Pin actions to SHAs and add zizmor CI#443
Merged
Merged
Conversation
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
bschwedler
force-pushed
the
security/sha-pinning-and-zizmor
branch
from
c13aba5 to
e832a0e
Compare
bschwedler
force-pushed
the
security/sha-pinning-and-zizmor
branch
from
c08a903 to
8add83d
Compare
bschwedler
force-pushed
the
security/sha-pinning-and-zizmor
branch
2 times, most recently
from
df68c38 to
3f3e7a9
Compare
2 tasks
Replace mutable version tags with full commit SHAs for all third-party GitHub Actions to prevent supply-chain attacks via tag mutation. Each pinned reference includes a version comment for readability. Internal posit-dev/images-shared/* refs are left unpinned since they are first-party actions under our control.
Add zizmor workflow security scanner as a CI job to detect common GitHub Actions misconfigurations and vulnerabilities. Uses SARIF output for GitHub security tab integration. A .github/zizmor.yml config allows ref-pinned refs for our own posit-dev/images-shared/* composite actions while requiring hash-pinning for all third-party actions.
Annotated git tags have their own object SHA distinct
from the commit they point to. GitHub Actions requires
the commit SHA. Dereference with ^{} to get the correct
value for actions/upload-artifact, astral-sh/setup-uv,
aws-actions/configure-aws-credentials, and
EnricoMi/publish-unit-test-result-action.
Major version tags (v6, v7) are mutable — they float forward with each release. Version comments must reference the exact release (v6.0.2, v7.6.0) so Dependabot can correctly identify and propose updates.
bschwedler
force-pushed
the
security/sha-pinning-and-zizmor
branch
from
3f3e7a9 to
4332983
Compare
A malicious PR could poison the uv cache and affect subsequent runs. Disable caching on both the test and release jobs — the ~10s install time is not worth the attack surface.
bschwedler
force-pushed
the
security/sha-pinning-and-zizmor
branch
from
4332983 to
1406831
Compare
bschwedler
added a commit
that referenced
this pull request
Apr 13, 2026
bakery-build-pr.yml was added in #442 but missed the SHA-pinning pass in #443. Pin all third-party actions to full-length commit SHAs matching bakery-build-native.yml, and add timeout-minutes to all three jobs (detect: 5m, matrix: 10m, build-test: 120m). - Upgrade oras-project/setup-oras from v1 to v2.0.0 for consistency with the native build workflow - First-party composite actions (setup-bakery, setup-goss) intentionally kept at @main per zizmor ref-pin policy
ianpittwood
pushed a commit
that referenced
this pull request
Apr 28, 2026
Completes the SHA pinning started in PR #443. The core build workflows (ci.yml, bakery-build-*.yml) were already pinned; this covers the auxiliary workflows that were missed: docs.yml, hadolint.yml, and the slack-build-notify composite action. Mutable git tags are the exact vector exploited in the tj-actions supply chain attack (Unit 42, March 2025) — attackers overwrote tags to point to malicious commits.
bschwedler
added a commit
that referenced
this pull request
Apr 28, 2026
Completes the SHA pinning started in PR #443. The core build workflows (ci.yml, bakery-build-*.yml) were already pinned; this covers the auxiliary workflows that were missed: docs.yml, hadolint.yml, and the slack-build-notify composite action. Mutable git tags are the exact vector exploited in the tj-actions supply chain attack (Unit 42, March 2025) — attackers overwrote tags to point to malicious commits.
bschwedler
added a commit
that referenced
this pull request
Apr 30, 2026
Completes the SHA pinning started in PR #443. The core build workflows (ci.yml, bakery-build-*.yml) were already pinned; this covers the auxiliary workflows that were missed: docs.yml, hadolint.yml, and the slack-build-notify composite action. Mutable git tags are the exact vector exploited in the tj-actions supply chain attack (Unit 42, March 2025) — attackers overwrote tags to point to malicious commits.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ci.ymlmatching Astral's pattern (zizmorcore/zizmor-action@v0.5.2).github/zizmor.ymlpolicy allowing ref-pinned first-party composite actions (posit-dev/images-shared/*@main) while enforcing hash-pinning for everything elseAddresses action pinning and static analysis gaps identified in rstudio/platform-team#435.
Test plan
uses:lines reference full 40-char SHAs