Skip to content

ci: pin all Actions to SHA #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

ci: pin all Actions to SHA #102

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
8b7fa56
ci: harden Scorecard — publish results and pin actions by SHA
CoderDeltaLAN Sep 22, 2025
222162f
ci: fix Scorecard SARIF uploader ref
CoderDeltaLAN Sep 22, 2025
862c689
ci: enforce least-privilege GITHUB_TOKEN (permissions: contents: read)
CoderDeltaLAN Sep 22, 2025
d333966
ci: enforce least-privilege at root (permissions: contents: read) and…
CoderDeltaLAN Sep 22, 2025
634c637
build(docker): pin base image by digest for reproducible builds
CoderDeltaLAN Sep 22, 2025
186629d
ci: pin all GitHub Actions to immutable SHAs
CoderDeltaLAN Sep 22, 2025
be8801f
ci: fix malformed pinned action refs
CoderDeltaLAN Sep 22, 2025
df06b1b
ci: sign SBOM with Cosign (keyless) and attach sig+cert
CoderDeltaLAN Sep 22, 2025
31f3d6a
ci: disable PyPI publishing until explicit approval
CoderDeltaLAN Sep 22, 2025
d28268e
release: v0.1.8 — sync versions across PyPI/Release/Packages
CoderDeltaLAN Sep 22, 2025
b2f0910
ci: fix permissions for release workflows (attestations/id-token/cont…
CoderDeltaLAN Sep 22, 2025
25a9697
ci: pause all release workflows (no auto-publish)
CoderDeltaLAN Sep 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/fuzz.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/setup-nodeea5288caeca8642d1e84afbd3f7d6820020@v4
with: { node-version: "20" }
- run: npm ci
# Placeholder para fuzz real; mantener job verde
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/ghcr-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
steps:
- uses: actions/checkout@v5
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
- uses: docker/login-actionbdaa0721073962dff0199f1fb9940f07167d1@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand All @@ -24,7 +24,7 @@ jobs:
tags: |
type=raw,value=latest
type=ref,event=tag
- uses: docker/build-push-action@v6
- uses: docker/build-push-actiond21b8e681c14492fe198d362a7d2c83@v6
with:
context: .
push: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/labeler.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ jobs:
label:
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v6
- uses: actions/labeleredcd8ababfe52f92936142cc22ac488b1b@v6
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
sync-labels: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release-sbom.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,6 @@ jobs:
format: cyclonedx-json
output-file: sbom-cyclonedx.json
- name: Attach SBOM to release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-releasecbd405e2c4e67a21c47fa9e383d020e4e28b836@v2
with:
files: sbom-cyclonedx.json
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ jobs:
with:
results_file: results.sarif
results_format: sarif
publish_results: false
publish_results: true

- name: Upload SARIF to code scanning
uses: github/codeql-action/upload-sarif@v3
Expand Down
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,4 @@ _ci_redfix/
# local artifacts
_ci_local/
.tools/
_ci_diag/
1 change: 1 addition & 0 deletions .prettierignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,4 @@ poetry.lock

pnpm-lock.yaml
pnpm-lock.yaml
_ci_diag/
2 changes: 1 addition & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM busybox:stable-glibc
FROM busybox:stable-glibc@sha256:4a35a7836fe08f340a42e25c4ac5eef4439585bbbb817b7bd28b2cd87c742642
LABEL org.opencontainers.image.title="ci-matrix-starter"
LABEL org.opencontainers.image.description="Reusable GitHub Actions CI for Python/TypeScript with SBOM & optional signing"
LABEL org.opencontainers.image.source="https://github.com/CoderDeltaLAN/ci-matrix-starter"
Expand Down