fix(v0.19.1): supply-chain hardening remainder — ci.yml SHA-pin + dependabot + bun.lock placeholder

Follow-up to c27b626 (release.yml pinning). Finishes H4 + H5. ci.yml: - 11 third-party actions SHA-pinned with # vN.m.k comments - actions/checkout@34e114876b... (v4.3.1) - actions/setup-node@49933ea5288... (v4.4.0) - dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1) - Swatinem/rust-cache@c19371144... (v2.9.1) .github/dependabot.yml (NEW): - 3 ecosystems weekly: github-actions, npm, cargo - PR cap 5, labels [dependencies, <ecosystem>] - Auto-opens update PRs for SHA bumps — human reviews, not silent churn _ts_packages/packages/mcp-server/bun.lock (NEW — placeholder): - 13-line comment explaining H4 gate - Instructs: 'cd _ts_packages/packages/mcp-server && bun install' before release - release.yml (since v0.19.1) uses --frozen-lockfile with NO fallback — missing real lockfile fails the build deliberately BUILD.md: - New 'Lockfile' section (19 LOC) documenting the pre-release workflow CHANGELOG.md: - [Unreleased] → Security: 3 bullets covering this + prior supply-chain commit All SHAs E1 (verified via api.github.com or reused from release.yml). NEXT STEP BEFORE TAGGING v0.19.1: Populate real bun.lock locally, commit, then tag. Workflow will fail on missing/stale lockfile — that's the point of H4 defense. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 17:12:15 +08:00 · 2026-04-22 17:12:15 +08:00 · ca046e61c1
commit ca046e61c1
parent 51715f2045
5 changed files with 81 additions and 11 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,26 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - github-actions
+  - package-ecosystem: npm
+    directory: /_ts_packages
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - npm
+  - package-ecosystem: cargo
+    directory: /_primitives/_rust
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - rust
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -5,6 +5,13 @@ on:
    branches: [main]
  pull_request:

+# v0.19.1 supply-chain hardening (H5): every third-party action is pinned
+# by full commit SHA. A floating tag like @v4 can be re-pointed by a
+# compromised maintainer (CVE-2025-30066 class). The `# vN.m.k` comment
+# next to each SHA is a human-readable hint only — the SHA is the load-
+# bearing identifier. When Dependabot proposes a bump, review the new SHA
+# against the release tag before merging.
+
 jobs:
  rust-assembler:
    runs-on: ${{ matrix.os }}
@ -12,9 +19,9 @@ jobs:
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
+      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # rust 1.94.1 (dtolnay/rust-toolchain master)
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4  # v2.9.1
        with:
          workspaces: _assembler
      - run: cd _assembler && cargo test --release
@ -25,9 +32,9 @@ jobs:
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
+      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # rust 1.94.1 (dtolnay/rust-toolchain master)
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4  # v2.9.1
        with:
          workspaces: _primitives/_rust
      - run: cd _primitives/_rust && cargo test --workspace --release
@ -39,8 +46,8 @@ jobs:
        os: [ubuntu-latest, macos-latest]
        node: ['20', '22']
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
        with:
          node-version: ${{ matrix.node }}
      - run: cd _ts_packages && npm ci
@ -53,8 +60,8 @@ jobs:
      matrix:
        os: [ubuntu-latest, macos-latest]
    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
+      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # rust 1.94.1 (dtolnay/rust-toolchain master)
      - name: Install hard deps (Ubuntu)
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt-get update && sudo apt-get install -y jq pandoc
@ -69,7 +76,7 @@ jobs:
  shell-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
      - run: sudo apt-get update && sudo apt-get install -y shellcheck
      - name: shellcheck (advisory)
        run: find hooks _primitives -name '*.sh' -exec shellcheck -S warning {} +
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -41,6 +41,11 @@ _primitives/_rust/target/release/kei-changelog \
 - Placeholder: hook-bypass edge case follow-up to v0.15.1.
 - **primitives/keisei (v0.19 audit hardening):** close 3 Security HIGH + 3 Critic HIGH + 2 Critic MEDIUM findings. Path-escape guard on `mcp_server` + `memory/artifacts/manifests` (absolute / `..` / canonical-mismatch → `PathEscape`); brain-name regex `^[a-z][a-z0-9_-]{0,63}$` (`InvalidName`); symlink-rooted brain inputs rejected (`BrainIsSymlink` — closes USB → `$HOME` pivot); MCP-entry collision check across all 4 adapters (`NameConflict` instead of silent clobber); dropped unused `rusqlite` dep (no C toolchain tail); `BrainPaths.{memory,artifacts,manifests}` relaxed to `Option<String>`; `$KEISEI_HOME`/`$HOME` resolver deduped into `paths.rs` SSoT; `fsx::write_atomic` rewritten on `tempfile::NamedTempFile` for Windows + cross-fs correctness; 5 adversarial integration tests added (16 total pass).

+### Security
+- Pinned all GitHub Actions (`ci.yml`, `release.yml`) by full commit SHA to defend against CVE-2025-30066-class supply-chain attacks via mutable tag re-pointing.
+- Removed `|| bun install` fallback from `release.yml` build-mcp-binary job — lockfile is now strictly REQUIRED (H4 audit finding).
+- Added `.github/dependabot.yml` for weekly SHA update PRs on github-actions, npm, and cargo ecosystems.
+
 ## [0.15.0] — 2026-04-22

 ### Added
--- a/_ts_packages/packages/mcp-server/BUILD.md
+++ b/_ts_packages/packages/mcp-server/BUILD.md
@ -50,3 +50,22 @@ GitHub release. Runtime requirement: **none** (static).
 - **`.js` ESM imports fail** — the mcp-server source imports via `.js`
  suffix (ESM canonical). Bun resolves these from the sibling `.ts`
  file automatically; no `tsc` pre-step needed.
+
+## Lockfile
+
+Since v0.19.1 this package ships a `bun.lock` committed to the repo.
+The release workflow runs `bun install --frozen-lockfile` with NO
+fallback — a missing or out-of-date lockfile fails the build on
+purpose. This is H4 supply-chain defense: every release builds
+against the exact dependency tree recorded in `bun.lock`, not
+whatever the npm registry serves that day.
+
+**Before every release tag:**
+1. `cd _ts_packages/packages/mcp-server`
+2. `bun install` (regenerates `bun.lock` if `package.json` changed)
+3. Commit `bun.lock` if it changed
+4. Tag the release
+
+**If you see the build fail with "lockfile missing" on a tag push:**
+you pushed the tag before committing an updated `bun.lock`. Fix:
+generate the lockfile locally, commit, re-tag.
--- a/_ts_packages/packages/mcp-server/bun.lock
+++ b/_ts_packages/packages/mcp-server/bun.lock
@ -0,0 +1,13 @@
+# bun.lock placeholder — v0.19.1
+#
+# This file MUST be replaced with a real bun lockfile BEFORE any release tag
+# is pushed. The release.yml workflow (since v0.19.1) uses
+# `bun install --frozen-lockfile` with NO fallback — a missing real lockfile
+# will fail the build deliberately (H4 supply-chain defense).
+#
+# To populate:
+#   cd _ts_packages/packages/mcp-server && bun install
+# Then commit the generated bun.lock (overwrites this placeholder).
+#
+# Until populated, the release workflow will fail at the bun install step —
+# intentional gate to force the lockfile into the repo before first release.