ci: SHA-pin all GitHub Actions and add CODEOWNERS (supply-chain hardening) #595

Merged: igerber merged 2 commits into main from ci/sha-pin-actions-codeowners, Jul 2, 2026

igerber (Owner) commented Jul 1, 2026

Summary

  • Pin every third-party GitHub Action across all workflows to a full commit SHA with a version comment (38 `uses:` sites). Dependabot's github-actions ecosystem understands SHA pins and will keep them current. Notably removes the two mutable branch refs: `pypa/gh-action-pypi-publish@release/v1` (the PyPI OIDC publish path) and `dtolnay/rust-toolchain@stable`.
  • Add explicit `toolchain: stable` to all five `dtolnay/rust-toolchain` call sites. That action infers the toolchain from its action ref (e.g. `@stable`), so pinning to a SHA without the explicit input would break toolchain resolution.
  • Add .github/CODEOWNERS mapping release/CI/build infrastructure (.github/, pyproject.toml, rust/) to @igerber so PRs touching those paths auto-request maintainer review. Advisory only - require_code_owner_reviews remains off.

No runtime behavior change to any workflow: same action versions resolve today, the Rust toolchain installed is unchanged (stable), and only local reusable-workflow refs (./.github/workflows/build-wheels.yml) remain unpinned, as required for local calls.

Methodology references (required if estimator / math changes)

  • Method name(s): N/A - no methodology changes
  • Paper / source link(s): N/A
  • Any intentional deviations from the source (and why): None

Validation

  • Tests added/updated: No test changes (CI configuration only)
  • Backtest / simulation / notebook evidence (if applicable): N/A. All 8 workflow files validated to parse as YAML; every pinned SHA resolved directly from the upstream repo's ref via the GitHub API at time of pinning.

Security / privacy

  • Confirm no secrets/PII in this PR: Yes

Generated with Claude Code

Supply-chain hardening for external contributions:

- Pin every third-party action across all workflows to a full commit
  SHA with a version comment. Dependabot's github-actions ecosystem
  understands SHA pins and keeps them current. Notably removes the two
  mutable *branch* refs: pypa/gh-action-pypi-publish@release/v1 (the
  PyPI OIDC publish path) and dtolnay/rust-toolchain@stable.
- Add explicit `toolchain: stable` to all five dtolnay/rust-toolchain
  call sites: that action infers the toolchain from its action ref, so
  a SHA pin without the input would break toolchain resolution.
- Add .github/CODEOWNERS mapping release/CI/build infrastructure
  (.github/, pyproject.toml, rust/) to @igerber so PRs touching those
  paths auto-request maintainer review. Advisory only;
  require_code_owner_reviews stays off.

No runtime behavior change to any workflow.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

github-actions Bot commented Jul 1, 2026

Overall Assessment

✅ Looks good. No unmitigated P0/P1 findings.

Executive Summary

  • No estimator, math, weighting, SE/variance, identification, or default-behavior changes are present.
  • Methodology registry/docstring cross-check found no affected method to validate.
  • All modified active workflow `uses:` references are pinned to 40-character SHA refs.
  • `dtolnay/rust-toolchain` call sites now pass `toolchain: stable`, preserving intended stable-toolchain behavior after SHA pinning.
  • CODEOWNERS is advisory and scoped to CI/build/release paths.

Methodology

No findings. The PR only changes .github/ workflow/CODEOWNERS files; no methodology registry entries, estimator code, result fields, inference helpers, or in-code references are modified.

Code Quality

No findings. The workflow edits are consistent and line-scoped, e.g. .github/workflows/build-wheels.yml:L43-L45 and .github/workflows/rust-test.yml:L84-L86.

Performance

No findings. CI action pinning and CODEOWNERS do not affect runtime library performance.

Maintainability

No findings. Version comments beside SHA pins improve maintainability for future action updates.

Tech Debt

No findings. No new deferred work is introduced.

Security

No findings. The PR improves supply-chain posture by replacing mutable third-party action refs with full SHA pins, including the PyPI publish action at .github/workflows/publish.yml:L31-L32.

Documentation/Tests

No findings. I validated the changed YAML shape with `git diff --check` and checked active workflow `uses:` refs for 40-character SHA pins. Upstream SHA-to-tag resolution was not independently verified in this read-only, restricted-network review environment.

igerber added the ready-for-ci label (Triggers CI test workflows) Jul 1, 2026
igerber assigned igerber and unassigned igerber Jul 1, 2026

The Pure Python Fallback CI leg runs the workflow-contract tests, which
asserted the old mutable-tag form:

- test_run_codex_uses_pinned_action now requires openai/codex-action at
  a full 40-hex commit SHA with a `# v1` version comment, so the
  contract still fails on a floating ref, a different action, or a
  major-version bump.
- _extract_open_pr_checkout_block now tolerates the trailing version
  comment after the checkout SHA pin.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

github-actions Bot commented Jul 1, 2026

🔁 AI review rerun (requested by @igerber)

Head SHA: d888c06ba170073903e2118010feddcefc3e987e


Overall Assessment

✅ Looks good. No unmitigated P0/P1 findings.

Executive Summary

  • No estimator, math, weighting, SE/variance, identification, or default behavior changes are present.
  • Methodology Registry cross-check found no affected method to validate.
  • Active workflow `uses:` references are SHA-pinned; local reusable workflow refs remain local as expected.
  • `dtolnay/rust-toolchain` call sites preserve `toolchain: stable` after SHA pinning.
  • Contract tests were updated to recognize SHA-pinned action syntax and inline version comments.

Methodology

No findings. The PR changes CI/CODEOWNERS and workflow contract tests only; no methodology registry entries, estimator code, docstrings, inference helpers, variance logic, or result fields are modified.

Code Quality

No findings. The test regex updates are scoped to the changed workflow syntax, including the Codex action SHA pin at tests/test_openai_review.py:L2521-L2532 and checkout lines with comments at tests/test_openai_review.py:L3358-L3372.

Performance

No findings. CI action pinning and CODEOWNERS do not affect runtime library performance.

Maintainability

No findings. Version comments beside SHA pins improve future update readability, e.g. .github/workflows/ai_pr_review.yml:L509-L520, .github/workflows/build-wheels.yml:L42-L45, and .github/workflows/rust-test.yml:L83-L86.

Tech Debt

No findings. No new deferred work is introduced.

Security

No findings. This improves supply-chain posture by pinning active third-party workflow actions to full commit SHAs, including the PyPI publish path at .github/workflows/publish.yml:L25-L32. CODEOWNERS is advisory and scoped to infrastructure paths at .github/CODEOWNERS:L5-L7.

Documentation/Tests

No findings. I could not run the pytest targets because pytest is not installed in this read-only review environment, but I directly validated the updated regexes against the workflow text and checked active `.github/workflows/*.yml` third-party `uses:` refs for 40-character SHA pins.

igerber merged commit d895ade into main Jul 2, 2026
31 checks passed
igerber deleted the ci/sha-pin-actions-codeowners branch July 2, 2026 11:25
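
An added example, not part of this PR or the project's own tests: one way to audit workflow text for the properties discussed in this thread. It flags third-party `uses:` refs that are not full 40-hex commit SHAs, SHA-pinned `dtolnay/rust-toolchain` steps that lack an explicit `toolchain` input, and pins without a version comment, while skipping local `./` refs. The function names, the placeholder SHA and the sample workflow are constructed for illustration.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<target>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
FAKE_SHA = "a" * 40  # constructed placeholder, not a real upstream commit

def step_has_input(lines, idx, key):
    """True if the step containing lines[idx] sets `key:` (e.g. under `with:`)."""
    key_indent = lines[idx].index("uses:")
    start = idx
    while start > 0 and not lines[start].lstrip().startswith("- "):
        start -= 1  # walk back to the "- " line that opens this step
    for line in lines[start + 1:]:
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and len(line) - len(line.lstrip()) < key_indent:
            break  # dedent: the next step or job begins
        if stripped.startswith(key + ":"):
            return True
    return False

def audit_workflow(text):
    """Return [(line_no, target, problem)] for each weak third-party `uses:` ref."""
    findings, lines = [], text.splitlines()
    for idx, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group("target").startswith("./"):
            continue  # not a uses: line, or a local ref that cannot carry a SHA
        target = m.group("target")
        action, _, ref = target.partition("@")
        if not FULL_SHA.fullmatch(ref):
            findings.append((idx + 1, target, "mutable ref"))
        elif action == "dtolnay/rust-toolchain" and not step_has_input(lines, idx, "toolchain"):
            findings.append((idx + 1, target, "no explicit toolchain input"))
        elif not m.group("comment"):
            findings.append((idx + 1, target, "no version comment"))
    return findings

# Constructed workflow text for illustration (not one of the project's files).
SAMPLE = f"""\
jobs:
  wheels:
    uses: ./.github/workflows/build-wheels.yml
  build:
    steps:
      - uses: dtolnay/rust-toolchain@stable
      - uses: dtolnay/rust-toolchain@{FAKE_SHA} # stable
      - uses: dtolnay/rust-toolchain@{FAKE_SHA} # stable
        with:
          toolchain: stable
      - uses: pypa/gh-action-pypi-publish@release/v1
"""
```

`audit_workflow(SAMPLE)` reports lines 6 and 11 as mutable refs and line 7 as a SHA pin missing the `toolchain` input; the check is line-based and does not verify that a SHA actually exists upstream.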