From 2e72a129624f3666761f79444576e39c9c800c46 Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 28 Jun 2026 02:04:19 +0000 Subject: [PATCH] fix(security): pin GitHub Actions to commit SHAs Tag-pinned actions (including etils-actions/pypi-auto-publish@v1) can be silently redirected to malicious code. Pinning to SHA hashes ensures the action code is immutable and tamper-proof, preventing supply-chain attacks via `PYPI_API_TOKEN`. --- .github/workflows/ci-build.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml index ef96a42..97ab45b 100644 --- a/.github/workflows/ci-build.yml +++ b/.github/workflows/ci-build.yml @@ -19,13 +19,13 @@ jobs: python-version: ["3.11", "3.12", "3.13"] steps: - name: Cancel previous - uses: styfle/cancel-workflow-action@0.7.0 + uses: styfle/cancel-workflow-action@d7e57e26a6f753933f8ef746a37097a61375236b # 0.7.0 with: access_token: ${{ github.token }} if: ${{github.ref != 'refs/head/main'}} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ matrix.python-version }} - name: Install Xarray-Beam @@ -57,7 +57,7 @@ jobs: steps: # Publish the package (if local `__version__` > pip version) - - uses: etils-actions/pypi-auto-publish@v1 + - uses: etils-actions/pypi-auto-publish@e3c4b4afc3a5b12a44734da938741995538e8223 # v1 with: pypi-token: ${{ secrets.PYPI_API_TOKEN }} gh-token: ${{ secrets.GITHUB_TOKEN }}