(chore) pin dependencies for workflows and Docker base images#238
Conversation
rng1995
left a comment
There was a problem hiding this comment.
[Automated SkillSpector Review]
Approved. Both checkout uses are pinned to the immutable v4.2.2 commit, and both Docker stages pin the same immutable Python image digest. The diff is limited to supply-chain pinning and introduces no runtime/schema change. Current Python jobs fail formatting only in unchanged mcp_least_privilege.py, a known mainline drift outside this PR; DCO passes.
|
Fix linting issues @smoy |
69a69bc to
9b7546c
Compare
rebsed from upstream. make line is clean now |
rng1995
left a comment
There was a problem hiding this comment.
[Automated SkillSpector Review]
Re-review after new commits (prior approval at 9b7546c, 2026-07-09).
The PR pins all five actions/checkout uses in .github/workflows/ci.yml to 11bd71901bbe5b1630ceea73d27597364c9af683 (verified against the actions/checkout v4.2.2 tag) and pins both Dockerfile stages to the same immutable python:3.12-slim-bookworm digest. That content is unchanged from the previously approved head, so the prior approval's findings still hold for it.
Post-approval commits reviewed: the only new commit is 630bade ("Merge branch 'main' into chore/pin-dependencies", 2026-07-14). The merge is clean: the net PR diff against current main is still exactly the 7 pinning changes across 2 files, with no extraneous or reverted content smuggled in via the merge.
Blocker
- Merge commit
630badehas noSigned-off-by:trailer. The DCO check that this merge itself brings in from main iterates every commit inBASE..HEAD(including merge commits — there is no--no-mergesexemption) and exits 1 on any commit missing a sign-off. The two original commits are signed off, but the merge commit is not, so the DCO Check job will fail at the current head (combined status is currently pending/unstable). Fix: redo the sync with a signed-off merge (git merge main --signoff) or rebase onto main (git rebase mainkeeps the existing signed-off commits and drops the merge commit entirely).
Non-blocking
- The merged-in main added a
docker-smokeupload step usingactions/upload-artifact@v4(ci.yml line 104), which is unpinned — the same scorecardPinned-Dependenciesclass this PR addresses. It is outside this PR's diff (mainline drift), but since you will touch the branch anyway to fix the DCO issue, consider pinning it to the v4 tag's commit SHA here or in a quick follow-up.
Signed-off-by: Steven Moy <github@stevenmoy.com>
Signed-off-by: Steven Moy <github@stevenmoy.com>
630bade to
4fdab0e
Compare
|
I've revised the pull request to addressed the blocker. Also addressed the newly introduce tag issue after rebasing on latest upstream. |
Addressing two of the three issues from ossf/scorecard
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:45
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:71
Warn: containerImage not pinned by hash: Dockerfile:1
Warn: containerImage not pinned by hash: Dockerfile:9: pin your Docker image by updating python:3.12-slim-bookworm to python:3.12-slim-bookworm@sha256:8a7e7cc04fd3e2bd787f7f24e22d5d119aa590d429b50c95dfe12b3abe52f48b
Warn: pipCommand not pinned by hash: Dockerfile:7