ci: SHA-pin secret-bearing third-party actions + audit the web dep tree
- Pin android-actions/setup-android, appleboy/scp-action, and appleboy/ssh-action to commit SHAs (version kept in a trailing comment). These run in jobs holding the Android signing keystore, Play service-account, and deploy SSH key, so a moved tag on a third-party action could exfiltrate them. - Add a bun-audit job to audit.yml over web/bun.lock — the console holds the login gate, session sealing, and mgmt token, so its deps matter too — and trigger the workflow on web/bun.lock changes alongside Cargo.lock. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -25,7 +25,8 @@ jobs:
|
||||
java-version: "21"
|
||||
|
||||
- name: Android SDK
|
||||
uses: android-actions/setup-android@v3
|
||||
# SHA-pinned for parity with android.yml (third-party action). v3 = 9fc6c4e.
|
||||
uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3
|
||||
|
||||
# No NDK/CMake — the screenshot unit tests are pure JVM. compileSdk 37 auto-downloads via AGP
|
||||
# if the platform channel lacks it (same note as android.yml).
|
||||
|
||||
Reference in New Issue
Block a user