fix(v0.19.1): SHA-pin release.yml GitHub Actions + require bun.lock

Partial supply-chain hardening (rate-limited before completing). release.yml (H5 — CVE-2025-30066 class defense): - actions/checkout@34e114876b... (v4.3.1) - dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1) - Swatinem/rust-cache@c19371144... (v2.9.1) - actions/upload-artifact@ea165f8d6... (v4.6.2) - actions/download-artifact@<pinned> - oven-sh/setup-bun@0c5077e51... (v2.2.0) - softprops/action-gh-release@<pinned> release.yml (H4 — reproducible build): - Removed '|| bun install' fallback from build-mcp-binary job. - bun.lock now REQUIRED — missing lockfile fails the build. NOT YET DONE (deferred to follow-up agent): - ci.yml same SHA-pinning (separate commit) - .github/dependabot.yml (weekly SHA update PRs) - _ts_packages/packages/mcp-server/bun.lock (placeholder commit) - BUILD.md 'Lockfile' subsection - CHANGELOG Security section under [Unreleased] Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 17:09:16 +08:00 · 2026-04-22 17:09:16 +08:00 · c27b626af7
commit c27b626af7
parent 3db30a7084
1 changed files with 26 additions and 15 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -30,16 +30,20 @@ jobs:
            target: aarch64-apple-darwin
            experimental: false
    steps:
-      - uses: actions/checkout@v4
+      # v0.19.1 supply-chain hardening (H5): all actions pinned by full
+      # commit SHA; a floating tag like @v4 can be re-pointed by a
+      # compromised maintainer (CVE-2025-30066 class). Version comment next
+      # to each SHA is for human readability only — the SHA is load-bearing.
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          fetch-depth: 0

      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # rust 1.94.1 (dtolnay/rust-toolchain master)
        with:
          targets: ${{ matrix.target }}

-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4  # v2.9.1
        with:
          workspaces: _primitives/_rust

@ -90,7 +94,7 @@ jobs:
          echo "archive=$ARCHIVE" >> "$GITHUB_OUTPUT"

      - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
        with:
          name: binaries-${{ matrix.target }}
          path: |
@ -117,17 +121,22 @@ jobs:
          - { platform: darwin,  arch: arm64, runner: macos-latest,     bun_target: bun-darwin-arm64, ext: '' }
          - { platform: windows, arch: x64,   runner: windows-latest,   bun_target: bun-windows-x64,  ext: '.exe' }
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1

      - name: Install bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6  # v2.2.0
        with:
          bun-version: latest

+      # v0.19.1 supply-chain hardening (H4): lockfile is REQUIRED — the
+      # `|| bun install` fallback was removed so a missing bun.lock fails
+      # the build instead of resolving deps fresh against the live npm
+      # registry (tainted-binary window). bun.lock MUST be committed
+      # before any release tag. See BUILD.md §Lockfile.
      - name: Install mcp-server deps
        shell: bash
        working-directory: _ts_packages/packages/mcp-server
-        run: bun install --frozen-lockfile || bun install
+        run: bun install --frozen-lockfile

      - name: Compile single-binary
        shell: bash
@ -158,7 +167,7 @@ jobs:
          cat "${BIN_NAME}.sha256"

      - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
        with:
          name: kei-mcp-server-${{ matrix.target.platform }}-${{ matrix.target.arch }}
          path: |
@ -171,14 +180,14 @@ jobs:
    needs: [build-release, build-mcp-binary]
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          fetch-depth: 0

      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # rust 1.94.1 (dtolnay/rust-toolchain master)

-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4  # v2.9.1
        with:
          workspaces: _primitives/_rust

@ -186,7 +195,7 @@ jobs:
        working-directory: _primitives/_rust
        run: cargo build --release -p kei-changelog

-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
        with:
          path: dist/

@ -231,7 +240,9 @@ jobs:
          } >> "$GITHUB_OUTPUT"

      - name: Publish GitHub Release
-        uses: softprops/action-gh-release@v2
+        # HIGH priority pin: this action has `contents: write` — a compromised
+        # tag would let an attacker publish arbitrary releases under this repo.
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65  # v2.6.2
        with:
          name: ${{ github.ref_name }}
          tag_name: ${{ github.ref_name }}
@ -261,10 +272,10 @@ jobs:
            echo "::notice::NPM_TOKEN not set — skipping npm publish gracefully"
          fi

-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        if: steps.have_token.outputs.present == '1'

-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
        if: steps.have_token.outputs.present == '1'
        with:
          node-version: '20'