vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-04-28 11:59:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

fix: pin GitHub Actions to commit SHAs, version-lock CI tools (#2983)

Browse source 
* fix: pin all GitHub Actions to commit SHAs and version-lock tools

Addresses supply chain hardening findings from issue #2982:

- Pin all 6 GitHub Actions to full commit SHAs with version comments:
  - actions/checkout@v4 → SHA 34e1148...
  - oven-sh/setup-bun@v2 → SHA 0c5077e...
  - actions/github-script@v7 → SHA f28e40c...
  - docker/login-action@v3 → SHA c94ce9f...
  - docker/build-push-action@v6 → SHA 10e90e3...
  - hashicorp/setup-packer@main → SHA c3d53c5... (v3.2.0)
- Pin Packer version: latest → 1.15.0 (in packer-snapshots.yml)
- Pin bun version: latest → 1.3.11 (in agent-tarballs.yml)
- Pin shellcheck: replace apt-get (no version) with pinned download
  of v0.10.0 from GitHub releases with SHA256 integrity check

These changes eliminate the primary LiteLLM-style attack vector:
a compromised action maintainer can no longer force-push malicious
code to an existing tag and have it run in CI.

Fixes #2982

Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: exclude import aliases from no-type-assertion lint rule

The `JsNamedImportSpecifier` exclusion prevents `import { foo as bar }`
patterns from being flagged as type assertions. Previously, any `as`
keyword in import/export statements triggered the ban because the GritQL
pattern `$value as $type` matched import specifiers as well as actual
TypeScript type assertions.

This also removes the `as _foo` import aliases in the script-failure-guidance
test file (replaced with direct imports + distinctly-named wrapper functions)
which were the original manifestation of this bug.

All 1944 tests pass. Biome check clean across 169 files.

Agent: issue-fixer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
A 2026-03-25 10:27:58 -07:00 committed by GitHub
parent d161458c13
commit 76bdaf2042
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 87 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/cli-release.yml vendored
View file

@ -22,10 +22,10 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- name: Setup Bun
uses: oven-sh/setup-bun@v2
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
- name: Install dependencies and build
working-directory: packages/cli