From 56eb1bd630b88385d0d36171c171fafbb03730d0 Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 28 Jun 2026 02:15:22 +0000 Subject: [PATCH] fix(security): pin etils-actions/pypi-auto-publish and other Actions to SHAs Tag-pinned third-party actions (etils-actions/pypi-auto-publish@v1) in publish workflows can be redirected to malicious code. A compromised tag would execute with PYPI_API_TOKEN access, enabling a supply-chain attack on every downstream user. Pin to immutable commit SHA. --- .github/workflows/pytest_and_autopublish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pytest_and_autopublish.yml b/.github/workflows/pytest_and_autopublish.yml index 25e32f95..28e5d779 100644 --- a/.github/workflows/pytest_and_autopublish.yml +++ b/.github/workflows/pytest_and_autopublish.yml @@ -13,10 +13,10 @@ jobs: cancel-in-progress: true steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Install deps - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" # Uncomment to cache of pip dependencies (if tests too slow) @@ -61,7 +61,7 @@ jobs: steps: # Publish the package (if local `__version__` > pip version) - - uses: etils-actions/pypi-auto-publish@v1 + - uses: etils-actions/pypi-auto-publish@e3c4b4afc3a5b12a44734da938741995538e8223 # v1 with: pypi-token: ${{ secrets.PYPI_API_TOKEN }} gh-token: ${{ secrets.GITHUB_TOKEN }}