Merge fix/v0.19.1-supply-chain-release-yml — partial SHA-pin (release.yml only)
This commit is contained in:
Parfii-bot
commit
51715f2045
1 changed files with 26 additions and 15 deletions
41
.github/workflows/release.yml
vendored
41
.github/workflows/release.yml
vendored
|
|
@ -30,16 +30,20 @@ jobs:
|
|||
target: aarch64-apple-darwin
|
||||
experimental: false
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
# v0.19.1 supply-chain hardening (H5): all actions pinned by full
|
||||
# commit SHA; a floating tag like @v4 can be re-pointed by a
|
||||
# compromised maintainer (CVE-2025-30066 class). Version comment next
|
||||
# to each SHA is for human readability only — the SHA is load-bearing.
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Install Rust toolchain
|
||||
uses: dtolnay/rust-toolchain@stable
|
||||
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # rust 1.94.1 (dtolnay/rust-toolchain master)
|
||||
with:
|
||||
targets: ${{ matrix.target }}
|
||||
|
||||
- uses: Swatinem/rust-cache@v2
|
||||
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
|
||||
with:
|
||||
workspaces: _primitives/_rust
|
||||
|
||||
|
|
@ -90,7 +94,7 @@ jobs:
|
|||
echo "archive=$ARCHIVE" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: binaries-${{ matrix.target }}
|
||||
path: |
|
||||
|
|
@ -117,17 +121,22 @@ jobs:
|
|||
- { platform: darwin, arch: arm64, runner: macos-latest, bun_target: bun-darwin-arm64, ext: '' }
|
||||
- { platform: windows, arch: x64, runner: windows-latest, bun_target: bun-windows-x64, ext: '.exe' }
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||||
|
||||
- name: Install bun
|
||||
uses: oven-sh/setup-bun@v2
|
||||
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
|
||||
with:
|
||||
bun-version: latest
|
||||
|
||||
# v0.19.1 supply-chain hardening (H4): lockfile is REQUIRED — the
|
||||
# `|| bun install` fallback was removed so a missing bun.lock fails
|
||||
# the build instead of resolving deps fresh against the live npm
|
||||
# registry (tainted-binary window). bun.lock MUST be committed
|
||||
# before any release tag. See BUILD.md §Lockfile.
|
||||
- name: Install mcp-server deps
|
||||
shell: bash
|
||||
working-directory: _ts_packages/packages/mcp-server
|
||||
run: bun install --frozen-lockfile || bun install
|
||||
run: bun install --frozen-lockfile
|
||||
|
||||
- name: Compile single-binary
|
||||
shell: bash
|
||||
|
|
@ -158,7 +167,7 @@ jobs:
|
|||
cat "${BIN_NAME}.sha256"
|
||||
|
||||
- name: Upload artifact
|
||||
uses: actions/upload-artifact@v4
|
||||
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
|
||||
with:
|
||||
name: kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }}
|
||||
path: |
|
||||
|
|
@ -171,14 +180,14 @@ jobs:
|
|||
needs: [build-release, build-mcp-binary]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Install Rust toolchain
|
||||
uses: dtolnay/rust-toolchain@stable
|
||||
uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # rust 1.94.1 (dtolnay/rust-toolchain master)
|
||||
|
||||
- uses: Swatinem/rust-cache@v2
|
||||
- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
|
||||
with:
|
||||
workspaces: _primitives/_rust
|
||||
|
||||
|
|
@ -186,7 +195,7 @@ jobs:
|
|||
working-directory: _primitives/_rust
|
||||
run: cargo build --release -p kei-changelog
|
||||
|
||||
- uses: actions/download-artifact@v4
|
||||
- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
|
||||
with:
|
||||
path: dist/
|
||||
|
||||
|
|
@ -231,7 +240,9 @@ jobs:
|
|||
} >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Publish GitHub Release
|
||||
uses: softprops/action-gh-release@v2
|
||||
# HIGH priority pin: this action has `contents: write` — a compromised
|
||||
# tag would let an attacker publish arbitrary releases under this repo.
|
||||
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
|
||||
with:
|
||||
name: ${{ github.ref_name }}
|
||||
tag_name: ${{ github.ref_name }}
|
||||
|
|
@ -261,10 +272,10 @@ jobs:
|
|||
echo "::notice::NPM_TOKEN not set — skipping npm publish gracefully"
|
||||
fi
|
||||
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
|
||||
if: steps.have_token.outputs.present == '1'
|
||||
|
||||
- uses: actions/setup-node@v4
|
||||
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
|
||||
if: steps.have_token.outputs.present == '1'
|
||||
with:
|
||||
node-version: '20'
|
||||
|
|
|
|||
Loading…
Reference in a new issue