Skip to content

fix: pin and checksum-verify semver install#90

Merged
nathanklick merged 1 commit into
mainfrom
fix/pin-semver-supply-chain
Jul 15, 2026
Merged

fix: pin and checksum-verify semver install#90
nathanklick merged 1 commit into
mainfrom
fix/pin-semver-supply-chain

Conversation

@nathanklick

Copy link
Copy Markdown
Collaborator

Summary

The Setup Semver step in action.yml downloaded the semver-tool script from the mutable master branch and installed it with sudo, without any integrity check. Anyone who compromised (or re-pointed) that upstream ref could execute arbitrary code on every runner using this action.

This hardens the step to match the existing jq and gomplate installs, which already pin a version and verify a SHA-256 checksum.

Changes

  • Pin the download to the immutable commit 837ad91179c4126e3b7ff73c35091d5ef561d9a3 (release tag 3.4.0) instead of master. A commit SHA cannot be re-pointed by the upstream owner.
  • Verify SHA-256 (1ff4a97e…) with shasum -a 256 -c - before sudo install, failing closed on mismatch — a second, independent layer against CDN/MITM tampering.
  • Drop the unnecessary sudo on curl — only install needs root.
  • To bump the version later, update SEMVER_COMMIT and SEMVER_SHA256 together (documented inline).

Behavior is unchanged for callers; the semver-version output still reports the installed version.

Verification

  • Positive: pinned URL + hash verifies (OK) and the script runs (semver: 3.4.0).
  • Negative: a tampered hash makes the step exit non-zero (FAILED) — fails closed.
  • action.yml remains structurally valid YAML with no new lint findings in the edited region.

The Setup Semver step downloaded the semver-tool script from the mutable
'master' branch with no integrity check, then installed it with sudo. A
compromise (or repointing) of that upstream ref would execute arbitrary
code on the runner.

Pin the download to the immutable commit 837ad91 (tag 3.4.0) and verify
its SHA-256 before install, failing closed on mismatch. This mirrors the
existing jq and gomplate hardening in this action. Also drop the
unnecessary sudo on curl; only install needs root.

Signed-off-by: Nathan Klick <nathan@swirldslabs.com>
Copilot AI review requested due to automatic review settings July 15, 2026 21:52

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the composite action’s “Setup Semver” step by removing reliance on a mutable upstream ref and adding integrity verification, aligning the SemVer install flow with the action’s existing pinned-and-verified download patterns.

Changes:

  • Pins the semver-tool download to an immutable commit SHA rather than master.
  • Adds SHA-256 checksum verification (shasum -a 256 -c -) before installing the script.
  • Drops sudo from the curl download step (keeps sudo only for install).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@nathanklick
nathanklick merged commit 5dbfbc4 into main Jul 15, 2026
21 checks passed
@nathanklick
nathanklick deleted the fix/pin-semver-supply-chain branch July 15, 2026 21:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants