CI supply-chain: pin action SHAs + container digest, lock deps, verify get-pip #12

Closed
opened 2026-07-01 19:22:48 -04:00 by claude · 1 comment

From the review (realistic severity for a single-maintainer self-hosted project). .gitea/workflows/release.yml + requirements-gui.txt:

  • Floating action tags (actions/checkout@v4, actions/setup-python@v5, softprops/action-gh-release@v2 — the last runs with the release token in env) -> pin to commit SHAs.
  • Linux/arm64 builds run inside an unpinned third-party image nikolaik/python-nodejs:python3.12-nodejs20 -> pin by digest.
  • Release binaries built from unpinned PyPI deps (>= only) -> pin/lock.
  • Windows job downloads Python + get-pip over the internet with no hash check -> verify hashes.
claude added the tech-debt, P2, security labels 2026-07-01 19:22:48 -04:00
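As an added example (not the project's own code and not part of this issue), the following check implements the four review findings above as a small, dependency-free linter: it flags `uses:` references that are not pinned to a 40-hex commit SHA, container images referenced by tag rather than `@sha256:` digest, and requirement lines with neither an exact `==` pin nor an upper bound. The workflow and requirements excerpts are constructed to mirror the findings; the SHA and digest values in them are placeholders, not real commits or image digests.

```python
import re
from typing import Dict, List

# Constructed workflow excerpt modelled on the findings in this issue; it is
# not the project's real .gitea/workflows/release.yml. The 40-hex SHA and the
# sha256 digest below are placeholders, not real commits or image digests.
SAMPLE_WORKFLOW = """\
jobs:
  build-linux-arm64:
    runs-on: ubuntu-latest
    container: nikolaik/python-nodejs:python3.12-nodejs20
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
  release:
    runs-on: ubuntu-latest
    container:
      image: nikolaik/python-nodejs@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
"""

# Constructed requirements excerpt, not the project's requirements-gui.txt.
SAMPLE_REQUIREMENTS = """\
# GUI deps
PySide6>=6.6
requests>=2.31,<3
pyinstaller==6.3.0
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*(?:container|image):\s*([^\s#]+)")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+(\[[^\]]*\])?")  # package name plus optional [extras]


def find_floating_actions(workflow: str) -> List[str]:
    """Return `uses:` references not pinned to a full 40-hex commit SHA.

    A tag or branch (v4, main) can be moved by the action's maintainer, so a
    compromised upstream repo changes what the release job runs without any
    diff here. Local actions (./path) are skipped: they are versioned with
    the workflow itself. A reference with no '@' at all is reported too,
    since it resolves to the action's default branch.
    """
    floating: List[str] = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        _, _, version = ref.rpartition("@")
        if not COMMIT_SHA_RE.match(version):
            floating.append(ref)
    return floating


def find_undigested_images(workflow: str) -> List[str]:
    """Return `container:` / `image:` values referenced by tag only (no @sha256 digest).

    Matches both the scalar form `container: image:tag` and the mapping form
    `container:` / `  image: ...`; a bare `container:` line has no value and is ignored.
    """
    undigested: List[str] = []
    for line in workflow.splitlines():
        m = IMAGE_RE.match(line)
        if m and not DIGEST_RE.search(m.group(1)):
            undigested.append(m.group(1))
    return undigested


def find_unlocked_requirements(requirements: str) -> List[str]:
    """Return requirement lines with neither an exact pin nor an upper bound.

    `pkg>=1.0` alone admits any future release into the release build. An `==`
    pin (ideally with --hash), a `~=` compatible-release spec, or at least a `<`
    cap narrows that window. Comments and pip options (-r, --hash lines) are skipped.
    """
    unlocked: List[str] = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        spec = NAME_RE.sub("", line, count=1)
        if "==" in spec or "<" in spec or "~=" in spec or "--hash" in line:
            continue
        unlocked.append(line)
    return unlocked


def audit(workflow: str, requirements: str) -> Dict[str, List[str]]:
    """Run all three checks and group the findings by category."""
    return {
        "floating_actions": find_floating_actions(workflow),
        "undigested_images": find_undigested_images(workflow),
        "unlocked_requirements": find_unlocked_requirements(requirements),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_WORKFLOW, SAMPLE_REQUIREMENTS).items():
        print(f"{category}: {findings}")
```

On the constructed input the linter reports the three floating action tags, the tag-only arm64 image, and the `>=`-only requirement, and stays quiet on the SHA-pinned checkout, the digest-pinned image, and the bounded or exactly pinned requirements. Run it over the real files by reading them in place of the two sample strings; the regexes are line-based on purpose so the check needs no YAML parser and can sit in a pre-commit hook.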
Author

Closed in 0b0ecc9: pinned actions/checkout + softprops to commit SHAs, container to manifest-list digest, and added dependency upper bounds. Deferred (low value + fragile): hash-verifying the Windows get-pip.py / Python embed-zip download — get-pip.py is not hash-stable and that fallback path is dormant now that the Windows runner has Python installed system-wide. Reopen if we want to bootstrap Python hermetically in CI.

Reference: justin/obdash#12