fix: supply chain hardening — pin actions, images, and fix secret logging (#499)

Merged: wshobson merged 1 commit into wshobson:main (Apr 26, 2026)
Commit message:

…ging

Supply chain:
- Pin GitHub Actions to stable releases instead of @master/@main: trivy-action@0.28.0, snyk@0.4.0, sonarcloud@v3, dependency-check@v6
- Update EOL actions: upload-artifact v3→v4, codeql/upload-sarif v2→v3, codecov v3→v4
- Pin container images to specific tags instead of :latest: kubectl:1.31, vault:1.17, prometheus:v3.2, jaeger:1.62, tempo:2.7, sonarqube:10.8-community, trivy:0.58.0, trufflehog:3.88, uv:0.6, temporalio auto-setup:1.26, temporalio ui:2.33

Security:
- Replace echo of secrets in CI examples with env var injection pattern (secrets-management SKILL.md)

Misc:
- Fix CRLF → LF line endings in deployment-engineer.md
Owner: Spot-checked the action and image pins (all real and current), and verified the deployment-engineer.md churn is purely CRLF→LF normalization with no hidden content edits. Solid cleanup — thanks for the thorough pass. Merging.
Summary

Comprehensive supply chain hardening across 15 plugin files. Supersedes #498.

- Pin @master/@main action refs to stable release tags
- Update EOL actions (upload-artifact@v3→@v4, codeql@v2→@v3)
- Pin :latest container images to specific version tags
- Normalize line endings in deployment-engineer.md

Changes

Actions pinned (supply chain risk)

- aquasecurity/trivy-action: @master → @0.28.0
- snyk/actions/node: @master → @0.4.0
- SonarSource/sonarcloud-github-action: @master → @v3
- dependency-check/Dependency-Check_Action: @main → @v6
- actions/upload-artifact: @v3 (EOL) → @v4
- github/codeql-action/upload-sarif: @v2 → @v3
- codecov/codecov-action: @v3 → @v4

Images pinned (reproducibility)

- bitnami/kubectl: :latest → :1.31
- prom/prometheus: :latest → :v3.2
- jaegertracing/all-in-one: :latest → :1.62
- grafana/tempo: :latest → :2.7
- vault: :latest → :1.17
- trufflesecurity/trufflehog: :latest → :3.88
- sonarqube: :latest → :10.8-community
- aquasec/trivy: :latest → :0.58.0
- ghcr.io/astral-sh/uv: :latest → :0.6
- temporalio/auto-setup: :latest → :1.26
- temporalio/ui: :latest → :2.33

Security fix

secrets-management/SKILL.md examples previously echoed secrets to CI logs:

Motivation

- @master/@main refs are mutable — a compromised upstream can inject malicious code (cf. tj-actions/changed-files compromise March 2025)
- upload-artifact@v3 reached EOL November 2024 and now returns errors
- :latest tags make builds non-reproducible and can break silently
- echo ${{ secrets.X }} teaches unsafe patterns that bypass log masking

Test plan

- Check for remaining @master or @main Action refs
- Check for remaining :latest in base images
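The three checks in the Motivation and Test plan sections (mutable action refs, floating image tags, and secrets echoed to the log) can be automated as a lint step. The following is an added example, not code from the PR or from the plugin repository: a regex line scanner over workflow-style YAML text. The WEAK and HARDENED fragments are constructed samples that mirror the before/after patterns the PR describes; the function names, the MUTABLE_REFS set and the optional require_sha mode are this example's own assumptions.

```python
"""Constructed lint for the three hardening points described in the PR.

Scans GitHub Actions workflow / compose-style YAML text line by line and
reports (a) action refs that point at mutable branch names, (b) container
images with no tag or the floating :latest tag, and (c) run steps that
echo a secret into the job log. It is a regex line scanner, not a YAML
parser, so it suits a CI lint job or pre-merge review rather than a
policy engine.
"""
import re
from dataclasses import dataclass

# Constructed sample fragments (not taken from the PR's files).
WEAK = """\
jobs:
  scan:
    container:
      image: bitnami/kubectl:latest
    steps:
      - uses: aquasecurity/trivy-action@master
      - uses: actions/upload-artifact@v3
      - run: echo ${{ secrets.API_TOKEN }} > token.txt
"""

HARDENED = """\
jobs:
  scan:
    container:
      image: bitnami/kubectl:1.31
    steps:
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: actions/upload-artifact@v4
      - run: ./deploy.sh        # reads API_TOKEN from the environment
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
"""

# Branch names treated as mutable refs (assumption: extend for your org's conventions).
MUTABLE_REFS = {"master", "main", "develop", "trunk", "HEAD"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s@#'\"]+)@([^\s'\"#]+)")
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^\s'\"#]+)")
SECRET_ECHO_RE = re.compile(r"\b(?:echo|printf)\b.*\$\{\{\s*secrets\.")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def image_is_floating(image: str) -> bool:
    """True when the image has no tag, uses :latest, or only carries a registry port."""
    if "@sha256:" in image:          # digest-pinned images are immutable
        return False
    _, sep, tag = image.rpartition(":")
    # "registry:5000/app" has a colon but no tag: the text after it contains a '/'
    return not sep or "/" in tag or tag == "latest"


def check_workflow(text: str, require_sha: bool = False) -> list[Finding]:
    """Return one Finding per problem line; require_sha also flags tag refs."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if ref in MUTABLE_REFS:
                findings.append(Finding(n, "mutable-ref", f"{action}@{ref}"))
            elif require_sha and not SHA_RE.match(ref):
                findings.append(Finding(n, "unpinned-sha", f"{action}@{ref}"))
        m = IMAGE_RE.match(line)
        if m and image_is_floating(m.group(1)):
            findings.append(Finding(n, "floating-image", m.group(1)))
        if SECRET_ECHO_RE.search(line):
            findings.append(Finding(n, "secret-echo", line.strip()))
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for f in check_workflow(doc):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

Release tags are also mutable: the tj-actions/changed-files incident the PR cites worked by moving existing version tags onto a malicious commit, so tag pinning removes the branch-tracking risk but not tag retargeting. Running the check with require_sha=True reports any non-SHA ref, which is the stricter policy for workflows that handle secrets.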