chore: supply-chain hardening — lockfile enforcement + action SHA pins #9

Open
oz-sayari wants to merge 1 commit into main from oz-limiting-package-age

@oz-sayari

Supply Chain Hardening

Automated supply-chain security controls applied by supply-chain-pr.py.

Changes made

  • publish_package.yml: SHA-pinned 3 actions to full commit hash
  • style.yml: SHA-pinned 3 actions to full commit hash
  • test.yml: SHA-pinned 2 actions to full commit hash

Python ecosystem changes

  • publish_package.yml: pip install build → uv pip install (+ cooldown)
  • publish_package.yml: astral-sh/setup-uv@v5 step injected
  • style.yml: pip install pre-commit → uv pip install (+ cooldown)
  • style.yml: astral-sh/setup-uv@v5 step injected

Migration note: pip install has been replaced with uv pip sync --exclude-newer as an immediate security shim. Full migration to a uv-managed lockfile (uv lock + uv sync --frozen) is recommended as a follow-up for stronger supply-chain guarantees.

Why these controls

| Control | Threat mitigated |
| --- | --- |
| Action SHA pins | Prevents tag-hijack (ref: aquasecurity/trivy-action, Mar 2026) |
| UV_EXCLUDE_NEWER / renovate.json cooldown | 7-day PyPI cooldown prevents same-day version compromise |
| uv sync --frozen / poetry install --no-update | CI installs exact lockfile versions — no silent drift |

Testing checklist

  • CI passes on this branch (green)
  • Python install/sync step succeeds with no version changes

Generated by supply-chain-pr.py — part of the dependency-security-policy rollout.

@oz-sayari
Author

📋 Follow-up checklist

Posted automatically by supply-chain-pr.py. The changes in this PR are complete and safe to merge. The items below are recommended follow-ups to reach a higher security baseline.

🐍 Next step: migrate to a proper uv lockfile

This PR applies an immediate security shim: pip install is now routed through uv pip sync --exclude-newer which adds the 7-day cooldown. However, there is no lockfile yet, so installs are still not fully reproducible. The recommended follow-up is to generate a uv.lock:

1 — Initialise uv (run once in the repo root)

uv init --no-workspace   # creates pyproject.toml if missing

2 — Import existing requirements

uv add --requirements requirements.txt

3 — Commit the lockfile

git add pyproject.toml uv.lock
git commit -m "chore: migrate to uv lockfile"

4 — Switch CI to strict lockfile mode (follow-up PR)
Replace the uv pip sync lines added by this PR with:

- run: uv sync --frozen

Once uv sync --frozen is in place you can remove requirements.txt — the lockfile becomes the source of truth.

@oz-sayari oz-sayari requested a review from nyoungstudios April 7, 2026 19:14