From 33de2cff52d101a625a856266ece0af61242a1d1 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Tue, 12 May 2026 00:02:13 +0600 Subject: [PATCH 1/3] Harden GitHub Actions workflows - Pin every action ref to a full-length commit SHA with a trailing version comment, so floating tags like @v4 can't be re-pointed at malicious code. - Bump outdated actions/checkout@v1 to @v4.3.1 (where present). - Tag-triggered workflows now check out with fetch-depth: 1 and fetch-tags: true so the tag ref is available downstream. - release-tracker.yml grants contents: write at the job level so the default GITHUB_TOKEN can push commits/tags back to the repo. Signed-off-by: Tamal Saha --- .github/workflows/release.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8193b01d9..da554887c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -13,12 +13,18 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 1 + fetch-tags: true - name: check format run: make check_format build: runs-on: ubuntu-latest steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 1 + fetch-tags: true - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 From 1a5c5080e141d22026a1976532675492fc2cff52 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 10:36:48 +0600 Subject: [PATCH 2/3] Normalize Prepare git user, fetch-depth, drop permission-issues Signed-off-by: Tamal Saha --- .github/workflows/release.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index da554887c..fe0a67abe 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,8 +14,7 @@ jobs: steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: check format run: make check_format build: @@ -23,8 +22,7 @@ jobs: steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: - fetch-depth: 1 - fetch-tags: true + fetch-depth: 0 - name: Set up QEMU uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 From fd45c06d04e92d2fec416232e5ff242e8acbc5d2 Mon Sep 17 00:00:00 2001 From: Tamal Saha Date: Thu, 14 May 2026 18:56:29 +0600 Subject: [PATCH 3/3] Rename .yaml workflow files to .yml for consistency Signed-off-by: Tamal Saha --- .github/workflows/{main.yaml => main.yml} | 0 .github/workflows/{pullrequest.yaml => pullrequest.yml} | 0 .github/workflows/{release.yaml => release.yml} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{main.yaml => main.yml} (100%) rename .github/workflows/{pullrequest.yaml => pullrequest.yml} (100%) rename .github/workflows/{release.yaml => release.yml} (100%) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yml similarity index 100% rename from .github/workflows/main.yaml rename to .github/workflows/main.yml diff --git a/.github/workflows/pullrequest.yaml b/.github/workflows/pullrequest.yml similarity index 100% rename from .github/workflows/pullrequest.yaml rename to .github/workflows/pullrequest.yml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yml similarity index 100% rename from .github/workflows/release.yaml rename to .github/workflows/release.yml