From e7c1e4bfab42f8e87b3560a1f185aa9d6ff4bb6f Mon Sep 17 00:00:00 2001 From: Steven Moy Date: Tue, 30 Jun 2026 11:14:54 -0700 Subject: [PATCH 1/2] Pin actions/checkout usage to avoid dependency confusion attack Signed-off-by: Steven Moy --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 816970cd..582cd3e4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,7 +42,7 @@ jobs: python-version: ["3.12", "3.13", "3.14"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up uv # Pinned to a full commit SHA (third-party action); comment tracks the tag. @@ -68,7 +68,7 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'pull_request' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 From 69a69bc7d6d10b65466b21bcd6d7f83785e17688 Mon Sep 17 00:00:00 2001 From: Steven Moy Date: Tue, 30 Jun 2026 11:20:19 -0700 Subject: [PATCH 2/2] Pin Docker file dependency to avoid dependency confusion Signed-off-by: Steven Moy --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 592e2eee..e185f882 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.12-slim-bookworm AS builder +FROM python:3.12-slim-bookworm@sha256:8a7e7cc04fd3e2bd787f7f24e22d5d119aa590d429b50c95dfe12b3abe52f48b AS builder WORKDIR /app COPY pyproject.toml README.md ./ @@ -6,7 +6,7 @@ COPY src/ src/ RUN python -m venv .venv RUN .venv/bin/pip install --no-cache-dir . -FROM python:3.12-slim-bookworm +FROM python:3.12-slim-bookworm@sha256:8a7e7cc04fd3e2bd787f7f24e22d5d119aa590d429b50c95dfe12b3abe52f48b RUN apt-get update \ && apt-get install --no-install-recommends -y git ca-certificates \