
ci: Supply Chain Hardening#81

Open
HackingRepo wants to merge 16 commits intocoreruleset:mainfrom
HackingRepo:patch-1

Conversation

@HackingRepo

No description provided.

HackingRepo changed the title from "Harden Github Actions" to "Supply Chain Hardening" on Mar 24, 2026
fzipi changed the title from "Supply Chain Hardening" to "ci: Supply Chain Hardening" on Mar 24, 2026
fzipi requested a review from Copilot on March 24, 2026 at 16:32

Copilot AI left a comment


Pull request overview

Updates CI/publishing to harden the supply chain by pinning dependencies and GitHub Actions, and by restricting GitHub token permissions.

Changes:

  • Add permissions: contents: read and pin actions/checkout / actions/setup-python to specific SHAs.
  • Switch CI and publish workflows to install Python dependencies using pip --require-hashes.
  • Update runtime requirements and introduce requirements-build.txt; change publish to use python -m build.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.

Files and descriptions:

  • requirements.txt: Pins test dependencies to newer versions and adds hashes.
  • requirements-build.txt: Introduces pinned build/publish tooling with hashes.
  • .github/workflows/ci.yml: Pins actions, reduces the Python matrix, enables pip caching, and installs deps with --require-hashes.
  • .github/workflows/publish.yml: Pins actions, restricts permissions, installs build deps from requirements-build.txt, and uses python -m build.

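The review summary above lists three controls: a top-level `permissions: contents: read`, `uses:` references pinned to commit SHAs rather than tags, and pip installs with `--require-hashes`. As an added example, not code from this PR or from the coreruleset project, here is a small Python linter that checks a workflow body and a requirements file for exactly those properties. The two workflow bodies, the two requirements files, the placeholder SHA and the digests are constructed inputs for the demonstration; none of them are real coreruleset files or real package hashes.

```python
"""Added example, not part of the PR: lint a GitHub Actions workflow and a pip
requirements file for the hardening properties named in the review summary.
All sample inputs below are constructed; SHAs and digests are placeholders."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # full commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")         # `uses: owner/repo@ref`
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")
HEX_LEN = {"sha256": 64, "sha384": 96, "sha512": 128}       # expected digest lengths


def check_workflow(text):
    """Return findings for a workflow body; an empty list means it passes."""
    findings = []
    if not re.search(r"^permissions:", text, re.M):
        findings.append("no top-level permissions: block; GITHUB_TOKEN keeps its default scope")
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local path or docker image, not a marketplace ref to SHA-pin
        if "@" not in ref:
            findings.append(f"line {lineno}: {ref} has no version pin at all")
            continue
        action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(f"line {lineno}: {action} uses mutable ref {version!r}, not a commit SHA")
    return findings


def check_requirements(text):
    """Return findings for a requirements file: each package line needs == and a valid --hash."""
    findings = []
    logical = text.replace("\\\n", " ")  # fold backslash continuations into one logical line
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option such as --require-hashes / -r
        name = re.split(r"[=<>!~]", line, maxsplit=1)[0].strip()
        if "==" not in line:
            findings.append(f"{name}: not pinned with ==")
        hashes = HASH_RE.findall(line)
        if not hashes:
            findings.append(f"{name}: no --hash, pip --require-hashes will reject the file")
        for algo, digest in hashes:
            if len(digest) != HEX_LEN[algo]:
                findings.append(f"{name}: malformed {algo} digest ({len(digest)} hex chars)")
    return findings


def audit(workflow, requirements):
    """Run both checks on one workflow/requirements pair."""
    return check_workflow(workflow) + check_requirements(requirements)


# Constructed sample inputs (placeholder SHA and digests, not real values).
PLACEHOLDER_SHA = "a" * 40

WEAK_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
"""

HARDENED_WORKFLOW = f"""\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v4 (placeholder SHA)
      - uses: actions/setup-python@{PLACEHOLDER_SHA}  # v5 (placeholder SHA)
      - uses: ./.github/actions/local-lint
      - run: pip install --require-hashes -r requirements.txt
"""

WEAK_REQS = "pyyaml>=6.0\nrequests==2.32.3\n"

HARDENED_REQS = (
    "--require-hashes\n"
    "pyyaml==6.0.2 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "requests==2.32.3 \\\n"
    "    --hash=sha512:" + "1" * 128 + " \\\n"
    "    --hash=sha512:" + "2" * 128 + "\n"
)

if __name__ == "__main__":
    for label, wf, reqs in (("weak", WEAK_WORKFLOW, WEAK_REQS),
                            ("hardened", HARDENED_WORKFLOW, HARDENED_REQS)):
        print(label, audit(wf, reqs) or "OK")
```

Two practical notes for anyone reproducing the PR's setup: `--require-hashes` makes pip refuse the install if any requirement, including transitive ones, lacks a hash, so the file has to be generated from a fully resolved set (for example with pip-tools' `pip-compile --generate-hashes`, or `pip hash` on downloaded artifacts) rather than hand-edited; and a SHA-pinned `uses:` line should keep a trailing `# vX.Y.Z` comment so Dependabot can still propose version bumps.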

@HackingRepo
Author

@copilot I updated setup.py to use 3.10

HackingRepo and others added 6 commits March 24, 2026 11:29
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Because of quantum, future attacks will reduce SHA256 collision to 64 bit via Grover, but SHA512 will be reduced to 128 bit and it is still strong
Because of quantum, future attacks will reduce SHA256 collision to 64 bit via Grover, but SHA512 will be reduced to 128 bit and it is still strong
2 participants