Skip to content

fix(security): pin GitHub Actions to commit SHAs in publish workflow#67

Open
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-etils-actions-sha
Open

fix(security): pin GitHub Actions to commit SHAs in publish workflow#67
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-etils-actions-sha

Conversation

@XananasX7

Copy link
Copy Markdown

Summary

The pytest_and_autopublish.yml workflow uses mutable tag references for all three of its actions, including etils-actions/pypi-auto-publish@v1 — a third-party action with minimal vetting (~10 GitHub stars). If any tag is silently redirected, the malicious code runs in the job that holds PYPI_API_TOKEN, enabling a backdoored release of mediapy on PyPI.

Changes

Action Before After
actions/checkout @v4 @34e11487…
actions/setup-python @v5 @a26af69b…
etils-actions/pypi-auto-publish @v1 @e3c4b4af…

SHA-pinning is recommended by the GitHub security hardening guide.

Tag-pinned actions can be silently redirected to malicious code.
Pin each action to its immutable commit SHA:
- actions/checkout@v4       → @34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-python@v5   → @a26af69be951a213d495a4c3e4e4022e16d87065
- etils-actions/pypi-auto-publish@v1 → @e3c4b4afc3a5b12a44734da938741995538e8223

The pypi-auto-publish action has PYPI_API_TOKEN; a compromised tag would
enable a supply-chain attack on every downstream user of mediapy.
@google-cla

google-cla Bot commented Jun 28, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant