Skip to content

chore: supply-chain hardening — lockfile enforcement + action SHA pins#91

Open
oz-sayari wants to merge 1 commit intomainfrom
oz-limiting-package-age
Open

chore: supply-chain hardening — lockfile enforcement + action SHA pins#91
oz-sayari wants to merge 1 commit intomainfrom
oz-limiting-package-age

Conversation

@oz-sayari
Copy link
Copy Markdown

@oz-sayari oz-sayari commented Apr 8, 2026

Supply Chain Hardening

Automated supply-chain security controls applied by supply-chain-pr.py.

Changes made

  • main.yaml: SHA-pinned 5 actions to full commit hash
  • publish.yaml: SHA-pinned 3 actions to full commit hash

Python ecosystem changes

  • main.yaml: pip install .[dev] → uv pip install (+ cooldown)
  • main.yaml: pip install pre-commit → uv pip install (+ cooldown)
  • main.yaml: pip install build twine → uv pip install (+ cooldown)
  • main.yaml: astral-sh/setup-uv@v5 step injected
  • publish.yaml: pip install build --user → uv pip install (+ cooldown)
  • publish.yaml: astral-sh/setup-uv@v5 step injected

Migration note: pip install has been replaced with uv pip sync --exclude-newer as an immediate security shim. Full migration to a uv-managed lockfile (uv lock + uv sync --frozen) is recommended as a follow-up for stronger supply-chain guarantees.

Why these controls

Control Threat mitigated
Action SHA pins Prevents tag-hijack (ref: aquasecurity/trivy-action, Mar 2026)
UV_EXCLUDE_NEWER / renovate.json cooldown 7-day PyPI cooldown prevents same-day version compromise
uv sync --frozen / poetry install --no-update CI installs exact lockfile versions — no silent drift

Testing checklist

  • CI passes on this branch (green)
  • Python install/sync step succeeds with no version changes

Generated by supply-chain-pr.py — part of the dependency-security-policy rollout.

@oz-sayari
Copy link
Copy Markdown
Author

oz-sayari commented Apr 8, 2026

📋 Follow-up checklist

Posted automatically by supply-chain-pr.py. The changes in this PR are complete and safe to merge. The items below are recommended follow-ups to reach a higher security baseline.

🐍 Next step: migrate to a proper uv lockfile

This PR applies an immediate security shimpip install is now routed through uv pip sync --exclude-newer which adds the 7-day cooldown. However, there is no lockfile yet, so installs are still not fully reproducible. The recommended follow-up is to generate a uv.lock:

1 — Initialise uv (run once in the repo root)

uv init --no-workspace   # creates pyproject.toml if missing

2 — Import existing requirements

uv add --requirements requirements.txt

3 — Commit the lockfile

git add pyproject.toml uv.lock
git commit -m "chore: migrate to uv lockfile"

4 — Switch CI to strict lockfile mode (follow-up PR)
Replace the uv pip sync lines added by this PR with:

- run: uv sync --frozen

Once uv sync --frozen is in place you can remove requirements.txt — the lockfile becomes the source of truth.

@oz-sayari oz-sayari requested a review from Laerte April 8, 2026 19:17
@Laerte Laerte requested a review from JSPromisel April 8, 2026 19:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Laerte Laerte Laerte approved these changes

@JSPromisel JSPromisel Awaiting requested review from JSPromisel

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@oz-sayari @Laerte