash (PyInstaller)
 shell: bash
 run: |
@@ -117,7 +117,7 @@ jobs:
 sha256sum OBDash-linux-aarch64 > OBDash-linux-aarch64.sha256
 - name: Publish to release
 if: startsWith(github.ref, 'refs/tags/')
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
 with:
 files: |
 OBDash-linux-aarch64
diff --git a/requirements-gui.txt b/requirements-gui.txt
index 657addd..0025070 100644
--- a/requirements-gui.txt
+++ b/requirements-gui.txt
@@ -1,7 +1,9 @@
 # GUI dependencies (cross-platform: Windows / macOS / Linux, incl. Apple Silicon)
 # pip install -r requirements-gui.txt
 # python run_gui.py
-PySide6>=6.6
-pyqtgraph>=0.13
-numpy>=1.24
-pyserial>=3.5
+# Upper bounds guard the release binaries against a surprise breaking major bump
+# while still resolving to wheels across the range. (bleak is optional — BLE only.)
+PySide6>=6.6,<7
+pyqtgraph>=0.13,<0.15
+numpy>=1.24,<3
+pyserial>=3.5,<4
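Review bot: The upper bounds in the requirements-gui.txt hunk narrow the resolver but still leave every version inside each range floating, so a newly published minor or patch release of any of the four packages (or a compromised one) will still change the next release binary with no diff in this file; for a release pipeline the stronger pin is a generated lock installed with `pip install --require-hashes`, with this file kept as the human-edited input to it. The new comment mentions `bleak` as optional, but no `bleak` line exists in this file, so a reader cannot tell where that dependency is declared; either drop the parenthetical or name the file that carries it. `pyqtgraph>=0.13,<0.15` is also deliberately tighter than the other bounds (two minors rather than a major), which is fine but deserves a word in the comment so the next editor does not "normalise" it to `<1`.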