Skip to content

Harden release workflow: pin actions, split build/publish, add Dependabot#225

Open
temporaer wants to merge 2 commits into
microsoft:mainfrom
temporaer:pin-actions-sha
Open

Harden release workflow: pin actions, split build/publish, add Dependabot#225
temporaer wants to merge 2 commits into
microsoft:mainfrom
temporaer:pin-actions-sha

Conversation

@temporaer

@temporaer temporaer commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Hardens the release/supply-chain posture of the workflows.

Changes

  • Pin all GitHub Actions to full commit SHAs (ci.yml, codeql.yml, publish.yml) — mutable tags like @v4 / @release/v1 can be repointed to malicious code.
  • Separate build and publish in publish.yml:
    • build job runs with contents: read only (no id-token), builds the wheel, and uploads it as an artifact.
    • publish job needs: build, runs under the publish-to-pypi environment, holds id-token: write, and downloads the artifact instead of rebuilding.
    • Keeps OIDC publishing identity off the build step so a compromised build can't publish.
  • Add .github/dependabot.yml — weekly github-actions and pip update PRs.

Related hardening (applied directly, outside this PR)

  • publish-to-pypi environment now requires review by ai4s-bioemu (prevent_self_review, no admin bypass).
  • Added a v* tag protection ruleset (creation restricted to ai4s-bioemu).
  • Enabled require_last_push_approval on the main branch ruleset.

Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@temporaer temporaer requested a review from sarahnlewis June 29, 2026 11:44
Split the PyPI publish workflow into an isolated build job (no id-token,
uploads the dist artifact) and a publish job that needs it, downloads the
artifact, and holds id-token: write under the publish-to-pypi environment.
This keeps OIDC publishing credentials off the build step and prevents a
compromised build from publishing.

Also add .github/dependabot.yml to enable weekly github-actions and pip
update PRs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@temporaer temporaer changed the title Pin GitHub Actions to commit SHAs Harden release workflow: pin actions, split build/publish, add Dependabot Jul 7, 2026
@temporaer temporaer enabled auto-merge (squash) July 7, 2026 12:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants