Skip to content

fix(ci): SHA-pin actions to satisfy org policy (clears startup_failure) + pin guard#5

Open
rayketcham wants to merge 2 commits into
mainfrom
fix/ci-sha-pin
Open

fix(ci): SHA-pin actions to satisfy org policy (clears startup_failure) + pin guard#5
rayketcham wants to merge 2 commits into
mainfrom
fix/ci-sha-pin

Conversation

@rayketcham

Copy link
Copy Markdown
Collaborator

Root cause: the org enforces sha_pinning_required=true, but ci.yml pinned actions by tag (actions/checkout@v4, actions/setup-python@v5). GitHub rejects tag-pinned actions before any job starts, so every run was a startup_failure (main too - the old green predates the 2026-04-16 org hardening).

Fix: pin actions/checkout to 11bd719 (v4.2.2) and actions/setup-python to 0b93645 (v5.3.0), all 5 occurrences.

Reciprocal guard: new workflow-lint job fails the build if any uses: in .github/workflows is not pinned to a 40-char commit SHA.

Deferred (intentionally NOT here): the lint (ruff) job keeps continue-on-error and the security job is warn-only - both fake-green. Enforcing them needs care: the secret / dangerous-function greps currently match benign honeypot code (LDAP password= capture, a _handle_exec Docker emulation, os.urandom secret, SQL token= clause), so flipping to exit 1 as-is would red CI on false positives. That hardening is a separate focused change; this PR avoids a 40-file ruff reformat to keep the startup_failure fix reviewable.

Generated with Claude Code

rayketcham and others added 2 commits June 29, 2026 06:00
…e) + pin guard

CI startup_failed because actions were tag-pinned (@v4/@v5) while the org enforces sha_pinning_required - GitHub rejects tag pins before any job starts. Pinned actions/checkout (v4.2.2) and actions/setup-python (v5.3.0) to commit SHAs, and added a workflow-lint job that fails if any uses: is not SHA-pinned.

Co-Authored-By: Claude <noreply@anthropic.com>
The workflow-lint guard greps for uses:...@ across .github/workflows and matched the literal regex text inside its own grep command. Anchored the pattern to real YAML uses: keys (optionally after a dash) so it only inspects actual action references.

Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant