2 | 2 |
3 | 3 | All SwiftFloris release history is consolidated here. This replaces the former root-level `RELEASE_NOTES_v*.md` file-per-release pattern. |
4 | 4 |
| 5 | +<a id="v1.8.177"></a> |
| 6 | +## v1.8.177 |
| 7 | + |
| 8 | +Released: 2026-05-25 |
| 9 | + |
| 10 | +### Supply-chain hardening (RESEARCH_FEATURE_PLAN.md F19 + F20) |
| 11 | + |
| 12 | +The 2026-05-25 build/CI reconnaissance pass found that 7 of 8 GitHub Actions workflows used floating major-tag pins (e.g. `actions/checkout@v4`, `gradle/actions/setup-gradle@v4`, `reactivecircus/android-emulator-runner@v2`, `google/osv-scanner-action@v2.0.2`). A floating tag's underlying commit can be re-pointed by the action's owner after the fact; a compromise of any action's repo would re-point the tag at malicious code, and the next CI run on SwiftFloris would execute it. Only `crowdin-upload.yml` and `validate-strings-no-translations.yml` already SHA-pinned. Additionally, `release.yml`'s OSV-Scanner step downloaded the v2.0.2 binary via curl without SHA-256 verification — a CDN-level swap would similarly run unverified code on the runner. |
| 13 | + |
| 14 | +### Changes |
| 15 | + |
| 16 | +- **SHA-pinned every third-party action across all 8 workflows.** The mapping (each replacement is exact `action@tag` → `action@<sha> # tag`): |
| 17 | + - `actions/checkout@v4` → `@34e114876b0b11c390a56381ad16ebd13914f8d5` |
| 18 | + - `actions/setup-java@v4` → `@c1e323688fd81a25caa38c78aa6df2d33d3e20d9` |
| 19 | + - `actions/upload-artifact@v4` → `@ea165f8d65b6e75b540449e92b4886f43607fa02` |
| 20 | + - `actions/dependency-review-action@v4` → `@4901385134134e04cec5fbe5ddfe3b2c5bd5d976` |
| 21 | + - `gradle/actions/wrapper-validation@v4` → `@48b5f213c81028ace310571dc5ec0fbbca0b2947` |
| 22 | + - `gradle/actions/setup-gradle@v4` → `@48b5f213c81028ace310571dc5ec0fbbca0b2947` |
| 23 | + - `lukka/get-cmake@v4.0.2` → `@ea004816823209b8d1211e47b216185caee12cc5` |
| 24 | + - `google/osv-scanner-action/osv-scanner-action@v2.0.2` → `@e69cc6c86b31f1e7e23935bbe7031b50e51082de` |
| 25 | + - `reactivecircus/android-emulator-runner@v2` → `@e89f39f1abbbd05b1113a29cf4db69e7540cae5a` |
| 26 | + SHAs were resolved via `gh api repos/<owner>/<repo>/git/refs/tags/<tag>` against the live GitHub API on the run date; annotated tags were dereferenced one level to the underlying commit object. |
| 27 | +- **SHA-256-pinned the `osv-scanner` v2.0.2 binary in `.github/workflows/release.yml`.** Added an `OSV_BINARY_SHA256` env on the OSV scan step (value `3abcfd7126c453a00421487e721b296e0cb68085bd431d6cef60872774170fc8`); the step now runs `sha256sum` against the downloaded binary and refuses to execute on mismatch with a clear `::error::` message. A future bump to `v2.x.y` requires re-recording the digest alongside the URL bump. |
| 28 | + |
| 29 | +### Verification |
| 30 | + |
| 31 | +- `grep -rn "uses: [a-zA-Z0-9_/.-]\+@v" .github/workflows/` returns no matches (no unpinned actions remain at HEAD). |
| 32 | +- `grep -rn "uses: " .github/workflows/` returns 41 references, all carrying `@<sha> # <tag>` form. |
| 33 | +- `curl -sSL .../osv-scanner_linux_amd64 | sha256sum` was computed off-runner to confirm the env value: `3abcfd7126c453a00421487e721b296e0cb68085bd431d6cef60872774170fc8`. |
| 34 | +- `bash scripts/check-repo-hygiene.sh` → OK. |
| 35 | +- `bash scripts/check-fastlane-metadata.sh` → OK (versionCode 1977). |
| 36 | + |
| 37 | +### Bump guidance |
| 38 | + |
| 39 | +To bump an action across the project: |
| 40 | +1. Pick the new version tag. |
| 41 | +2. Resolve the commit SHA via `gh api repos/<owner>/<repo>/git/refs/tags/<tag>` (dereference annotated tags). |
| 42 | +3. Replace every occurrence of the old SHA with the new SHA; update the trailing `# vN.Y` comment to match. |
| 43 | +4. If the new tag changes major version, treat as a breaking change and run the workflow on a draft branch first. |
| 44 | + |
| 45 | +### Files Touched |
| 46 | + |
| 47 | +- `.github/workflows/android.yml` |
| 48 | +- `.github/workflows/dependency-scan.yml` |
| 49 | +- `.github/workflows/emulator-smoke.yml` |
| 50 | +- `.github/workflows/reproducible-build.yml` |
| 51 | +- `.github/workflows/release.yml` (SHA-pins + OSV binary verification) |
| 52 | +- `.github/workflows/roborazzi-baseline.yml` |
| 53 | +- `.github/workflows/crowdin-upload.yml` |
| 54 | +- `.github/workflows/validate-strings-no-translations.yml` |
| 55 | +- `fastlane/metadata/android/en-US/changelogs/1977.txt` (new) |
| 56 | +- `gradle.properties` (versionCode 1976→1977, versionName 1.8.176→1.8.177) |
| 57 | +- `README.md` (version badge) |
| 58 | +- `CHANGELOG.md` (this section) |
| 59 | +- `RESEARCH_FEATURE_PLAN.md` (tick F19 + F20) |
| 60 | + |
5 | 61 | <a id="v1.8.176"></a> |
6 | 62 | ## v1.8.176 |
7 | 63 |
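Review bot: the first Verification bullet, `grep -rn "uses: [a-zA-Z0-9_/.-]\+@v" .github/workflows/`, only shows that no `uses:` reference ends in a tag beginning with `v`; a branch pin such as `@main` or `@master`, or a tag without the `v` prefix, would pass it unnoticed, so "no unpinned actions remain at HEAD" is stronger than what the grep proves. An inverse check that flags any reference whose ref is not a 40-hex commit SHA is the tighter gate, for example `grep -rn 'uses: .*@' .github/workflows/ | grep -vE '@[0-9a-f]{40}'` returning nothing, and it pairs naturally with the second bullet's count of 41 references. Two smaller points in the same hunk: the Supply-chain hardening paragraph calls `google/osv-scanner-action@v2.0.2` (and, per the mapping, `lukka/get-cmake@v4.0.2`) "floating major-tag pins", but those are full version tags; they are still mutable, which is the actual problem, so "mutable tag pins" describes all eight replacements accurately. And the `OSV_BINARY_SHA256` value was recorded by downloading the same release URL the workflow fetches, so it only guards against substitution after the recording date; if the upstream release ships a checksum file, cross-check the digest against it and cite that source in the changelog rather than the off-runner curl alone.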
|
|