From c27b626af76e2a0f967e3f48e7029ba2d6f99c22 Mon Sep 17 00:00:00 2001
From: Parfii-bot
Date: Wed, 22 Apr 2026 17:09:16 +0800
Subject: [PATCH] fix(v0.19.1): SHA-pin release.yml GitHub Actions + require bun.lock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Partial supply-chain hardening (rate-limited before completing).

release.yml (H5 — CVE-2025-30066 class defense):
- actions/checkout@34e114876b... (v4.3.1)
- dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
- Swatinem/rust-cache@c19371144... (v2.9.1)
- actions/upload-artifact@ea165f8d6... (v4.6.2)
- actions/download-artifact@
- oven-sh/setup-bun@0c5077e51... (v2.2.0)
- softprops/action-gh-release@

release.yml (H4 — reproducible build):
- Removed '|| bun install' fallback from build-mcp-binary job.
- bun.lock now REQUIRED — missing lockfile fails the build.

NOT YET DONE (deferred to follow-up agent):
- ci.yml same SHA-pinning (separate commit)
- .github/dependabot.yml (weekly SHA update PRs)
- _ts_packages/packages/mcp-server/bun.lock (placeholder commit)
- BUILD.md 'Lockfile' subsection
- CHANGELOG Security section under [Unreleased]

Co-Authored-By: Claude Opus 4.7 (1M context)
---
.github/workflows/release.yml | 41 ++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d4a3dbd..bede54f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,16 +30,20 @@ jobs: target: aarch64-apple-darwin experimental: false steps: - - uses: actions/checkout@v4 + # v0.19.1 supply-chain hardening (H5): all actions pinned by full + # commit SHA; a floating tag like @v4 can be re-pointed by a + # compromised maintainer (CVE-2025-30066 class). Version comment next + # to each SHA is for human readability only — the SHA is load-bearing. + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # rust 1.94.1 (dtolnay/rust-toolchain master) with: targets: ${{ matrix.target }} - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: workspaces: _primitives/_rust @@ -90,7 +94,7 @@ jobs: echo "archive=$ARCHIVE" >> "$GITHUB_OUTPUT" - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: binaries-${{ matrix.target }} path: | 
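Review bot: The `dtolnay/rust-toolchain` step in the `-30,16` hunk is now pinned to a commit but still passes no `toolchain:` input, and with this action the ref itself (`@stable` before the change) is what selected the toolchain. After the pin, what gets installed depends on which branch of the action that commit belongs to, and the trailing comment `rust 1.94.1 (dtolnay/rust-toolchain master)` names two different ones. If it is a `master` commit, the step likely has no default toolchain to fall back on; if it is a versioned-branch commit, the release build quietly moves from floating stable to a fixed compiler. Adding `toolchain: "1.94.1"` (or `toolchain: stable`, whichever is intended) under `with:` makes the choice explicit and independent of the SHA. The same applies to the toolchain step in the `-171,14` hunk (the job with `needs: [build-release, build-mcp-binary]`), which has no `with:` block at all.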
@@ -117,17 +121,22 @@ jobs: - { platform: darwin, arch: arm64, runner: macos-latest, bun_target: bun-darwin-arm64, ext: '' } - { platform: windows, arch: x64, runner: windows-latest, bun_target: bun-windows-x64, ext: '.exe' } steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0 with: bun-version: latest + # v0.19.1 supply-chain hardening (H4): lockfile is REQUIRED — the + # `|| bun install` fallback was removed so a missing bun.lock fails + # the build instead of resolving deps fresh against the live npm + # registry (tainted-binary window). bun.lock MUST be committed + # before any release tag. See BUILD.md §Lockfile. - name: Install mcp-server deps shell: bash working-directory: _ts_packages/packages/mcp-server - run: bun install --frozen-lockfile || bun install + run: bun install --frozen-lockfile - name: Compile single-binary shell: bash @@ -158,7 +167,7 @@ jobs: cat "${BIN_NAME}.sha256" - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }} path: | @@ -171,14 +180,14 @@ jobs: needs: [build-release, build-mcp-binary] runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # rust 1.94.1 (dtolnay/rust-toolchain master) - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 with: workspaces: _primitives/_rust 
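Review bot: `bun-version: latest` stays floating directly under the newly pinned `oven-sh/setup-bun` step in the `-117,17` hunk, so the bun binary that reads the lockfile and compiles the single-file release artifact is still chosen at run time. That leaves the H4 reproducible-build goal only half met: the action code is fixed but the tool it downloads is not. Pin it to the version the lockfile was generated with, e.g. `bun-version: "<pinned bun version>"`. Separately, the commit message lists `bun.lock` and the BUILD.md Lockfile subsection as not yet committed, so until they land `bun install --frozen-lockfile` is expected to fail this job and the `See BUILD.md §Lockfile` pointer in the new comment leads nowhere.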
@@ -186,7 +195,7 @@ jobs: working-directory: _primitives/_rust run: cargo build --release -p kei-changelog - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: dist/ @@ -231,7 +240,9 @@ jobs: } >> "$GITHUB_OUTPUT" - name: Publish GitHub Release - uses: softprops/action-gh-release@v2 + # HIGH priority pin: this action has `contents: write` — a compromised + # tag would let an attacker publish arbitrary releases under this repo. + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: name: ${{ github.ref_name }} tag_name: ${{ github.ref_name }} @@ -261,10 +272,10 @@ jobs: echo "::notice::NPM_TOKEN not set — skipping npm publish gracefully" fi - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 if: steps.have_token.outputs.present == '1' - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 if: steps.have_token.outputs.present == '1' with: node-version: '20'
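Review bot: The comment added above the `softprops/action-gh-release` pin in the `-231,7` hunk says the action runs with `contents: write`, but the `permissions:` declaration lies outside every hunk here, so it is not visible whether that scope is granted per job or for the whole workflow. If it is workflow-level, the build jobs, which run `bun install` and several third-party actions, receive the same write-capable token, and the SHA pin alone does not contain that. It is worth confirming that only the publishing job carries `permissions: contents: write` and the build jobs are limited to `contents: read`. A short comment next to that block naming the step that needs the write scope would keep it from drifting.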