ci(bluebuild): pin blue-build/github-action to commit SHA #6

Merged
s8n merged 1 commit from feat/a1-bluebuild-pin into v0.7-bluebuild-spike 2026-05-06 13:53:16 +01:00
Owner

Summary

Pin blue-build/github-action from the mutable tag @v1 to the commit
SHA 24d146df25adc2cf579e918efe2d9bff6adea408 (which v1 currently
resolves to). Tag pins on third-party actions are mutable — a maintainer
or attacker can re-point v1 at a malicious commit and silently change
what runs on every push.

The trailing # v1 comment preserves human readability for future bumps.

Provenance

$ curl -s "https://api.github.com/repos/blue-build/github-action/git/refs/tags/v1"
  -> annotated tag SHA = 8eadc6f365abfd10d6aaabfe2d015f20206396e9
$ curl -s "https://api.github.com/repos/blue-build/github-action/git/tags/8eadc..."
  -> commit object SHA = 24d146df25adc2cf579e918efe2d9bff6adea408 (2026-03-06)

Refs: 9-agent CI hardening wave (agent 8), 2026-05-05.

Out of scope (blocker found while testing)

The first run on the Forgejo runner failed before reaching the BlueBuild
action — actions/checkout@v4 declares runs.using: node24 which the
bundled act runtime in forgejo/runner:6.4.0 does not support (only up
to node20). That is a runner-version problem and needs operator action
(upgrade the runner or pin checkout to a node20-era v4.x). Not addressed
in this PR.

Test plan

  • After operator upgrades the runner / pins checkout, re-trigger this workflow and confirm BlueBuild succeeds with the SHA-pinned action.
  • Confirm cosign keyless signing still works (no behavioural change expected from a SHA pin alone).

🤖 Generated with Claude Code

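The description above does two things by hand: it dereferences the `v1` tag through the GitHub API (annotated tag object first, then the commit it wraps) and it rewrites the `uses:` line to the resulting SHA with a trailing `# v1` comment. The script below is an added example, not code from this PR or from the veilor-os repository, that automates both steps and also audits a workflow for any remaining tag-pinned third-party actions. The workflow text and the two API responses are constructed stand-ins (the response shape, `object.type` / `object.sha`, follows the GitHub `git/refs` and `git/tags` endpoints; only the SHAs are the ones quoted in the PR). It runs offline on that sample input.

```python
import re

# Constructed sample workflow, not the project's real workflow file.
SAMPLE_WORKFLOW = """\
name: Build veilor-os OCI (BlueBuild)
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: blue-build/github-action@v1
      - uses: ./.forgejo/actions/local-thing
"""

# Constructed stand-ins for the two API responses quoted in the PR's provenance
# section. GET git/refs/tags/v1 on an annotated tag returns a *tag object*, and
# GET git/tags/<sha> on that object returns the commit it points at.
SAMPLE_REFS_TAG = {
    "ref": "refs/tags/v1",
    "object": {"type": "tag", "sha": "8eadc6f365abfd10d6aaabfe2d015f20206396e9"},
}
SAMPLE_TAG_OBJECT = {
    "tag": "v1",
    "object": {"type": "commit", "sha": "24d146df25adc2cf579e918efe2d9bff6adea408"},
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# prefix, action, ref, optional trailing comment. Local (./) and docker:// steps
# carry no "@ref" and therefore never match, which is the intended behaviour.
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s@#]+)@([^\s#]+)(\s*#.*)?$")


def is_sha_pinned(ref):
    """True only for a full 40-hex commit SHA; tags and branches are mutable."""
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every uses: step not pinned to a SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_sha_pinned(m.group(3)):
            findings.append((n, m.group(2), m.group(3)))
    return findings


def resolve_tag(refs_response, tag_object_response=None):
    """Dereference a tag ref to the commit SHA it currently resolves to.

    A lightweight tag points straight at a commit. An annotated tag points at a
    tag object, which must be fetched separately and dereferenced again; pinning
    to the tag object's SHA instead of the commit SHA would be the wrong value.
    """
    obj = refs_response["object"]
    if obj["type"] == "commit":
        return obj["sha"]
    if obj["type"] == "tag":
        if tag_object_response is None:
            raise ValueError("annotated tag: fetch git/tags/<sha> and pass it in")
        inner = tag_object_response["object"]
        if inner["type"] != "commit":
            raise ValueError(f"unexpected nested object type {inner['type']!r}")
        return inner["sha"]
    raise ValueError(f"unsupported ref object type {obj['type']!r}")


def pin_action(workflow_text, action, sha):
    """Rewrite 'uses: <action>@<tag>' to '<action>@<sha> # <tag>' for one action."""
    if not is_sha_pinned(sha):
        raise ValueError("refusing to pin to something that is not a commit SHA")
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group(2) == action and not is_sha_pinned(m.group(3)):
            prefix, _, tag, _ = m.groups()
            line = f"{prefix}{action}@{sha} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action} pinned to mutable ref {ref!r}")
    commit = resolve_tag(SAMPLE_REFS_TAG, SAMPLE_TAG_OBJECT)
    print(pin_action(SAMPLE_WORKFLOW, "blue-build/github-action", commit))
```

Run the audit in CI against every workflow file so a future bump back to `@v1` fails the check rather than silently reintroducing the mutable pin; the `actions/checkout@v4` finding is left in the sample on purpose, matching the PR's note that checkout is out of scope here.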
s8n added 1 commit 2026-05-06 10:40:10 +01:00
ci(bluebuild): pin blue-build/github-action to commit SHA
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + sign + push OCI (pull_request) Failing after 12s
Lint / Kickstart syntax (pull_request) Failing after 2s
Lint / Shell scripts (pull_request) Failing after 38s
Lint / No personal/onyx leaks (pull_request) Failing after 35s
4b80d06fde
Replace @v1 with @24d146df25adc2cf579e918efe2d9bff6adea408 (the commit
v1 currently resolves to). Tag pins on third-party actions are mutable
— a maintainer or attacker can re-point v1 at a malicious commit and
silently change what runs on every push.

Trailing comment '# v1' preserves human readability for future bumps.

Refs: 9-agent CI hardening wave (agent 8), 2026-05-05.
s8n merged commit 420bc08ecd into v0.7-bluebuild-spike 2026-05-06 13:53:16 +01:00
Reference: veilor-org/veilor-os#6