ci: pin all GitHub Actions to commit SHAs for supply-chain safety #5
Open
Signed-off-by: Rahul Tripathi <rahul@Rahuls-Mac-mini.local>
Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>

fix(satp-hermes): fix getOAS

Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>

chore: update supported ledgers

Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>
Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>
…acti#4150) Replaced vulnerable `pull_request_target` with `pull_request`. Wrapped `echo` arguments in quotes to guard against command injections. Signed-off-by: VRamakrishna <vramakr2@in.ibm.com>
Replace Promise.all with Promise.allSettled so a single plugin failure during shutdown does not abort HTTP/gRPC server cleanup. Log the plugin instance ID when a shutdown failure occurs. Fixes hyperledger-cacti#4160 Signed-off-by: mn-ram <235066282+mn-ram@users.noreply.github.com>
Signed-off-by: Dev10-sys <kalpanagola9897@gmail.com>
Consolidates 10 recent dependabot PRs (hyperledger-cacti#4228, hyperledger-cacti#4225, hyperledger-cacti#4224, hyperledger-cacti#4220, hyperledger-cacti#4219, hyperledger-cacti#4218, hyperledger-cacti#4217, hyperledger-cacti#4214, hyperledger-cacti#4213, and hyperledger-cacti#4210) into a single update.

| Package | From | To |
| --- | --- | --- |
| [@angular/compiler](https://github.com/angular/angular) | 17.3.11 | 19.2.20 |
| [@angular/core](https://github.com/angular/angular) | 17.3.11 | 19.2.20 |
| [ajv](https://github.com/ajv-validator/ajv) | 8.17.1 | 8.18.0 |
| [axios](https://github.com/axios/axios) | 1.13.4 | 1.15.0 |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | 5.1.0 | 5.2.2 |
| [diff](https://github.com/kpdecker/jsdiff) | - | (updated) |
| [dompurify](https://github.com/cure53/DOMPurify) | 3.3.1 | 3.3.3 |
| [fastify](https://github.com/fastify/fastify) | 4.28.1 | 5.8.3 |
| [flatted](https://github.com/WebReflection/flatted) | 3.3.3 | 3.4.2 |
| [immutable](https://github.com/immutable-js/immutable-js) | 4.3.7 | 4.3.8 |
| [lodash](https://github.com/lodash/lodash) | 4.17.23 | 4.18.1 |
| [markdown-it](https://github.com/markdown-it/markdown-it) | 14.1.0 | 14.1.1 |
| [multer](https://github.com/expressjs/multer) | 1.4.5-lts.1 | 2.1.1 |
| [picomatch](https://github.com/micromatch/picomatch) | - | (updated) |
| [qs](https://github.com/ljharb/qs) | 6.13.0 | 6.14.2 |
| [rollup](https://github.com/rollup/rollup) | 2.79.2 | 2.80.0 |
| [simple-git](https://github.com/steveukx/git-js) | 3.19.1 | 3.32.3 |
| [sjcl](https://github.com/bitwiseshiftleft/sjcl) | 1.0.8 | 1.0.9 |
| [undici](https://github.com/nodejs/undici) | 7.8.0 | 7.24.0 |
| [webpack](https://github.com/webpack/webpack) | 5.94.0 | 5.104.1 |
| [yaml](https://github.com/eemeli/yaml) | 1.10.2 | 1.10.3 |

All dependency updates from April 10-13, 2026 are included in this single commit.

Supersedes PRs: hyperledger-cacti#4228, hyperledger-cacti#4225, hyperledger-cacti#4224, hyperledger-cacti#4220, hyperledger-cacti#4219, hyperledger-cacti#4218, hyperledger-cacti#4217, hyperledger-cacti#4214, hyperledger-cacti#4213, hyperledger-cacti#4210

Signed-off-by: Sandeep Nishad <sandeepn.official@gmail.com>
- Add pre-check step to display commit messages with line numbers and character counts
- Fix config file reference from commitlint.config.mjs to commitlint.config.js
- Add verbose logging and proper error handling
- Fix shellcheck issues (use -r flag with read, proper variable quoting)
- Increase header-max-length from 72 to 80 characters
- Increase body-max-line-length from 80 to 102 characters
- Increase footer-max-line-length from 80 to 102 characters

This helps identify exactly which lines violate the character limits and provides more flexibility for detailed commit messages.

Signed-off-by: Sandeep Nishad <sandeepn.official@gmail.com>
- Add `Discovery` tab to Fabric App for showing discovered fabric network components by MSP.
- Update README.
- Fix responsiveness of main App selection screen.
Depends on hyperledger-cacti#3837
Closes hyperledger-cacti#3554
Signed-off-by: Michal Bajer <michal.bajer@fujitsu.com>
The mintAsset, burnAsset, and assignAsset methods in Stage 3 services were calling persistLogEntry() and storeProof() without await, causing fire-and-forget promises that lead to unhandled rejections, silent proof loss, and potential duplicate blockchain transactions on crash recovery.

Also fix the inverted condition in stage3ServerService that was bypassing commonBodyVerifier on every real request. The three server-side validation functions (checkCommitPreparationRequest, checkCommitFinalAssertionRequest, checkTransferCompleteRequest) wrapped the commonBodyVerifier call inside if (request.common == undefined), so all Stage 3 protocol checks (version, sequence number, session id, gateway pubkeys, hash chain integrity, message type) were skipped before critical blockchain operations. Aligns stage3-server-service with the other stage services that call commonBodyVerifier unconditionally.

Fixes hyperledger-cacti#4167

Signed-off-by: mn-ram <235066282+mn-ram@users.noreply.github.com>
…teps Signed-off-by: Dev10-sys <kalpanagola9897@gmail.com>
Signed-off-by: Rahul Tripathi <rahul@Rahuls-Mac-mini.local>
Signed-off-by: Sandeep Nishad <sandeepn.official@gmail.com>
Pins remaining floating `actions/*` and `docker/login-action` references under `.github/` to the exact commit SHAs this repository already uses where pinning is in place. Floating major/minor tags are mutable and represent a supply-chain hazard (see the March 2025 `tj-actions/changed-files` compromise); the majority of this repo already SHA-pins its actions, so this PR aligns the stragglers with the existing convention.

Pins applied (pin target = SHA already running elsewhere in this repository):

- actions/cache -> d4323d4 #v4.2.2
- actions/checkout -> 692973e #v4.1.7
- actions/setup-node -> 1e60f62 #v4.0.3
- actions/setup-go -> 4d34df0 #v4.0.0
- actions/setup-java -> 5ffc13f #v3.11.0
- actions/upload-artifact -> 6546280 #v4.3.3
- actions/download-artifact -> fa0a91b #v4.1.8
- actions/create-release -> 0cb9c9b #v1
- docker/login-action -> 9780b0c #v3.3.0

Note on `actions/setup-node`: `.github/actions/copm_test/action.yaml` previously resolved `@v4.0.2`. That single patch is aligned here to `@v4.0.3` so the whole repository converges on one pin, matching every other `setup-node` reference already pinned in the tree.

Explicitly out of scope in this PR (no established SHA pin exists in the repository yet, or the known candidate SHA is not viable at runtime): `foundry-rs/foundry-toolchain`, `docker/build-push-action`, `docker/setup-buildx-action`, `actions/configure-pages`, `actions/upload-pages-artifact`, `actions/deploy-pages`, and `dorny/test-reporter`. A follow-up PR will introduce initial pins for those once target versions are reviewed.

No workflow or action semantics change; each replaced reference resolves to the same release this repository already ships with elsewhere.

Signed-off-by: mn-ram <235066282+mn-ram@users.noreply.github.com>
Summary

Pins all remaining GitHub Actions in `.github/` to fixed SHAs (64 refs, 15 files).

Why

Floating tags (`@v4`, `@v5`) are mutable. This aligns with existing SHA pinning and improves security.

Changes

main)

Out of scope

Will pin separately: `docker/build-push-action`, `docker/setup-buildx-action`, `actions/pages*`, `dorny/test-reporter`.

Test plan
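The convention this PR applies (a full commit SHA followed by a `# vX.Y.Z` comment, with floating tags treated as a supply-chain hazard) can be checked mechanically in CI before a merge reintroduces a mutable ref. The script below is an added example, not code from the PR or the hyperledger-cacti repository; the workflow snippet and SHAs in it are constructed placeholders, and the `audit_workflow` / `Finding` names are assumptions of the example.

```python
"""Audit GitHub Actions `uses:` references for mutable (floating) refs.
Added example, not code from the PR or the repository. Convention checked:
a full 40-hex commit SHA followed by a `# vX.Y.Z` comment naming the release."""
import re
from typing import NamedTuple

# `uses: owner/repo[/path]@ref` plus optional `# comment`; local `./path`
# actions and `docker://` images lack this shape and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S+))?\s*$"
)

class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    problem: str  # floating-tag | short-sha | missing-version-comment

def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that violates the pinning convention."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if re.fullmatch(r"[0-9a-f]{40}", ref):
            if not comment:  # a bare SHA is opaque; the comment records the release
                findings.append(Finding(n, action, ref, "missing-version-comment"))
        elif re.fullmatch(r"[0-9a-f]{7,39}", ref):
            # abbreviated SHAs can become ambiguous as history grows; require 40 hex
            findings.append(Finding(n, action, ref, "short-sha"))
        else:
            # a tag or branch can be retargeted later to different code
            findings.append(Finding(n, action, ref, "floating-tag"))
    return findings

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4.0.3
      - uses: actions/cache@2222222222222222222222222222222222222222
      - uses: docker/login-action@abc1234
      - uses: ./.github/actions/local_step
"""
```

Run over every file under `.github/` and fail the job when the list is non-empty; the `short-sha` class catches the abbreviated form used in the PR text, which GitHub accepts but which does not carry the uniqueness guarantee of the full SHA.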