From 50e5c333c4329d39d7310f769d7ec2e54cfcc08f Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Mon, 27 Apr 2026 14:34:34 +0200 Subject: [PATCH 1/9] ci: Address code scan reports (unpinned action reference) Co-authored-by: Copilot --- .github/workflows/build.yml | 10 +++++----- .github/workflows/checks.yml | 6 +++--- .github/workflows/publish.yml | 12 ++++++------ .github/workflows/release.yml | 6 +++--- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 09f461b..554fe06 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,7 +11,7 @@ jobs: steps: # 1 – Check out the code - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # 2 – Expose the version tag as $PACKAGE_VERSION (only if this is a v* tag ref) - name: Set environment package version from tag @@ -25,20 +25,20 @@ jobs: fi # 3 – Set up Python - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' cache: 'pip' # 4 – Set up Node.js - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '24.x' cache: 'npm' # 5 – Set up JDK 17 and enable sbt cache - name: Set up JDK 17 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: '17' @@ -46,7 +46,7 @@ jobs: # 6 – Install sbt 1.12.4 - name: Set up sbt - uses: sbt/setup-sbt@v1 + uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22 with: sbt-runner-version: '1.12.4' diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index b0a9653..9c0d7dc 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
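Review bot: The `# v6.0.2`-style comments after each SHA are the only link between the pin and a release, and nothing in this patch keeps them current or shows that each hash is the commit behind that tag (not checkable from the diff). A full-SHA pin is only safer than `@v6` if it gets refreshed when upstream ships a fix, so add a Dependabot config for the `github-actions` ecosystem, which bumps the hash and the trailing version comment together. Before merging, verify each hash against its tag, e.g. `git ls-remote --tags https://github.com/actions/checkout v6.0.2`, and do the same for the less widely audited `sbt/setup-sbt` and `ad-m/github-push-action` pins.
```yaml
# .github/dependabot.yml — keep the SHA pins (and their version comments) current
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```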
@@ -15,17 +15,17 @@ jobs: check-code: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node.js environment - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: 24.x cache: yarn cache-dependency-path: yarn.lock - name: Setup Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 132a6b3..16d783b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -14,7 +14,7 @@ jobs: steps: # 1 – Check out the repo - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # 2 – Expose the tag (e.g. 1.2.3) as $PACKAGE_VERSION - name: Set environment package version from tag @@ -24,20 +24,20 @@ jobs: echo "PACKAGE_VERSION=${ref#v}" >> "$GITHUB_ENV" # 3 – Set up Python - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' cache: 'pip' # 4 – Set up Node.js - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '24.x' cache: 'npm' # 5 – Set up JDK 17 and enable sbt cache - name: Set up JDK 17 - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 with: distribution: 'temurin' java-version: '17' @@ -45,7 +45,7 @@ jobs: # 6 – Install sbt 1.12.4 - name: Set up sbt - uses: sbt/setup-sbt@v1 + uses: sbt/setup-sbt@508b753e53cb6095967669e0911487d2b9bc9f41 # v1.1.22 with: sbt-runner-version: '1.12.4' 
@@ -59,4 +59,4 @@ jobs: # 9 – Publish to PyPI (Trusted Publishing) - name: Publish distribution to PyPI 🚀 - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 118856a..c193dc2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,10 +12,10 @@ jobs: bump-version: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - uses: actions/setup-python@v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - name: Install release tooling @@ -26,7 +26,7 @@ jobs: git config --local user.name "swan-admins[bot]" bump2version ${{ github.event.inputs.bump }} - name: Push changes - uses: ad-m/github-push-action@master + uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # v1.1.0 with: github_token: ${{ secrets.WORKFLOW_ACCESS_TOKEN }} tags: true From a96e978a4fcba3f59b33ab2a715e6b60f34ba66b Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Mon, 27 Apr 2026 14:37:46 +0200 Subject: [PATCH 2/9] ci: Address code scan reports (overly broad permissions) --- .github/workflows/build.yml | 2 ++ .github/workflows/checks.yml | 2 ++ .github/workflows/publish.yml | 2 ++ .github/workflows/release.yml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 554fe06..ee7f058 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,8 @@ on: branches: [ master ] workflow_dispatch: +permissions: {} # Deny all permissions by default at workflow level + jobs: test-build: runs-on: ubuntu-latest diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 9c0d7dc..360dc19 100644 
--- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -11,6 +11,8 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +permissions: {} # Deny all permissions by default at workflow level + jobs: check-code: runs-on: ubuntu-latest diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 16d783b..c16d8f2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,8 @@ on: tags: - 'v*' # runs only when you push tags like v1.2.3 +permissions: {} # Deny all permissions by default at workflow level + jobs: build-publish: runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c193dc2..38525eb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,8 @@ on: required: true default: "patch" +permissions: {} # Deny all permissions by default at workflow level + jobs: bump-version: runs-on: ubuntu-latest From 24a5b6c07ae1af7bc9fbcd426099c879ad950cd1 Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Mon, 27 Apr 2026 14:39:18 +0200 Subject: [PATCH 3/9] ci: Address code scan reports (insufficient job-level concurrency limits) --- .github/workflows/build.yml | 4 ++++ .github/workflows/checks.yml | 4 ++++ .github/workflows/publish.yml | 4 ++++ .github/workflows/release.yml | 4 ++++ 4 files changed, 16 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ee7f058..37ed084 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,6 +5,10 @@ on: branches: [ master ] workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: {} # Deny all permissions by default at workflow level jobs: diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 360dc19..4e25d7f 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
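Review bot: `permissions: {}` in publish.yml also withdraws `id-token`, yet this workflow's PyPI step uses Trusted Publishing via `pypa/gh-action-pypi-publish`, which cannot obtain an OIDC token without `id-token: write`; unless the `build-publish` job already grants it at job level — its header is outside this hunk, so I cannot tell — the next tag push will fail at the publish step. Grant it on the job rather than the workflow so the build and test steps keep an empty token: under `build-publish:` add `permissions:` and `  id-token: write` (plus `contents: read` if the repository is private, since checkout then needs it). The same empty grant is fine in release.yml, where the push uses `WORKFLOW_ACCESS_TOKEN` rather than `GITHUB_TOKEN`.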
@@ -11,6 +11,10 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: {} # Deny all permissions by default at workflow level jobs: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index c16d8f2..f9233b8 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,10 @@ on: tags: - 'v*' # runs only when you push tags like v1.2.3 +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: {} # Deny all permissions by default at workflow level jobs: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 38525eb..07d8200 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,10 @@ on: required: true default: "patch" +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + permissions: {} # Deny all permissions by default at workflow level jobs: From 4d81a05a708347852ca3d61056e2d6180f07ebda Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Mon, 27 Apr 2026 14:41:07 +0200 Subject: [PATCH 4/9] ci: Address code scan reports (secrets referenced without a dedicated environment) Co-authored-by: Copilot --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 07d8200..f0dbfbd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,7 @@ permissions: {} # Deny all permissions by default at workflow level jobs: bump-version: runs-on: ubuntu-latest + environment: tag-release steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: From 8c3592f9f496a5b7fc1382807c4ecdfcd1c30a85 Mon Sep 17 00:00:00 2001 
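Review bot: `cancel-in-progress: true` is the wrong setting for a workflow that mutates the repository: release.yml is dispatched manually, so every run on the same branch shares the same group key and a second dispatch would kill the first between `bump2version` and the push, leaving a bump commit or tag half-published. publish.yml keys on the tag ref so collisions are rarer, but cancelling a run mid-upload to PyPI is equally unwelcome. Keep the group so runs queue instead of racing, but set `cancel-in-progress: false` in release.yml and publish.yml; cancelling superseded runs is appropriate only for build.yml and checks.yml.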
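Review bot: `environment: tag-release` closes the finding only if that environment is configured with required reviewers and/or a deployment-branch rule and `WORKFLOW_ACCESS_TOKEN` is stored as an environment secret rather than a repository secret; none of that is visible in the diff, and a repository-level secret stays readable by every other workflow regardless of this line. Record the dependency on settings next to the line so it survives the next refactor: `# WORKFLOW_ACCESS_TOKEN is an environment secret of 'tag-release' (required reviewers + branch rule set in repo settings)`. Since the token (presumably a PAT or app token) is what pushes to the default branch, keep it scoped to `contents: write` on this repository only.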
From: RodrigoSobral2000 Date: Mon, 27 Apr 2026 14:43:07 +0200 Subject: [PATCH 5/9] ci: Address code scan reports (code injection via template expansion) Co-authored-by: Copilot --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f0dbfbd..4a0cc3d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,10 +28,12 @@ jobs: - name: Install release tooling run: python -m pip install bump2version - name: Bump and tag + env: + BUMP: ${{ github.event.inputs.bump }} run: | git config --local user.email "swan-admins@cern.ch" git config --local user.name "swan-admins[bot]" - bump2version ${{ github.event.inputs.bump }} + bump2version ${BUMP} - name: Push changes uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # v1.1.0 with: From d0ba1577547c6df9cce24d88dbecbddbdc9f7cd7 Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Mon, 27 Apr 2026 14:46:53 +0200 Subject: [PATCH 6/9] ci: Address code scan reports (credential persistence through GitHub Actions artifacts) --- .github/workflows/build.yml | 2 ++ .github/workflows/checks.yml | 2 ++ .github/workflows/publish.yml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 37ed084..b731c62 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,8 @@ jobs: steps: # 1 – Check out the code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # 2 – Expose the version tag as $PACKAGE_VERSION (only if this is a v* tag ref) - name: Set environment package version from tag diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 4e25d7f..e73fa11 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml 
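Review bot: Reading the input through `BUMP` removes the expression injection, but `bump2version ${BUMP}` still expands it unquoted, so a dispatch input such as `patch --new-version 99.0.0` turns into extra arguments for bump2version. Quote it and reject anything but the three values the tool accepts: `case "${BUMP}" in major|minor|patch) ;; *) echo "invalid bump: ${BUMP}" >&2; exit 1 ;; esac` followed by `bump2version "${BUMP}"`. If the `bump` input is declared `type: choice` the UI enforces the same list, but the `on:` block is outside this hunk and I cannot confirm it. The context line `python -m pip install bump2version` is also unpinned; pin a version (ideally with `--require-hashes`) so the release tooling is as reproducible as the actions this series just SHA-pinned.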
@@ -22,6 +22,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Node.js environment uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index f9233b8..df55542 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -21,6 +21,8 @@ jobs: steps: # 1 – Check out the repo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false # 2 – Expose the tag (e.g. 1.2.3) as $PACKAGE_VERSION - name: Set environment package version from tag From 98982c4b519524907dd976d3baee7ad1db48dfe9 Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Mon, 27 Apr 2026 15:29:35 +0200 Subject: [PATCH 7/9] ci: Address code scan reports (runtime artifacts potentially vulnerable to a cache poisoning attack) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'npm', 'sbt', 'pip' removed — caching disabled in publish workflows to prevent cache poisoning --- .github/workflows/publish.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index df55542..5ba42a2 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -35,13 +35,12 @@ jobs: - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.13' - cache: 'pip' # 4 – Set up Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '24.x' - cache: 'npm' + package-manager-cache: false # 5 – Set up JDK 17 and enable sbt cache - name: Set up JDK 17 @@ -49,7 +48,6 @@ jobs: with: distribution: 'temurin' java-version: '17' - cache: 'sbt' # 6 – Install sbt 1.12.4 - name: Set up sbt 
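Review bot: The context line `# 5 – Set up JDK 17 and enable sbt cache` is now stale, since this hunk deletes `cache: 'sbt'`, and a maintainer trusting the comment is likely to reinstate the cache and with it the poisonable restore step. Change it to `# 5 – Set up JDK 17 (no sbt cache on purpose: the publish job must never restore a cache another run could have seeded)`, and put the same one-line rationale next to `package-manager-cache: false` in the setup-node step, which otherwise reads like an accident. Dropping `cache: 'pip'` is right for the same reason; build.yml and checks.yml keep their caches, which is acceptable as long as nothing they produce is consumed by this publish job.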
From c6392dec597b6f4ed0d27d9f69ab4a2bebd17d81 Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Wed, 29 Apr 2026 08:57:48 +0200 Subject: [PATCH 8/9] ci: Push using command line instead of an action --- .github/workflows/release.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4a0cc3d..f4d20a3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -35,7 +35,8 @@ jobs: git config --local user.name "swan-admins[bot]" bump2version ${BUMP} - name: Push changes - uses: ad-m/github-push-action@4cc74773234f74829a8c21bc4d69dd4be9cfa599 # v1.1.0 - with: - github_token: ${{ secrets.WORKFLOW_ACCESS_TOKEN }} - tags: true + env: + WORKFLOW_ACCESS_TOKEN: ${{ secrets.WORKFLOW_ACCESS_TOKEN }} + run: | + git remote set-url origin "https://x-access-token:${WORKFLOW_ACCESS_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" + git push origin "${{ github.ref_name }}" From 7bb865b6a28d45081e416c984c97cc0e8e59df19 Mon Sep 17 00:00:00 2001 From: RodrigoSobral2000 Date: Wed, 29 Apr 2026 08:59:51 +0200 Subject: [PATCH 9/9] ci: Address code scan report (code injection via template expansion) Co-authored-by: Copilot --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f4d20a3..6b43d4f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,6 +37,7 @@ jobs: - name: Push changes env: WORKFLOW_ACCESS_TOKEN: ${{ secrets.WORKFLOW_ACCESS_TOKEN }} + REF_NAME: ${{ github.ref_name }} run: | git remote set-url origin "https://x-access-token:${WORKFLOW_ACCESS_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" - git push origin "${{ github.ref_name }}" + git push origin "${REF_NAME}" --tags --atomic
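Review bot: `git remote set-url origin "https://x-access-token:${WORKFLOW_ACCESS_TOKEN}@…"` stores the token in clear text in `.git/config` for the rest of the job, which defeats the `persist-credentials: false` on the checkout above (outside this hunk) and exposes it to any later step that archives or uploads the workspace; GitHub masks the secret in logs, but `.git/config` is not a log. Present the credential only to the push, the way actions/checkout does, with an auth header: `AUTH="$(printf 'x-access-token:%s' "${WORKFLOW_ACCESS_TOKEN}" | base64 -w0)"` then `git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH}" push origin "${GITHUB_REF_NAME}"`, leaving the remote URL untouched. This hunk also drops the `tags: true` the removed action had and inlines `${{ github.ref_name }}` into the script; both are addressed by the next patch in the series, so no separate change is needed here.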
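Review bot: `--tags` pushes every tag in the local clone, not just the one `bump2version` created; with actions/checkout's default depth-1, no-tags fetch that is usually only the new tag, but it depends on the checkout options above this hunk (not visible) and any later `fetch-tags: true` would push stale or foreign tags with the release token. Push the tag by name instead: `TAG="$(git describe --tags --exact-match HEAD)"` then `git push --atomic origin "${REF_NAME}" "refs/tags/${TAG}"`, which presumes bump2version is configured to tag the bump commit, as the replaced action's `tags: true` suggested. `--atomic` is a good addition: either the branch and the tag both land or neither does.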