From 77873dc10427e2705a06f4d2a9bb30586d56af4e Mon Sep 17 00:00:00 2001 From: Patrick Kaeding Date: Mon, 23 Mar 2026 13:56:15 -0400 Subject: [PATCH 1/3] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule. --- .github/workflows/release-please.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index eb6d555..f0f1c68 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -47,7 +47,7 @@ jobs: package-server-ai-openai-released: ${{ steps.release.outputs['packages/ai-providers/server-ai-openai--release_created'] }} package-server-ai-openai-tag-name: ${{ steps.release.outputs['packages/ai-providers/server-ai-openai--tag_name'] }} steps: - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4 id: release release-server-ai: @@ -68,7 +68,7 @@ jobs: python-version: '3.11' - name: Install poetry - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 - uses: ./.github/actions/ci with: @@ -109,7 +109,7 @@ jobs: python-version: '3.11' - name: Install poetry - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 - uses: ./.github/actions/ci with: 
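Review bot: The annotation on the new release-please-action pin records only the floating major tag `# v4`, so a reviewer cannot verify the SHA against a specific upstream release without walking every v4.x tag. Annotate with the exact tag the SHA was resolved from, `- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.<x>.<y>  (placeholder: replace with the resolved tag)`, which is also the form SHA-aware update tooling reads to track the version.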
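Review bot: The trailing comment on the actions-poetry pin, `# 7b6d33e44b4f08d7021a1dee3c044e9c253d6439`, merely repeats the SHA and carries no information, whereas the rest of this change annotates each pin with the release it resolves to. Replace it with the upstream tag, `uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # <tag the SHA resolves to>`, or drop the comment if that tag is not known. The same duplicated-SHA comment appears in the hunks at -109, -146 and -215. Since the removed line was already pinned to this SHA, the only net effect of these four hunks is the comment, which presumably is why the Semgrep rule had not flagged them.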
@@ -146,7 +146,7 @@ jobs: python-version: '3.11' - name: Install poetry - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 - uses: ./.github/actions/ci with: @@ -178,7 +178,7 @@ jobs: actions: read # Needed for detecting the GitHub Actions environment. id-token: write # Needed for provenance signing. contents: write # Needed for uploading assets to the release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 with: base64-subjects: "${{ needs.release-server-ai.outputs.package-hashes }}" upload-assets: true @@ -191,7 +191,7 @@ jobs: actions: read # Needed for detecting the GitHub Actions environment. id-token: write # Needed for provenance signing. contents: write # Needed for uploading assets to the release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 with: base64-subjects: "${{ needs.release-server-ai-langchain.outputs.package-hashes }}" upload-assets: true @@ -215,7 +215,7 @@ jobs: python-version: '3.11' - name: Install poetry - uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 + uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # 7b6d33e44b4f08d7021a1dee3c044e9c253d6439 - uses: ./.github/actions/ci with: 
@@ -245,7 +245,7 @@ jobs: actions: read # Needed for detecting the GitHub Actions environment. id-token: write # Needed for provenance signing. contents: write # Needed for uploading assets to the release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 with: base64-subjects: "${{ needs.release-server-ai-openai.outputs.package-hashes }}" upload-assets: true From fa3b801e31e2c16f07d0ba7f7c4fd5c9f55fdea0 Mon Sep 17 00:00:00 2001 From: Patrick Kaeding Date: Mon, 23 Mar 2026 17:13:52 -0400 Subject: [PATCH 2/3] Apply suggestion from @pkaeding --- .github/workflows/release-please.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index f0f1c68..fd1fa84 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -178,7 +178,7 @@ jobs: actions: read # Needed for detecting the GitHub Actions environment. id-token: write # Needed for provenance signing. contents: write # Needed for uploading assets to the release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects: "${{ needs.release-server-ai.outputs.package-hashes }}" upload-assets: true From 18643107384306aee47616aef3eaa1bf46b0921f Mon Sep 17 00:00:00 2001 From: Patrick Kaeding Date: Mon, 23 Mar 2026 17:14:29 -0400 Subject: [PATCH 3/3] Apply suggestion from @pkaeding --- .github/workflows/release-please.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index fd1fa84..5169de5 100644 
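Review bot: After this revert and the matching one in PATCH 3/3 at -245, the three generator_generic_slsa3.yml calls no longer agree: the one at -191 from PATCH 1/3 (the provenance job consuming release-server-ai-langchain's package-hashes) is still pinned to `5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0` while the other two are back on `@v2.0.0`. If the reason for reverting is that the SLSA generator must be referenced by tag — to my knowledge its documentation does not support calling the reusable workflow by commit hash — then the -191 call should be reverted as well, otherwise the langchain provenance job is the one left at risk of failing. The reverted `@v2.0.0` lines will also be re-reported by the third-party-action-not-pinned-to-commit-sha rule named in the PATCH 1/3 message; record the exception next to each with the rule's full id as reported, `# nosemgrep: third-party-action-not-pinned-to-commit-sha -- slsa-github-generator must be referenced by tag`, so the finding is triaged rather than silently re-opened. The enclosing job definition starts outside the hunk.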
--- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -245,7 +245,7 @@ jobs: actions: read # Needed for detecting the GitHub Actions environment. id-token: write # Needed for provenance signing. contents: write # Needed for uploading assets to the release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects: "${{ needs.release-server-ai-openai.outputs.package-hashes }}" upload-assets: true