CI supply-chain: pin action SHAs + container digest, lock deps, verify get-pip #12
From the review (realistic severity for a single-maintainer self-hosted project).
`.gitea/workflows/release.yml` + `requirements-gui.txt`:

- `actions/checkout@v4`, `actions/setup-python@v5`, `softprops/action-gh-release@v2` (the last runs with the release token in env) -> pin to commit SHAs.
- `nikolaik/python-nodejs:python3.12-nodejs20` -> pin by digest.
- Requirements (`>=` only) -> pin/lock.

Closed in 0b0ecc9: pinned actions/checkout + softprops to commit SHAs, container to manifest-list digest, and added dependency upper bounds. Deferred (low value + fragile): hash-verifying the Windows `get-pip.py` / Python embed-zip download — get-pip.py is not hash-stable and that fallback path is dormant now that the Windows runner has Python installed system-wide. Reopen if we want to bootstrap Python hermetically in CI.
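A stdlib-only audit that flags the mutable references this issue lists (tag-pinned `uses:` steps, a container image without a digest, `>=`-only requirement lines) so the same drift is caught before merge. This is an added example, not code from the project or from commit 0b0ecc9; the workflow fragments are constructed samples and the SHA/digest values are placeholders, not real pins.

```python
import re

# Constructed sample in the unpinned form the issue describes (not the project's real release.yml).
UNPINNED_WORKFLOW = """\
jobs:
  build:
    container:
      image: nikolaik/python-nodejs:python3.12-nodejs20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - uses: softprops/action-gh-release@v2
"""

# Same fragment pinned as the fix describes; SHA and digest are placeholders, not real pins.
SHA_PLACEHOLDER = "a" * 40
DIGEST_PLACEHOLDER = "0" * 64
PINNED_WORKFLOW = f"""\
jobs:
  build:
    container:
      image: nikolaik/python-nodejs@sha256:{DIGEST_PLACEHOLDER}
    steps:
      - uses: actions/checkout@{SHA_PLACEHOLDER}  # v4
      - uses: softprops/action-gh-release@{SHA_PLACEHOLDER}  # v2
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_workflow(text):
    """Return (line_no, message) for each mutable action or image reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):  # local/docker refs skipped
            if not FULL_SHA_RE.match(m.group(1).partition("@")[2]):
                findings.append((n, f"action not pinned to a commit SHA: {m.group(1)}"))
        m = IMAGE_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):
            findings.append((n, f"image not pinned by digest: {m.group(1)}"))
    return findings

def loose_requirements(text):
    """Requirement lines with only a lower bound (>=) and no ==, ~= or < cap."""
    specs = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    return [s for s in specs if ">=" in s and not any(o in s for o in ("<", "==", "~="))]
```

Run it over the real workflow and requirements files in a pre-merge job and fail on any finding; the `# v4` trailing comment keeps the human-readable version next to the SHA.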