You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The action silently trusted ambient rss/reir on PATH and only failed on missing
capabilities, and the README used the mutable @main ref — too weak for a
supply-chain gate.
- Add fail-on-unknown / fail-on-excess inputs (default true) and pass them
(plus --allow-missing when fail-on-missing=false) to `reir report-pr`, so the
gate fails closed on absence-of-evidence and over-privilege, not just missing.
- The final gate now keys off the policy-aware status and runs when any
fail-on-* is enabled.
- Warn when falling back to ambient PATH binaries (not provenance-pinned);
building from the pinned action checkout stays the trusted path.
- README: pin to a release SHA (not @main), show the fail-closed defaults, and
add a "not a production enforcement gate yet" warning (independent
native/capability audit; author-declared bindings).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
# Ambient binaries are not provenance-pinned. For a protected gate, pin
60
+
# this action to a release SHA so the toolchain is built from that ref.
61
+
echo "::warning::Using rss/reir already on PATH. These are not provenance-pinned; pin this action to a release SHA for a trusted supply-chain gate ($(command -v rss), $(command -v reir))."
0 commit comments