From 108d406c57f3be88a9e19acd2d0771a4302aad45 Mon Sep 17 00:00:00 2001 From: "Yann Esposito (Yogsototh)" Date: Tue, 16 Jun 2026 11:42:26 +0200 Subject: [PATCH 1/2] Harden GitHub Actions workflow (PSIRT-0328599349) Pin all actions to full commit SHAs and apply least-privilege token permissions, addressing the GitHub Actions vulnerability classes flagged by PSIRT-0328599349. - Pin every `uses:` to a commit SHA with a version comment, so a retagged or compromised upstream release cannot inject code into CI. This covers the third-party action DeLaGuardo/setup-clojure (the main supply-chain exposure) as well as the actions/* steps. - Add a top-level `permissions: contents: read` block so the default GITHUB_TOKEN is least-privilege. The workflow only builds, lints and tests; it performs no writes (deploy to Clojars is a manual lein task, not CI-driven). No behavior change: each SHA is the current tip of the version that was previously referenced (checkout v4.3.1, cache v4.3.0/v3.5.0, setup-java v3.14.1/v2.5.1, setup-clojure 3.7/12.1). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/build.yml | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2e2333a3..54fc1ed4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,6 +11,10 @@ on: # 12:00AM on the first of every month - cron: "0 0 1 * *" +# Least-privilege default token: this workflow only builds, lints and tests. +permissions: + contents: read + jobs: setup: runs-on: ubuntu-latest @@ -19,13 +23,13 @@ jobs: matrix: ${{ steps.set-matrix.outputs.matrix }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install clojure tools - uses: DeLaGuardo/setup-clojure@3.7 + uses: DeLaGuardo/setup-clojure@fa522696baadfef7de0fe810135f446221e665c2 # 3.7 with: lein: 2.9.8 - name: Cache project dependencies - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: | ~/.m2/repository @@ -51,16 +55,16 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Install Java - uses: actions/setup-java@v3 + uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3.14.1 with: distribution: 'temurin' java-version: '8' - name: Install clojure tools - uses: DeLaGuardo/setup-clojure@12.1 + uses: DeLaGuardo/setup-clojure@0fc99a3bcdd086349bfb01a9262382fe3d37cd6d # 12.1 with: clj-kondo: '2023.12.15' @@ -75,9 +79,9 @@ jobs: timeout-minutes: 10 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Cache project dependencies - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3.5.0 with: path: | ~/.m2/repository @@ -86,12 +90,12 @@ jobs: restore-keys: | ${{ runner.os }}-clojure - name: Prepare java - uses: actions/setup-java@v2 + uses: actions/setup-java@91d3aa4956ec4a53e477c4907347b5e3481be8c9 # v2.5.1 with: distribution: 'temurin' java-version: ${{ matrix.jdk }} - name: Install clojure tools - uses: DeLaGuardo/setup-clojure@3.7 + uses: DeLaGuardo/setup-clojure@fa522696baadfef7de0fe810135f446221e665c2 # 3.7 with: lein: 2.9.8 - run: | From f51a69d3ed81cd4198d92c02c58f5c40fced4e5b Mon Sep 17 00:00:00 2001 From: "Yann Esposito (Yogsototh)" Date: Tue, 16 Jun 2026 14:47:45 +0200 Subject: [PATCH 2/2] ci: re-trigger Build workflow after re-enable (PSIRT-0328599349) The Build workflow was auto-disabled (disabled_inactivity) after 60+ days idle, so the required 'all-pr-checks' status never ran on this PR. Re-enabled the workflow; this empty commit re-fires the pull_request run. Co-Authored-By: Claude Opus 4.8 (1M context)