ci: SHA-pin all GitHub Actions and add CODEOWNERS (supply-chain hardening)#595
Conversation
Supply-chain hardening for external contributions: - Pin every third-party action across all workflows to a full commit SHA with a version comment. Dependabot's github-actions ecosystem understands SHA pins and keeps them current. Notably removes the two mutable *branch* refs: pypa/gh-action-pypi-publish@release/v1 (the PyPI OIDC publish path) and dtolnay/rust-toolchain@stable. - Add explicit `toolchain: stable` to all five dtolnay/rust-toolchain call sites: that action infers the toolchain from its action ref, so a SHA pin without the input would break toolchain resolution. - Add .github/CODEOWNERS mapping release/CI/build infrastructure (.github/, pyproject.toml, rust/) to @igerber so PRs touching those paths auto-request maintainer review. Advisory only; require_code_owner_reviews stays off. No runtime behavior change to any workflow. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Overall Assessment ✅ Looks good. No unmitigated P0/P1 findings. Executive Summary
Methodology No findings. The PR only changes Code Quality No findings. The workflow edits are consistent and line-scoped, e.g. Performance No findings. CI action pinning and CODEOWNERS do not affect runtime library performance. Maintainability No findings. Version comments beside SHA pins improve maintainability for future action updates. Tech Debt No findings. No new deferred work is introduced. Security No findings. The PR improves supply-chain posture by replacing mutable third-party action refs with full SHA pins, including the PyPI publish action at Documentation/Tests No findings. I validated the changed YAML shape with |
The Pure Python Fallback CI leg runs the workflow-contract tests, which asserted the old mutable-tag form: - test_run_codex_uses_pinned_action now requires openai/codex-action at a full 40-hex commit SHA with a `# v1` version comment, so the contract still fails on a floating ref, a different action, or a major-version bump. - _extract_open_pr_checkout_block now tolerates the trailing version comment after the checkout SHA pin. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
🔁 AI review rerun (requested by @igerber) Head SHA: Overall Assessment ✅ Looks good. No unmitigated P0/P1 findings. Executive Summary
Methodology No findings. The PR changes CI/CODEOWNERS and workflow contract tests only; no methodology registry entries, estimator code, docstrings, inference helpers, variance logic, or result fields are modified. Code Quality No findings. The test regex updates are scoped to the changed workflow syntax, including the Codex action SHA pin at Performance No findings. CI action pinning and CODEOWNERS do not affect runtime library performance. Maintainability No findings. Version comments beside SHA pins improve future update readability, e.g. Tech Debt No findings. No new deferred work is introduced. Security No findings. This improves supply-chain posture by pinning active third-party workflow actions to full commit SHAs, including the PyPI publish path at Documentation/Tests No findings. I could not run the pytest targets because |
Summary
uses:sites). Dependabot'sgithub-actionsecosystem understands SHA pins and will keep them current. Notably removes the two mutable branch refs:pypa/gh-action-pypi-publish@release/v1(the PyPI OIDC publish path) anddtolnay/rust-toolchain@stable.toolchain: stableto all fivedtolnay/rust-toolchaincall sites. That action infers the toolchain from its action ref (e.g.@stable), so pinning to a SHA without the explicit input would break toolchain resolution..github/CODEOWNERSmapping release/CI/build infrastructure (.github/,pyproject.toml,rust/) to @igerber so PRs touching those paths auto-request maintainer review. Advisory only -require_code_owner_reviewsremains off.No runtime behavior change to any workflow: same action versions resolve today, the Rust toolchain installed is unchanged (
stable), and only local reusable-workflow refs (./.github/workflows/build-wheels.yml) remain unpinned, as required for local calls.Methodology references (required if estimator / math changes)
Validation
Security / privacy
Generated with Claude Code