From a21bc7285c03f1cc3bd2a982eab4a41a3d9ea18e Mon Sep 17 00:00:00 2001 From: XananasX7 Date: Sun, 28 Jun 2026 02:03:32 +0000 Subject: [PATCH] fix(security): pin GitHub Actions to commit SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tag-pinned actions can be silently redirected to malicious code. Pin each action to its immutable commit SHA: - actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5 - actions/setup-python@v5 → @a26af69be951a213d495a4c3e4e4022e16d87065 - etils-actions/pypi-auto-publish@v1 → @e3c4b4afc3a5b12a44734da938741995538e8223 The pypi-auto-publish action has PYPI_API_TOKEN; a compromised tag would enable a supply-chain attack on every downstream user of mediapy. --- .github/workflows/pytest_and_autopublish.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pytest_and_autopublish.yml b/.github/workflows/pytest_and_autopublish.yml index 9dc8110..2099183 100644 --- a/.github/workflows/pytest_and_autopublish.yml +++ b/.github/workflows/pytest_and_autopublish.yml @@ -19,14 +19,14 @@ jobs: python-version: ['3.10', '3.x'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - run: sudo apt-get update - run: sudo apt-get install -y ffmpeg # Install deps - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ matrix.python-version }} - run: pip --version @@ -53,7 +53,7 @@ jobs: steps: # Publish the package (if local `__version__` > pip version) - - uses: etils-actions/pypi-auto-publish@v1 + - uses: etils-actions/pypi-auto-publish@e3c4b4afc3a5b12a44734da938741995538e8223 # v1 with: pypi-token: ${{ secrets.PYPI_API_TOKEN }} gh-token: ${{ secrets.GITHUB_TOKEN }}