
feat: pin GitHub Actions to SHA hashes and add security linters #5

Merged
mpartipilo merged 2 commits into main from security/pin-actions-sha
Apr 1, 2026

Conversation

@mpartipilo (Collaborator)

Summary

  • Pin all external GitHub Actions to immutable commit SHAs (instead of mutable tags) across all workflow files to prevent supply chain attacks
  • Add tools/linter_actions_pinned.sh as a CI step in the preflight job to enforce SHA pinning going forward
  • Add tools/linter_hidden_unicode.sh and a pull_request_target workflow to detect hidden/invisible Unicode characters in PR diffs (trojan-source prevention)

Motivation

Mutable tags can be moved to point at malicious commits — this happened in practice with tj-actions/changed-files (CVE-2025-30066). SHA pinning makes this impossible. The hidden Unicode linter guards against trojan-source attacks where invisible characters manipulate code rendering.

Based on patterns from weaviate/weaviate#10907 and weaviate/weaviate#10909.

Test plan

  • bash tools/linter_actions_pinned.sh passes locally (all actions verified as SHA-pinned)
  • linter_hidden_unicode.sh --stdin correctly detects zero-width space (U+200B) in test input
  • linter_hidden_unicode.sh --stdin passes clean input without false positives
  • CI pipeline runs successfully with SHA-pinned actions

🤖 Generated with Claude Code

Prevent supply chain attacks by replacing mutable tag references with
immutable commit SHAs across all workflow files. Add CI linter to
enforce SHA pinning and a PR security workflow to detect hidden Unicode
characters (trojan-source prevention).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
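
The pinning rule described in the summary above, as an added example rather than the repository's own tools/linter_actions_pinned.sh: a small POSIX shell linter that pulls every `uses:` value out of workflow files and accepts only `owner/repo[/subdir]@<40-hex commit SHA>`, skipping local actions and `docker://` images. The sample workflow, the function names and the all-hex placeholder SHA are constructed for illustration and are not from the project.

```shell
#!/bin/sh
# Added example (not the repository's tools/linter_actions_pinned.sh):
# reject any external action reference that is not pinned to a full commit SHA.

# Print "file: ref" for every external `uses:` value in the given workflow
# files that is not of the form owner/repo[/subdir]@<40 lowercase hex chars>.
# Local actions (./path) and container images (docker://...) are skipped.
find_unpinned_actions() {
  for file in "$@"; do
    # Extract the value of each "uses:" key, dropping quotes and a trailing
    # "# vX.Y.Z" comment (the comment is the conventional place to record
    # which tag the SHA corresponds to, so update tooling can bump it).
    sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*["'\'']?([^"'\''#[:space:]]+).*$/\1/p' "$file" |
    while IFS= read -r ref; do
      case "$ref" in
        ./*|docker://*) continue ;;
      esac
      printf '%s\n' "$ref" |
        grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(/[^@]+)?@[0-9a-f]{40}$' ||
        printf '%s: %s\n' "$file" "$ref"
    done
  done
}

# CI entry point: return 1 (and list offenders on stderr) if anything is unpinned.
check_actions_pinned() {
  unpinned=$(find_unpinned_actions "$@")
  if [ -n "$unpinned" ]; then
    printf 'unpinned action reference(s):\n%s\n' "$unpinned" >&2
    return 1
  fi
  return 0
}

# Constructed sample workflow (not one of the repository's files). The SHA is a
# placeholder; a real pin must name a commit that actually exists in that repo.
WORKFLOW=$(mktemp)
cat > "$WORKFLOW" <<'EOF'
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                   # mutable tag: rejected
      - uses: actions/setup-dotnet@v4.0.0           # mutable tag: rejected
      - uses: actions/upload-artifact@main          # branch: rejected
      - uses: ./.github/actions/local-step          # local action: skipped
      - uses: "actions/checkout@0123456789abcdef0123456789abcdef01234567" # vX.Y.Z placeholder, pinned: accepted
      - run: dotnet test
EOF

if check_actions_pinned "$WORKFLOW"; then
  echo "all external actions are SHA-pinned"
else
  echo "preflight would fail here"
fi
```

Two caveats a reviewer would want stated: the check only proves the reference is immutable, not that the SHA belongs to the named repository or matches the version comment beside it (Dependabot or Renovate keep that comment and the SHA in step together), and it says nothing about what the pinned action itself pulls in at run time, such as its own `uses:` steps or package downloads.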

@orca-security-eu orca-security-eu Bot left a comment

Orca Security Scan Summary

Status  Check                   Issues by priority
Passed  Infrastructure as Code  high 0, medium 0, low 0, info 0
Passed  SAST                    high 0, medium 0, low 0, info 0
Passed  Secrets                 high 0, medium 0, low 0, info 0
Passed  Vulnerabilities         high 0, medium 0, low 0, info 0

github-actions Bot commented Apr 1, 2026

Summary - Weaviate C# Client Coverage

Summary
Generated on: 04/01/2026 - 21:36:35
Coverage date: 04/01/2026 - 21:35:21 - 04/01/2026 - 21:36:01
Parser: MultiReport (24x Cobertura)
Assemblies: 1
Classes: 109
Files: 79
Line coverage: 49.7% (3128 of 6285)
Covered lines: 3128
Uncovered lines: 3157
Coverable lines: 6285
Total lines: 15240
Branch coverage: 42.2% (1025 of 2428)
Covered branches: 1025
Total branches: 2428
Method coverage: Feature is only available for sponsors

Coverage

Weaviate.Client.Managed - 49.7%
Name Line Branch
Weaviate.Client.Managed 49.7% 42.2%
Weaviate.Client.Managed.Aggregates.AggregateStarter`1 35.2% 50%
Weaviate.Client.Managed.Aggregates.ContextAggregateBuilder`1 0% 0%
Weaviate.Client.Managed.Aggregates.GroupedAggregateStarter`1 0%
Weaviate.Client.Managed.Aggregates.GroupedContextAggregateBuilder`1 0%
Weaviate.Client.Managed.Aggregates.MetricsBuilder`1 0% 0%
Weaviate.Client.Managed.Attributes.EncodingAttribute 0%
Weaviate.Client.Managed.Attributes.GenerativeAttribute`1 100%
Weaviate.Client.Managed.Attributes.IndexAttribute 0%
Weaviate.Client.Managed.Attributes.InvertedIndexAttribute 0%
Weaviate.Client.Managed.Attributes.MapFromAttribute 100%
Weaviate.Client.Managed.Attributes.MetadataPropertyAttribute 100%
Weaviate.Client.Managed.Attributes.MetricsAttribute 100% 50%
Weaviate.Client.Managed.Attributes.NestedTypeAttribute 0%
Weaviate.Client.Managed.Attributes.OnCollectionConfig 100%
Weaviate.Client.Managed.Attributes.PropertyAttribute 100%
Weaviate.Client.Managed.Attributes.QuantizerAttribute 0%
Weaviate.Client.Managed.Attributes.QuantizerBQ 0%
Weaviate.Client.Managed.Attributes.QuantizerPQ 0%
Weaviate.Client.Managed.Attributes.QuantizerRQ 0%
Weaviate.Client.Managed.Attributes.QuantizerSQ 0%
Weaviate.Client.Managed.Attributes.QueryAggregateAttribute`1 0%
Weaviate.Client.Managed.Attributes.QueryProjectionAttribute`1 50%
Weaviate.Client.Managed.Attributes.ReferenceAttribute 20%
Weaviate.Client.Managed.Attributes.RerankerAttribute`1 85.7%
Weaviate.Client.Managed.Attributes.TokenizationAttribute 0%
Weaviate.Client.Managed.Attributes.VectorAttribute 100%
Weaviate.Client.Managed.Attributes.VectorAttribute`1 63.6%
Weaviate.Client.Managed.Attributes.VectorAttributeBase 100%
Weaviate.Client.Managed.Attributes.VectorIndexAttribute`1 0%
Weaviate.Client.Managed.Attributes.VectorIndexAttributeBase 0%
Weaviate.Client.Managed.Attributes.WeaviateCollectionAttribute 100%
Weaviate.Client.Managed.Context.BatchOperation 100%
Weaviate.Client.Managed.Context.CollectionSet`1 33.6% 47.2%
Weaviate.Client.Managed.Context.CollectionSetDiscovery 100% 100%
Weaviate.Client.Managed.Context.CollectionSetInfo 100%
Weaviate.Client.Managed.Context.DeleteOperation`1 100%
Weaviate.Client.Managed.Context.IdPropertyHelper 84.2% 80%
Weaviate.Client.Managed.Context.InsertOperation`1 100%
Weaviate.Client.Managed.Context.PendingBatch 34.8% 26.1%
Weaviate.Client.Managed.Context.PendingDelete`1 47% 0%
Weaviate.Client.Managed.Context.PendingInsert`1 100% 100%
Weaviate.Client.Managed.Context.PendingReference`1 0%
Weaviate.Client.Managed.Context.PendingUpdate`1 0% 0%
Weaviate.Client.Managed.Context.UpdateOperation`1 100%
Weaviate.Client.Managed.Context.WeaviateAdmin 45.4%
Weaviate.Client.Managed.Context.WeaviateContext 44.6% 18.1%
Weaviate.Client.Managed.Context.WeaviateContextOptions 100%
Weaviate.Client.Managed.Context.WeaviateContextOptionsBuilder 100%
Weaviate.Client.Managed.DependencyInjection.WeaviateContextInitializationService`1 0%
Weaviate.Client.Managed.DependencyInjection.WeaviateManagedServiceCollectionExtensions 81.8% 80%
Weaviate.Client.Managed.Examples.Article 0%
Weaviate.Client.Managed.Examples.Author 0%
Weaviate.Client.Managed.Examples.BlogPost 0%
Weaviate.Client.Managed.Examples.Category 0%
Weaviate.Client.Managed.Examples.Comment 0%
Weaviate.Client.Managed.Examples.Product 0%
Weaviate.Client.Managed.Examples.ResearchPaper 0%
Weaviate.Client.Managed.Examples.UsageExamples 0%
Weaviate.Client.Managed.Examples.User 0%
Weaviate.Client.Managed.Extensions.CollectionClientExtensions 100%
Weaviate.Client.Managed.Extensions.CollectionMigrationExtensions 0% 0%
Weaviate.Client.Managed.Extensions.DataClientExtensions 32.8% 16%
Weaviate.Client.Managed.Extensions.GeoCoordinateExtensions 0%
Weaviate.Client.Managed.Extensions.ManagedCollectionExtensions 79.1% 100%
Weaviate.Client.Managed.Extensions.QueryResultExtensions 25% 16.6%
Weaviate.Client.Managed.Extensions.WeaviateClientExtensions 100% 50%
Weaviate.Client.Managed.GroupedAggregateBuilder`2 88%
Weaviate.Client.Managed.Internal.PropertyHelper 43.4% 17.8%
Weaviate.Client.Managed.ManagedCollection`1 21.6% 0%
Weaviate.Client.Managed.ManagedCollectionAggregateBuilder`1 0% 0%
Weaviate.Client.Managed.Mapping.ManagedObjectMapper 50% 44.4%
Weaviate.Client.Managed.Mapping.MetadataMapper 62.2% 39.2%
Weaviate.Client.Managed.Mapping.ProjectionMapper 53.4% 45.6%
Weaviate.Client.Managed.Mapping.PropertyMapper 61.5% 55.8%
Weaviate.Client.Managed.Mapping.ReferenceMapper 3.2% 2.2%
Weaviate.Client.Managed.Mapping.VectorMapper 21.9% 16.6%
Weaviate.Client.Managed.MetricsExtractor 50.7% 36.1%
Weaviate.Client.Managed.Migrations.MigrationPlan 0% 0%
Weaviate.Client.Managed.Migrations.SchemaChange 100%
Weaviate.Client.Managed.Migrations.SchemaDiffer 72.9% 75.4%
Weaviate.Client.Managed.Models.BatchInsertError`1 0%
Weaviate.Client.Managed.Models.BatchInsertException`1 0% 0%
Weaviate.Client.Managed.Models.GenerativeQueryResponse`1 60%
Weaviate.Client.Managed.Models.GenerativeQueryResult`1 50%
Weaviate.Client.Managed.Models.GroupByGroup`1 0%
Weaviate.Client.Managed.Models.GroupByQueryResponse`1 66.6%
Weaviate.Client.Managed.Models.GroupByQueryResult`1 0%
Weaviate.Client.Managed.Models.QueryResult`1 75%
Weaviate.Client.Managed.Query.CollectionMapperQueryClient`1 73.5% 52.7%
Weaviate.Client.Managed.Query.ExpressionToFilterConverter 53.9% 37.7%
Weaviate.Client.Managed.Query.GenerativeQueryExecutor`1 65.1%
Weaviate.Client.Managed.Query.GroupByQueryExecutor`1 44.1% 75%
Weaviate.Client.Managed.Query.HybridConfig 0%
Weaviate.Client.Managed.Query.NearMediaConfig 0%
Weaviate.Client.Managed.Query.NearObjectConfig 0%
Weaviate.Client.Managed.Query.NearTextConfig 0%
Weaviate.Client.Managed.Query.NearVectorConfig 0%
Weaviate.Client.Managed.Query.PendingOp 100%
Weaviate.Client.Managed.Query.ProjectedQueryClient`2 52.9% 62.5%
Weaviate.Client.Managed.Query.QueryConfig`1 44.4%
Weaviate.Client.Managed.Query.TargetVectorBuilder`1 48.9% 38.4%
Weaviate.Client.Managed.Query.WeaviateQueryable`1 41.3% 37.9%
Weaviate.Client.Managed.Query.WeaviateQueryableExtensions 21% 21.4%
Weaviate.Client.Managed.Query.WeaviateQueryConfig 40.9%
Weaviate.Client.Managed.Query.WeaviateQueryProvider`1 63.1% 42.7%
Weaviate.Client.Managed.Schema.CollectionSchemaBuilder 65.4% 60%
Weaviate.Client.Managed.Schema.VectorConfigBuilder 47.8% 50.8%
Weaviate.Client.Managed.TypedAggregateBuilder`2 78.9% 0%
Weaviate.Client.Managed.WeaviateManagedClient 0% 0%

- Narrow +++ exclusion to only match real diff headers, preventing
  attackers from evading scanning with +++prefixed lines
- Escape filenames in GitHub Actions annotations to prevent command
  injection via crafted PR filenames
- Add git ref validation with clear error on missing refs
- Add pull-requests: read permission required by gh pr diff

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
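
The two hardening points in the commit message above, scanning every added line except genuine `+++ b/...` headers and escaping file names before they reach a `::error` annotation, as an added example that is not the repository's tools/linter_hidden_unicode.sh. The function names, the list of invisible code points and the sample diff (including its crafted `tools/a:b,c.sh` path) are constructed; the property encoding follows GitHub's documented workflow-command escaping (`%` to `%25`, CR to `%0D`, `:` to `%3A`, `,` to `%2C`) as implemented in @actions/core.

```shell
#!/bin/sh
# Added example (not the repository's tools/linter_hidden_unicode.sh): scan the
# added lines of a unified diff for invisible Unicode and report each hit as a
# GitHub Actions annotation with a safely escaped file name.

# UTF-8 byte patterns for the invisible code points checked here (a constructed,
# non-exhaustive list): U+200B-U+200F, U+202A-U+202E and U+2066-U+2069 (the bidi
# controls used by trojan-source), U+2060-U+2064, U+FEFF and U+00AD.
HIDDEN_UTF8=$(printf '\342\200[\213-\217\252-\256]|\342\201[\240-\244\246-\251]|\357\273\277|\302\255')

# Encode a value for a workflow-command property (file=, line=) the way
# @actions/core does, so a crafted file name cannot smuggle in extra
# properties or a second command: '%' first, then CR, ':' and ','.
escape_property() {
  cr=$(printf '\r')
  printf '%s' "$1" | sed -e 's/%/%25/g' -e "s/$cr/%0D/g" -e 's/:/%3A/g' -e 's/,/%2C/g'
}

# Read a unified diff on stdin. Only genuine file headers ("+++ b/<path>" and
# "+++ /dev/null") are treated as headers; an added line whose content starts
# with "++" still carries a single diff marker in front and is scanned.
# Returns 1 if any added line contains a hidden character.
scan_diff_hidden_unicode() {
  file='' lineno=0 found=0
  while IFS= read -r line; do
    case "$line" in
      '+++ b/'*)        file=${line#"+++ b/"}; continue ;;
      '+++ /dev/null')  file=''; continue ;;
      '@@ '*)
        # "@@ -a,b +c,d @@": c is the first line number on the new side
        lineno=${line#*+}; lineno=${lineno%%[!0-9]*}; continue ;;
      '+'*)
        if printf '%s\n' "${line#+}" | LC_ALL=C grep -Eq "$HIDDEN_UTF8"; then
          printf '::error file=%s,line=%s::hidden Unicode character in added line\n' \
            "$(escape_property "$file")" "$lineno"
          found=1
        fi
        lineno=$((lineno + 1)) ;;
      ' '*)  lineno=$((lineno + 1)) ;;   # context line: advances the new side only
      *)     ;;                          # removed lines, "diff --git", "index", etc.
    esac
  done
  return $found
}

# Constructed sample diff: a zero-width space hidden in a string literal, an
# added line whose content begins with "++", and a path containing ':' and ','.
ZWSP=$(printf '\342\200\213')   # U+200B
SAMPLE_DIFF=$(mktemp)
cat > "$SAMPLE_DIFF" <<EOF
diff --git a/src/Auth.cs b/src/Auth.cs
--- a/src/Auth.cs
+++ b/src/Auth.cs
@@ -10,5 +10,6 @@ class Auth
 public bool Check(string user)
 {
-    return user == "admin";
+    return user == "admin${ZWSP}";
+++ this added line starts with "++" and must still be scanned${ZWSP}
     return true;
 }
diff --git a/tools/a:b,c.sh b/tools/a:b,c.sh
new file mode 100644
--- /dev/null
+++ b/tools/a:b,c.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+echo hi${ZWSP}
EOF

if scan_diff_hidden_unicode < "$SAMPLE_DIFF"; then
  echo "no hidden Unicode in added lines"
else
  echo "hidden Unicode found; see annotations above"
fi
```

Run against the sample, this reports `src/Auth.cs` lines 12 and 13 and `tools/a%3Ab%2Cc.sh` line 2. Because the workflow that feeds it runs on `pull_request_target`, the diff should come from the API (the commit message's `gh pr diff` with `pull-requests: read`) and the job must never check out or execute the pull request's own code with the base repository's token.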
@mpartipilo mpartipilo enabled auto-merge (squash) April 1, 2026 21:37
@mpartipilo mpartipilo disabled auto-merge April 1, 2026 21:40
@mpartipilo mpartipilo merged commit 00ad45d into main Apr 1, 2026
17 checks passed