From 0e196e11a11ca7f6d59a2f3aa5ab455083e0efe1 Mon Sep 17 00:00:00 2001
From: Scott Gerlach
Date: Wed, 1 Apr 2026 10:41:14 -0600
Subject: [PATCH 1/4] security: pin tibdex/github-app-token to SHA (TeamPCP finding 2)
---
 .github/workflows/ci.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4026cf6..7dbadf4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,7 +54,10 @@ jobs:
 persist-credentials: 'false'
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA instead of
+ # mutable @v2 tag. Mutable tags can be silently redirected to malicious commits.
+ # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 with:
 app_id: ${{ secrets.HAWKY_APP_ID }}
 private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
@@ -96,7 +99,10 @@ jobs:
 persist-credentials: 'false'
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA instead of
+ # mutable @v2 tag.
+ # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 with:
 app_id: ${{ secrets.HAWKY_APP_ID }}
 private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
From 40c3894bad041b6696b036238c044a103866ce24 Mon Sep 17 00:00:00 2001
From: Scott Gerlach
Date: Wed, 1 Apr 2026 10:42:35 -0600
Subject: [PATCH 2/4] security: pin tibdex/github-app-token to SHA in prepare-release.yml
---
 .github/workflows/prepare-release.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index c6a7ae0..ed678f6 100644
--- a/.github/workflows/prepare-release.yml
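Review bot: The three comment lines added above `uses:` restate the SHA that the trailing `# v2.1.0` annotation already carries, and their wording differs between this hunk and `@@ -96,7 +99,10 @@` (and again across the three hunks of PATCH 2/4), so the same fix is documented four different ways; one line such as `# Pinned to a commit SHA (TeamPCP finding 2); the trailing tag comment is what Dependabot/Renovate key SHA updates off` says the same with a single copy of the hash. Both pins introduced here are removed again by PATCH 3/4 (and those in prepare-release.yml by PATCH 4/4), so squashing each pin commit into the commit that replaces it would keep a pin that never ships out of history. The `steps:` list and job enclosing this hunk begin outside the diff.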
+++ b/.github/workflows/prepare-release.yml
@@ -52,7 +52,10 @@ jobs:
 pip install .
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA instead of
+ # mutable @v2 tag. Mutable tags can be silently redirected to malicious commits.
+ # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 with:
 app_id: ${{ secrets.HAWKY_APP_ID }}
 private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
@@ -87,7 +90,9 @@ jobs:
 fetch-depth: 0
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA.
+ # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 with:
 app_id: ${{ secrets.HAWKY_APP_ID }}
 private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
@@ -132,7 +137,9 @@ jobs:
 pip install .
 - name: Generate GitHub App token
 id: generate_token
- uses: tibdex/github-app-token@v2
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA.
+ # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
 with:
 app_id: ${{ secrets.HAWKY_APP_ID }}
 private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
@@ -151,4 +158,4 @@ jobs:
 run: bumpver update --patch --commit
 - name: Push patch version bump commit
 run: |
- git push origin HEAD:main
\ No newline at end of file
+ git push origin HEAD:main
From 4cd7e59fb1da075cc165dd783e6affae99427e77 Mon Sep 17 00:00:00 2001
From: Scott Gerlach
Date: Wed, 1 Apr 2026 11:30:40 -0600
Subject: [PATCH 3/4] security: switch to actions/create-github-app-token (official) in ci.yml
---
 .github/workflows/ci.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7dbadf4..9b2b283 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,13 +54,13 @@ jobs:
 persist-credentials: 'false'
 - name: Generate GitHub App token
 id: generate_token
- # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA instead of
- # mutable @v2 tag. Mutable tags can be silently redirected to malicious commits.
- # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action
+ # instead of third-party tibdex. Pinned to SHA for supply chain safety.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
@@ -102,10 +102,10 @@ jobs:
 # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA instead of
 # mutable @v2 tag.
 # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
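Review bot: In the second hunk, `@@ -102,10 +102,10 @@`, the `uses:` line is swapped but the three comment lines above it are kept as context, so the file now reads `# Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a` directly above `uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3`; the stale comment names a different action and a different commit, which is exactly what someone auditing the pin later will trip over. Rewrite it to match the first hunk, e.g. `# SECURITY FIX (Finding 2 - TeamPCP audit): official GitHub-maintained action, pinned to SHA.` and `# actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859`. In both hunks the trailing `# v3` only names the floating major alias; recording the exact release tag the SHA was taken from makes the pin checkable against the upstream release and is what SHA-aware update tooling reads (the same applies to all three hunks of PATCH 4/4). The jobs enclosing both hunks start and end outside the diff.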
From 181be4311bc4011962aa2eefa7191d4e8f92195d Mon Sep 17 00:00:00 2001
From: Scott Gerlach
Date: Wed, 1 Apr 2026 11:31:25 -0600
Subject: [PATCH 4/4] security: switch to actions/create-github-app-token (official) in prepare-release.yml
---
 .github/workflows/prepare-release.yml | 32 +++++++++++++--------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index ed678f6..7f08608 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -52,13 +52,13 @@ jobs:
 pip install .
 - name: Generate GitHub App token
 id: generate_token
- # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA instead of
- # mutable @v2 tag. Mutable tags can be silently redirected to malicious commits.
- # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action
+ # instead of third-party tibdex. Pinned to SHA for supply chain safety.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
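Review bot: The new `actions/create-github-app-token` step passes only `app-id` and `private-key`, so the installation token it mints carries every permission the app holds on every repository it is installed in, while the only consumer visible in the hunk is `git remote set-url` for `${{ github.repository }}`; adding `repositories: ${{ github.event.repository.name }}` (and, if the pinned release supports the per-permission inputs, `permission-contents: write`) narrows what a leaked token could do, and the same applies to `@@ -90,12 +90,12 @@`, `@@ -137,12 +137,12 @@` and both hunks of PATCH 3/4. The context line that embeds `${{ steps.generate_token.outputs.token }}` in the remote URL is pre-existing, but it leaves the token in `.git/config` for the rest of the job, where later steps and anything that archives the workspace can read it; the action's default post-job revocation bounds that exposure only once the job ends. Since the token step is being reworked anyway, this is the moment to hand the token to git through a credential helper or `http.extraheader` rather than the URL. The job enclosing this hunk starts outside the diff.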
@@ -90,12 +90,12 @@ jobs:
 fetch-depth: 0
 - name: Generate GitHub App token
 id: generate_token
- # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA.
- # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pulling latest
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
@@ -137,12 +137,12 @@ jobs:
 pip install .
 - name: Generate GitHub App token
 id: generate_token
- # SECURITY FIX (Finding 2 - TeamPCP audit): Pinned to commit SHA.
- # Pin: v2.1.0 -> sha 3beb63f4bd073e61482598c45c71c1019b59b73a
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+ # SECURITY FIX (Finding 2 - TeamPCP audit): Using official GitHub-maintained action.
+ # actions/create-github-app-token v3 -> sha f8d387b68d61c58ab83c6c016672934102569859
+ uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3
 with:
- app_id: ${{ secrets.HAWKY_APP_ID }}
- private_key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
+ app-id: ${{ secrets.HAWKY_APP_ID }}
+ private-key: ${{ secrets.HAWKY_APP_PRIVATE_KEY }}
 - name: Set up git for pushing
 run: |
 git remote set-url origin https://x-access-token:${{ steps.generate_token.outputs.token }}@github.com/${{ github.repository }}.git
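Review bot: The hunk at `@@ -90,12 +90,12 @@` mints the token for a step named `Set up git for pulling latest`, which by its name only fetches, yet the request has no scoping inputs, so that job holds a token with the app's full write permissions for read-only work; if the pinned release supports the per-permission inputs, `permission-contents: read` together with `repositories: ${{ github.event.repository.name }}` would give this job a token that cannot push even if it leaks, while the push job at `@@ -137,12 +137,12 @@` keeps `write`. Whether the two hunks belong to the same job or different ones cannot be seen here, since both enclosing `steps:` lists begin outside the diff.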