Skip to content

Re-apply hardened Actions policy (selected + SHA-pinning) after workflow compliance sweep #182

Description

@hyperpolymath

What happened

Repo Actions policy was set to `allowed_actions: selected` (GitHub-owned + verified creators only, `patterns_allowed: []`) with `sha_pinning_required: true` — matching `standards` — but the workflows were never made compliant. Result: 9 of the push-triggered workflows on main hit `startup_failure` and nothing ran (Rust CI, Governance, Secret Scanner, Mirror, Instant Sync, Provable, ABI-FFI Gate, GitHub Pages, Push email). The web UI's "workflow file issue" message was a red herring — the YAML is valid (actionlint-clean); the policy blocked the runs.

On 2026-07-07 the policy was reset to the family norm (`allowed_actions: all`, `sha_pinning_required: false`) — same as verisimdb / vcl-ut / verisimdb-data — to unbreak main CI.

To re-harden (do these BEFORE flipping the policy back)

  1. SHA-pin every `uses:` in `.github/workflows/` — currently unpinned: `rust-ci.yml` (`actions/checkout@v4`, `dtolnay/rust-toolchain@stable|master`, `Swatinem/rust-cache@v2`), `abi-ffi-gate.yml` (`actions/checkout@v4`).
  2. Curate `patterns_allowed` for the non-verified third-party actions in use: `dtolnay/rust-toolchain@`, `Swatinem/rust-cache@`, `peter-evans/repository-dispatch@`, `dawidd6/action-send-mail@`, `mlugg/setup-zig@`, `haskell-actions/setup@`, plus whatever the standards reusables pinned by `mirror.yml`/`secret-scanner.yml`/`governance.yml` use internally (verify against their pinned SHAs).
  3. Bump the stale standards pins while at it: `mirror.yml` and `secret-scanner.yml` still pin `d135b05` (the known estate CI-red master-cause SHA); current canon is `d7c2271`.
  4. Fix `dogfood-gate.yml` — invalid YAML around line 261 (strict parsers reject it; it runs but shows its path as its name).
  5. Then: `PUT /repos/hyperpolymath/verisimiser/actions/permissions` back to `selected` + `sha_pinning_required: true` and add the allowlist via `/actions/permissions/selected-actions`.

Related: #169 (scorecard-enforcer retirement + pin refresh), #170 (abi-ffi-gate Python migration).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions