From 59823fe36aff2dbb4910d07bb78842f357cc1f01 Mon Sep 17 00:00:00 2001
From: maclane
Date: Wed, 1 Jul 2026 15:56:52 -0500
Subject: [PATCH 1/2] ci(tbtc/signer): pin workflow actions to commit SHAs; disable checkout credential persistence

Resolves the zizmor/CodeRabbit findings on the signer formal-verification workflow: unpinned mutable action tags and persisted git credentials in checkout steps. All `uses:` references now pin full commit SHAs with human-readable version comments (actions/checkout v4.3.1, dtolnay/rust-toolchain stable head, EmbarkStudios/cargo-deny-action v2.0.20, actions/setup-java v4.8.0), and every checkout step sets persist-credentials: false so the ephemeral token is not written to the local git config.

Co-Authored-By: Claude Fable 5
---
 .github/workflows/tbtc-signer-formal.yml | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/tbtc-signer-formal.yml b/.github/workflows/tbtc-signer-formal.yml
index c9120f6c74..7be5e8e06e 100644
--- a/.github/workflows/tbtc-signer-formal.yml
+++ b/.github/workflows/tbtc-signer-formal.yml
@@ -23,10 +23,12 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Setup Rust
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
 with:
 components: rustfmt, clippy
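Review bot: The `# stable` comment on the `dtolnay/rust-toolchain` pin in this hunk names a moving branch rather than a release, so a reader cannot tell which revision of the action `4be7066…` is, and pin-update tooling (Dependabot, Renovate) that uses the trailing version comment to look for newer releases has nothing to match against. A comment that says what the SHA actually is, e.g. `# stable branch head at time of pinning; toolchain chosen via the toolchain input`, plus a note on how the pin is refreshed, would close that gap; whether this action publishes tagged releases for its branches is not visible here. Separately, none of the hunks show a workflow-level `permissions:` key; if the workflow relies on the repository's default token permissions, `permissions: contents: read` at the top level is the usual companion to `persist-credentials: false` and the other finding zizmor commonly raises on checkout-only workflows — worth confirming against the part of the file this diff does not show.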
@@ -47,13 +49,15 @@ jobs:
 timeout-minutes: 15
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Check RustSec advisories
 # Blocking gate: a newly-published advisory against any locked
 # dependency fails the build. Accepted/unfixable advisories are
 # recorded with rationale in pkg/tbtc/signer/deny.toml.
- uses: EmbarkStudios/cargo-deny-action@v2
+ uses: EmbarkStudios/cargo-deny-action@bb137d7af7e4fb67e5f82a49c4fce4fad40782fe # v2.0.20
 with:
 manifest-path: pkg/tbtc/signer/Cargo.toml
 command: check advisories
@@ -64,10 +68,12 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Setup Rust
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
 - name: Run signer formal invariant tests
 # Filters cargo test by the formal_verification_ prefix so only
@@ -82,10 +88,12 @@ jobs:
 timeout-minutes: 20
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Setup Java
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
 with:
 distribution: temurin
 java-version: "17"

From 3010172ad2232d2b4b0654d0d20a472599d428a5 Mon Sep 17 00:00:00 2001
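Review bot: The cargo-deny step in the first hunk runs `check advisories` without `--locked`, so if the committed `Cargo.lock` under `pkg/tbtc/signer` has drifted from `Cargo.toml`, cargo re-resolves at run time and the gate audits versions the build does not actually ship, contrary to the "any locked dependency" promise in the step comment. Passing `--locked` turns that drift into a hard failure instead; with this action I believe that goes through the `arguments` input, roughly `arguments: --all-features --locked` (keeping the action's default `--all-features`, if that is still the default in v2.0.20 — confirm against the pinned action.yml). A one-line comment on the step, `# --locked: fail on a stale Cargo.lock rather than silently re-resolving`, would record the intent. The advisory database is still fetched fresh on every run, which is what a blocking advisory gate wants, so no change there.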
From: maclane
Date: Thu, 2 Jul 2026 11:48:11 -0400
Subject: [PATCH 2/2] ci(tbtc/signer): make Setup Rust toolchain explicit (toolchain: stable)

Codex P2 review on #4127 flagged that SHA-pinning dtolnay/rust-toolchain could make it install the SHA as a toolchain, since older versions of the action derive the default toolchain from the action ref. Verified against the pinned version (4be7066): its action.yml already defaults `toolchain` to `stable`, so the Setup Rust / formal jobs were not actually broken (they pass on this branch). Still, name the toolchain explicitly on both Setup Rust steps: it is self-documenting and independent of the pinned action's default, which is the safe form for a SHA-pinned toolchain action.

Co-Authored-By: Claude Fable 5
---
 .github/workflows/tbtc-signer-formal.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/tbtc-signer-formal.yml b/.github/workflows/tbtc-signer-formal.yml
index 7be5e8e06e..5952291a85 100644
--- a/.github/workflows/tbtc-signer-formal.yml
+++ b/.github/workflows/tbtc-signer-formal.yml
@@ -30,6 +30,12 @@ jobs:
 - name: Setup Rust
 uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
 with:
+ # Name the toolchain explicitly so it is self-documenting and
+ # independent of the pinned action's default. (This action version
+ # already defaults `toolchain` to `stable`; older versions instead
+ # derived it from the action ref, which would resolve to the SHA
+ # under this supply-chain pin -- so being explicit is the safe form.)
+ toolchain: stable
 components: rustfmt, clippy
 - name: Check formatting
@@ -74,6 +80,10 @@ jobs:
 - name: Setup Rust
 uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
+ with:
+ # Explicit toolchain, independent of the pinned action's default
+ # (see the Setup Rust step above).
+ toolchain: stable
 - name: Run signer formal invariant tests
 # Filters cargo test by the formal_verification_ prefix so only
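Review bot: `toolchain: stable` in the first hunk fixes which input the action reads, not which compiler runs: each job still installs whatever the stable channel is on the day it runs, so the clippy and formal-invariant results are not reproducible across runs, and a new stable release can start failing `cargo clippy` with lints unrelated to the change under test. For a formal-verification gate that is worth deciding deliberately: either pin a version here, quoted (`toolchain: "1.xx.y"` — an unquoted `1.80` parses as the float 1.8), or commit a `rust-toolchain.toml` under `pkg/tbtc/signer` that rustup honors, and say which in the comment. The five-line comment could then shrink to its one load-bearing sentence, e.g. `# Explicit toolchain: never derive it from the SHA-pinned action ref.` Whether the repo already ships a `rust-toolchain.toml` is not visible in this diff.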