ci(bluebuild): pin actions to node20-safe tags

forgejo-runner v6.4.0 javascript runtime is node20. Pin every javascript action used in the spike branch's workflows to the last release that ships node20. - actions/checkout v4 -> v4.1.7 (3 files) - softprops/action-gh-release v2 -> v2.0.4 (build-iso) - anchore/sbom-action v0 -> v0.17.2 - actions/attest-build-provenance v2 -> v2.2.3 - blue-build/github-action@v1 unchanged (TODO: SHA pin) This is the spike-branch counterpart of the main-branch fix in feat/runner-fix-docker-sock-and-node20. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Merge pull request 'ci(bluebuild): pin blue-build/github-action to commit SHA' (#6 ) from feat/a1-bluebuild-pin into v0.7-bluebuild-spike
2026-05-06 13:54:12 +01:00 · 2026-05-06 13:53:15 +01:00 · 2026-05-06 10:32:13 +01:00
1 changed files with 4 additions and 7 deletions
--- a/.github/workflows/build-bluebuild.yml
+++ b/.github/workflows/build-bluebuild.yml
@ -59,15 +59,12 @@ jobs:
          df -h

      # BlueBuild action wraps: image build, cosign sign (keyless via
-      # Sigstore), GHCR push. To pin to a commit SHA in a follow-up
-      # once the workflow shape stabilises (CI hardening agent 8,
-      # 2026-05-05 wave).
+      # Sigstore), GHCR push. Pinned to a commit SHA per CI hardening
+      # agent 8 (2026-05-05 wave). The trailing comment records the
+      # tag the SHA resolved from, so future bumps stay legible.
      - name: Build + push veilor-os OCI
        id: bluebuild
-        # TODO(infra): pin to specific node20-safe tag once confirmed. v1
-        # is the upstream-recommended floating tag; runner is currently on
-        # node20 so any recent v1.x SHA should still work.
-        uses: blue-build/github-action@v1
+        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1
        with:
          recipe: bluebuild/recipe.yml
          registry_token: ${{ secrets.GITHUB_TOKEN }}
Author	SHA1	Message	Date
claude-veilor-bot	04aa56a865	ci(bluebuild): pin actions to node20-safe tags Some checks failed Build veilor-os OCI (BlueBuild) / Build + sign + push OCI (pull_request) Failing after 0s Details Lint / Kickstart syntax (pull_request) Failing after 0s Details Lint / Shell scripts (pull_request) Failing after 0s Details Lint / No personal/onyx leaks (pull_request) Failing after 0s Details forgejo-runner v6.4.0 javascript runtime is node20. Pin every javascript action used in the spike branch's workflows to the last release that ships node20. - actions/checkout v4 -> v4.1.7 (3 files) - softprops/action-gh-release v2 -> v2.0.4 (build-iso) - anchore/sbom-action v0 -> v0.17.2 - actions/attest-build-provenance v2 -> v2.2.3 - blue-build/github-action@v1 unchanged (TODO: SHA pin) This is the spike-branch counterpart of the main-branch fix in feat/runner-fix-docker-sock-and-node20. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-06 13:54:12 +01:00
s8n-ru	420bc08ecd	Merge pull request 'ci(bluebuild): pin blue-build/github-action to commit SHA' (#6 ) from feat/a1-bluebuild-pin into v0.7-bluebuild-spike Some checks failed Build veilor-os OCI (BlueBuild) / Build + sign + push OCI (push) Failing after 0s Details	2026-05-06 13:53:15 +01:00
s8n-ru	4b80d06fde	ci(bluebuild): pin blue-build/github-action to commit SHA Some checks failed Build veilor-os OCI (BlueBuild) / Build + sign + push OCI (pull_request) Failing after 12s Details Lint / Kickstart syntax (pull_request) Failing after 2s Details Lint / Shell scripts (pull_request) Failing after 38s Details Lint / No personal/onyx leaks (pull_request) Failing after 35s Details Replace @v1 with @24d146df25adc2cf579e918efe2d9bff6adea408 (the commit v1 currently resolves to). Tag pins on third-party actions are mutable — a maintainer or attacker can re-point v1 at a malicious commit and silently change what runs on every push. Trailing comment '# v1' preserves human readability for future bumps. Refs: 9-agent CI hardening wave (agent 8), 2026-05-05.	2026-05-06 10:32:13 +01:00