From 54874f954ea9580bbc4c10258a36222b67fe3bfe Mon Sep 17 00:00:00 2001
From: laughingman7743
Date: Sun, 29 Mar 2026 23:23:21 +0900
Subject: [PATCH 1/2] Pin GitHub Actions to commit SHAs for supply chain security

Pin all GitHub Actions in workflow files to full commit hashes using pinact, mitigating supply chain attacks via mutable tags.

Also add a pinact CI workflow that automatically pins actions on PRs that modify workflow files, using a GitHub App for authentication.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/docs-trigger.yaml | 2 +-
 .github/workflows/docs.yaml | 10 +++++-----
 .github/workflows/pinact.yaml | 23 +++++++++++++++++++++++
 .github/workflows/release.yaml | 8 ++++----
 .github/workflows/test-suite.yaml | 8 ++++----
 5 files changed, 37 insertions(+), 14 deletions(-)
 create mode 100644 .github/workflows/pinact.yaml

diff --git a/.github/workflows/docs-trigger.yaml b/.github/workflows/docs-trigger.yaml
index db3523f1..6c016ba3 100644
--- a/.github/workflows/docs-trigger.yaml
+++ b/.github/workflows/docs-trigger.yaml
@@ -11,7 +11,7 @@ jobs:
 trigger-docs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
 with:
 script: |
 await github.rest.actions.createWorkflowDispatch({
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 4f534bbe..11faa4ce 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -21,12 +21,12 @@ jobs:
 PYTHON_VERSION: '3.12'
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0 # Fetch all history for sphinx-multiversion
 - name: Setup Pages
- uses: actions/configure-pages@v5
- - uses: astral-sh/setup-uv@v5
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
+ - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
 with:
 python-version: ${{ matrix.python-version }}
 enable-cache: true
@@ -34,7 +34,7 @@ jobs:
 uv sync --group dev
 make docs
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 with:
 path: './docs/_build/html'
 
@@ -47,4 +47,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/pinact.yaml b/.github/workflows/pinact.yaml
new file mode 100644
index 00000000..37a52b56
--- /dev/null
+++ b/.github/workflows/pinact.yaml
@@ -0,0 +1,23 @@
+name: Pinact
+
+on:
+ pull_request:
+ paths:
+ - '.github/workflows/**'
+ - 'action.yml'
+ - 'action.yaml'
+
+permissions:
+ contents: read
+
+jobs:
+ pinact:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+ - uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
+ with:
+ app_id: ${{ vars.BOT_APP_ID }}
+ app_private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c57860da..6597866d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
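Review bot: The new `pinact` job reads `secrets.BOT_APP_PRIVATE_KEY` inside a workflow triggered by `pull_request`, but GitHub does not expose repository secrets to `pull_request` runs coming from forks, so on a fork PR both App inputs are empty and the step presumably fails (or runs without any push rights) instead of pinning anything. Either gate the job on same-repo PRs, `if: github.event.pull_request.head.repo.full_name == github.repository`, or document in the workflow that fork PRs only get a pin check and the author must run pinact locally. Because the PR's own copy of this workflow executes with that long-lived App private key on same-repo branches, keep the App installation scoped to this repository with the minimum permissions pinact-action needs (presumably contents write; confirm against its README). Setting `persist-credentials: false` on the checkout is the right call, since the App token rather than `GITHUB_TOKEN` should be what pushes the fix-up commit.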
@@ -18,9 +18,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: astral-sh/setup-uv@v5 + - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: python-version: ${{ matrix.python-version }} enable-cache: true @@ -29,9 +29,9 @@ jobs: run: | uv build -v - name: Publish release distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 - name: Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 with: files: | dist/*.whl diff --git a/.github/workflows/test-suite.yaml b/.github/workflows/test-suite.yaml index 5c2a4599..cd80c3da 100644 --- a/.github/workflows/test-suite.yaml +++ b/.github/workflows/test-suite.yaml @@ -26,16 +26,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: astral-sh/setup-uv@v5 + - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2 with: python-version: ${{ matrix.python-version }} enable-cache: true # TODO: In the case of Python 3.13+, the following error occurs, so install Python using setup-python. # ../meson.build:44:2: ERROR: Problem encountered: Cannot compile # `Python.h`. Perhaps you need to install python-dev|python-devel - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} if: matrix.python-version == '3.13' || matrix.python-version == '3.14' 
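Review bot: The `# v1.13.0` and `# v2.6.1` trailers next to `pypa/gh-action-pypi-publish` and `softprops/action-gh-release` are unverified annotations — nothing in the diff shows that `ed0c5393…` and `153bb8e0…` actually resolve to those tags, and this is the workflow that publishes to PyPI, so a wrong or tampered pin here is the highest-impact mistake in the series. Verify each SHA against the tag before merging (pinact's verify mode if the installed version has it, or `git ls-remote --tags` on the action repository) and keep the comments accurate, since Dependabot and Renovate rely on them to bump SHA pins. Moving off the floating `release/v1` branch also means fixes to the publish action no longer arrive on their own; make sure a `github-actions` Dependabot or Renovate configuration exists, as none is visible in this patch.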
@@ -43,7 +43,7 @@ jobs: make tool - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: role-to-assume: arn:aws:iam::676287850544:role/github-actions-oidc-pyathena role-session-name: PyAthenaTestSession From 8ff34fb6d0e4ae85d661b21332ebd9b5f4ae0f69 Mon Sep 17 00:00:00 2001 From: laughingman7743 Date: Sun, 29 Mar 2026 23:50:59 +0900 Subject: [PATCH 2/2] Update pinact workflow path filters Remove root action.yml/action.yaml filters (not a composite action repo) and add .github/actions/** for local composite actions. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/pinact.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pinact.yaml b/.github/workflows/pinact.yaml index 37a52b56..8072ee89 100644 --- a/.github/workflows/pinact.yaml +++ b/.github/workflows/pinact.yaml @@ -4,8 +4,7 @@ on: pull_request: paths: - '.github/workflows/**' - - 'action.yml' - - 'action.yaml' + - '.github/actions/**' permissions: contents: read
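Review bot: `role-session-name: PyAthenaTestSession` is a constant, so every CI run's STS session looks identical in CloudTrail and cannot be traced back to a particular workflow run or PR; consider `role-session-name: pyathena-test-${{ github.run_id }}`, which stays within the session-name character set and 64-character limit. The hunk shows only the step, not the job's `permissions`, so I cannot confirm `id-token: write` is granted for the OIDC exchange; if it is not, the pinned action fails regardless of the SHA bump. The enclosing job continues outside the hunk.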