Pin privileged release workflow refs to immutable SHAs #645

Open
argareksapati wants to merge 1 commit into google:main from argareksapati:harden-release-workflow-pins-pr

Conversation

@argareksapati


This hardens RE2's privileged release workflows by replacing mutable GitHub Action and reusable workflow refs with immutable full commit SHAs.

Changed workflows:

  • .github/workflows/release.yml
  • .github/workflows/release-bazel.yml
  • .github/workflows/python.yml

Added regression guard:

  • .github/scripts/verify-release_workflow_pins.sh
  • .github/workflows/ci.yml

Why:

  • release.yml creates and uploads release artifacts with contents: write and id-token: write
  • release-bazel.yml invokes an external reusable workflow with contents: write, id-token: write, attestations: write, and BCR_PUBLISH_TOKEN
  • python.yml publishes to PyPI via trusted publishing with id-token: write

Pinning these refs reduces release-chain risk from mutable tags and improves auditability and reproducibility. The CI guard prevents regressions by rejecting non-local uses: refs in these release workflows unless they are pinned to full 40-character SHAs.

Validation:

  • local guard script passes:
    • .github/scripts/verify-release_workflow_pins.sh
  • git diff --check passes
  • not run end-to-end in GitHub Actions locally
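The regression guard the description refers to is not shown in this thread. The script below is an added example written for this page, not the PR's own .github/scripts/verify-release_workflow_pins.sh, implementing the same rule: every non-local `uses:` ref in a workflow file must be pinned to a full 40-hex-character commit SHA, and refs beginning with `./` are exempt. The two workflow files it scans are constructed samples with placeholder SHAs, not RE2's real workflows.

```shell
#!/bin/sh
# Added example, not the PR's .github/scripts/verify-release_workflow_pins.sh.
# Guard: every non-local `uses:` ref in a workflow file must be pinned to a
# full 40-hex-character commit SHA; refs starting with ./ (actions or reusable
# workflows inside this repository) are exempt because they move with the repo.

# extract_uses FILE: print the value of every `uses:` key, with quotes and
# trailing YAML comments removed, one ref per line.
extract_uses() {
    sed -nE 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//p' "$1" \
        | sed -E 's/#.*$//' \
        | tr -d "\"' "
}

# check_pins FILE: print each unpinned ref; return 0 if all refs are pinned,
# 1 otherwise (the exit code is what a CI job should key on).
check_pins() {
    rc=0
    for ref in $(extract_uses "$1"); do
        case "$ref" in
            ./*) continue ;;                  # local ref: no pin required
        esac
        if ! printf '%s\n' "$ref" | grep -qE '^[^@]+@[0-9a-f]{40}$'; then
            echo "unpinned: $ref"
            rc=1
        fi
    done
    return $rc
}

# count_unpinned FILE: number of offending refs, for reporting or tests.
count_unpinned() {
    check_pins "$1" | wc -l | tr -d ' '
}

# write_samples DIR: constructed sample workflows (placeholder SHAs, not RE2's
# real pins) so the script can be exercised offline.
write_samples() {
    cat > "$1/pinned.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: ./.github/actions/setup          # local ref: exempt
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: "actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef"
  publish:
    uses: example-org/publish@fedcba9876543210fedcba9876543210fedcba98
EOF
    cat > "$1/unpinned.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4              # mutable tag
      - uses: actions/setup-python@5.0.0       # version tag, still mutable
      - uses: ./local-action                   # local ref: exempt
  publish:
    uses: example-org/publish@main             # branch ref
EOF
}

main() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    check_pins "$tmp/pinned.yml" && echo "pinned.yml: all refs pinned"
    check_pins "$tmp/unpinned.yml" || echo "unpinned.yml: guard would fail CI"
    rm -rf "$tmp"
}
main
```

In a CI job the script would be pointed at the real release workflow files and its exit code used to fail the job; the version-tag case (`@5.0.0`) is flagged deliberately, since a tag can be moved even when it looks like a release number.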

@argareksapati argareksapati marked this pull request as ready for review July 1, 2026 04:11

1 participant