
ci(tbtc/signer): pin workflow actions to commit SHAs; disable checkout credential persistence#4127

Merged
mswilkison merged 2 commits into
extraction/frost-signer-mirror-2026-05-26from
ci/signer-formal-workflow-hardening
Jul 2, 2026

Conversation

@mswilkison

Contributor

Summary

Hardens .github/workflows/tbtc-signer-formal.yml (introduced in #4005) against supply-chain and credential-exposure risks:

  • Every actions/checkout step now sets persist-credentials: false, so the ephemeral GITHUB_TOKEN is not persisted into the local git config after checkout. None of the jobs perform authenticated git operations after checkout, so nothing relies on the persisted credential.
  • Every uses: reference is pinned to a full 40-hex commit SHA with a trailing comment recording the human-readable version, replacing mutable tag/branch refs. No action major versions were changed — each pin is the current commit behind the ref that was already in use.

This addresses the two open CodeRabbit review threads on #4005 (persisted checkout credentials + unpinned action refs on .github/workflows/tbtc-signer-formal.yml).

Pinned actions

| Action | Old ref | Pinned SHA (version) |
| --- | --- | --- |
| actions/checkout | v4 | 34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1) |
| dtolnay/rust-toolchain | stable | 4be7066ada62dd38de10e7b70166bc74ed198c30 (stable branch head) |
| EmbarkStudios/cargo-deny-action | v2 | bb137d7af7e4fb67e5f82a49c4fce4fad40782fe (v2.0.20) |
| actions/setup-java | v4 | c1e323688fd81a25caa38c78aa6df2d33d3e20d9 (v4.8.0) |

Notes

🤖 Generated with Claude Code

…t credential persistence

Resolves the zizmor/CodeRabbit findings on the signer formal-verification
workflow: unpinned mutable action tags and persisted git credentials in
checkout steps. All `uses:` references now pin full commit SHAs with
human-readable version comments (actions/checkout v4.3.1,
dtolnay/rust-toolchain stable head, EmbarkStudios/cargo-deny-action
v2.0.20, actions/setup-java v4.8.0), and every checkout step sets
persist-credentials: false so the ephemeral token is not written to the
local git config.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 1, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2ca44e9d-f373-45c9-bc5d-509bd6c789a6

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands.

mswilkison added a commit that referenced this pull request Jul 2, 2026
…teps

Codex P2 review on #4127: dtolnay/rust-toolchain defaults its installed
toolchain to the action ref. Once the action is pinned by commit SHA (as this
workflow now does for supply-chain hardening) that ref is no longer "stable",
so the Setup Rust steps would try to install the SHA as a rustup toolchain and
the signer Rust/formal jobs fail. Keep the SHA pin and name the toolchain
explicitly (`toolchain: stable`) on both Setup Rust steps.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Codex P2 review on #4127 flagged that SHA-pinning dtolnay/rust-toolchain could
make it install the SHA as a toolchain, since older versions of the action
derive the default toolchain from the action ref. Verified against the pinned
version (4be7066): its action.yml already defaults `toolchain` to `stable`, so
the Setup Rust / formal jobs were not actually broken (they pass on this
branch). Still, name the toolchain explicitly on both Setup Rust steps: it is
self-documenting and independent of the pinned action's default, which is the
safe form for a SHA-pinned toolchain action.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
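The three hardening rules this PR and its follow-up commits apply (full-SHA pins on every `uses:`, `persist-credentials: false` on every checkout, and an explicit `toolchain:` on SHA-pinned dtolnay/rust-toolchain steps) are easy to regress in later workflow edits, so a small linter over the workflow file is the natural defensive check. The script below is an added example written for this page; it is not part of the project or of the PR, and it is not zizmor or CodeRabbit. It uses a minimal indentation-aware line scanner rather than a YAML library so it runs with the standard library only, and it is run over a constructed sample workflow whose `weak` job has the defects the PR fixed and whose `hardened` job uses the pinned SHAs from the table above.

```python
import re

# Constructed sample workflow for this example. Job "weak" has the defects the
# PR fixed; job "hardened" shows the pinned form using the SHAs from the PR table.
SAMPLE_WORKFLOW = """\
name: signer-formal
on: [push]
jobs:
  weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Deny
        uses: EmbarkStudios/cargo-deny-action@v2
  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          persist-credentials: false
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable branch head
        with:
          toolchain: stable
      - uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
KEY_RE = re.compile(r"^([\w.-]+):\s*(.*?)\s*$")


def is_full_sha(ref):
    """True only for a full 40-hex commit SHA; tags, branches and short SHAs fail."""
    return bool(SHA_RE.match(ref))


def indent_of(line):
    return len(line) - len(line.lstrip())


def split_steps(lines):
    """Return (1-based line number, block) for every '- ' list item together
    with the lines nested under it. Non-step lists (e.g. branch filters) yield
    blocks without a `uses:` key, which the checks simply ignore."""
    steps = []
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)-\s", lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        j = i + 1
        while j < len(lines) and (not lines[j].strip() or indent_of(lines[j]) > indent):
            j += 1
        steps.append((i + 1, lines[i:j]))
        i = j
    return steps


def parse_step(block):
    """Extract the `uses:` target and the `with:` key/value pairs of one step."""
    uses, with_keys, with_indent = None, {}, None
    for line in block:
        stripped = line.strip()
        if with_indent is not None:
            if stripped and indent_of(line) <= with_indent:
                with_indent = None  # left the with: mapping; fall through
            else:
                km = KEY_RE.match(stripped)
                if km:
                    # drop trailing "# comment" and surrounding quotes from the value
                    with_keys[km.group(1)] = re.sub(r"\s+#.*$", "", km.group(2)).strip("'\"")
                continue
        um = USES_RE.match(line)
        if um:
            uses = um.group(1)
        elif re.match(r"^-?\s*with:\s*$", stripped):
            with_indent = indent_of(line)
    return uses, with_keys


def check_workflow(text):
    """Apply the three hardening checks; return [(line_number, message), ...]."""
    findings = []
    for line_no, block in split_steps(text.splitlines()):
        uses, with_keys = parse_step(block)
        if uses is None or uses.startswith(("./", "docker://")):
            continue  # not a step, or a local/docker action that has no ref to pin
        action, _, ref = uses.partition("@")
        if not is_full_sha(ref):
            findings.append((line_no, f"{uses}: not pinned to a full commit SHA"))
        if action == "actions/checkout" and with_keys.get("persist-credentials", "").lower() != "false":
            findings.append((line_no, "actions/checkout: persist-credentials is not set to false"))
        if action == "dtolnay/rust-toolchain" and not with_keys.get("toolchain"):
            findings.append((line_no, "dtolnay/rust-toolchain: toolchain is not named explicitly under with:"))
    return findings


if __name__ == "__main__":
    for line_no, message in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {message}")
```

Run against the sample, every finding lands in the `weak` job (lines 7 to 10) and the `hardened` job is clean. The SHA check deliberately rejects short SHAs as well as tags: a mutable tag can be moved to new code by anyone with write access to the action repository, while a full commit SHA identifies exactly one tree. Note that a pin does not freeze the action's transitive dependencies (for composite or Docker actions), so pinning complements rather than replaces review of what the pinned commit does.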
@mswilkison mswilkison force-pushed the ci/signer-formal-workflow-hardening branch from 5cb4083 to 3010172 on July 2, 2026 15:52
@mswilkison mswilkison merged commit 911f3b6 into extraction/frost-signer-mirror-2026-05-26 Jul 2, 2026
20 checks passed
@mswilkison mswilkison deleted the ci/signer-formal-workflow-hardening branch July 2, 2026 16:39