feat(security): publish-side hardening — SHA256SUMS, tags, pinned actions #3
Merged
…ned actions, threat model

Publish-side security plumbing. Consume-side (TF module hash verification) follows in a separate PR.

Workflow changes (.github/workflows/update.yml):
- Pin actions/checkout and actions/setup-python by commit SHA with version comments. Prevents transitive action supply-chain attacks.
- Verify SHA256SUMS in-place after generation (sha256sum -c) — catches local corruption before push.
- Tag every successful publication with v<YYYY.MM.DD>. Consumers pin a stable ?ref= instead of tracking main. Skip tag if it already exists (multiple runs same day).
- terraform.yml: pin actions/checkout + hashicorp/setup-terraform by SHA.

update_outputs.py:
- Generate docs/output/SHA256SUMS in GNU sha256sum format alongside the txt files. One line per .txt file: "<64-hex-digest> <filename>".
- Compatible with `sha256sum -c SHA256SUMS` and `shasum -a 256 -c`.
- Excludes SHA256SUMS itself (no chicken-and-egg).
- Directory index now links SHA256SUMS and shows the verify command.

Tests (test_update_outputs.py): 6 new — file emitted, GNU format, hashes match on-disk content, no self-reference, every txt file covered, index links it. 12/12 passing (was 6/6).

SECURITY.md: explicit threat model. Trust boundary (5 things you trust when consuming). Highest-leverage defense: pin to tag/SHA, never main. Defenses already in place. Recommended consumption patterns by paranoia level: default (tag pin), strict (SHA pin + hash verify), paranoid (vendor into your own repo). Manual integrity verification recipe. Reproducible-build verification recipe. Out-of-scope failure modes (GitHub itself, upstream Databricks compromise, solo-maintainer account takeover) named honestly.

Total tests: 39 Python (was 33) + 9 Terraform = 48/48 passing.
Summary
Publish-side security plumbing. Consume-side hardening (TF module hash verification with mock-based tests) follows in PR 4 — splitting because hash verification is cleanly testable only once SHA256SUMS is actually being published.
What changes
Workflow hardening
- `update.yml` — pin `actions/checkout` and `actions/setup-python` by commit SHA with version comments. Verify `SHA256SUMS` in-place after generation. Tag every successful publication as `v<YYYY.MM.DD>`. Skip tag if it already exists (multiple same-day runs).
- `terraform.yml` — pin `actions/checkout` and `hashicorp/setup-terraform` by commit SHA.

Integrity manifest
- `update_outputs.py` generates `docs/output/SHA256SUMS` in GNU sha256sum format (`<64-hex> <filename>`).
- `sha256sum -c SHA256SUMS` (Linux) and `shasum -a 256 -c` (macOS).
- `SHA256SUMS` from itself (no chicken-and-egg).

Threat model
- `SECURITY.md` — explicit trust boundary (5 things you trust when consuming), highest-leverage defense (pin to tag/SHA, never `main`), defenses already in place, recommended consumption patterns by paranoia level (default → strict → vendored), manual integrity verification recipe, reproducible-build verification recipe, honestly named out-of-scope failure modes.

Tests
- `test_update_outputs.py` covering: file emitted, GNU format regex, recorded hashes match on-disk content, no self-reference, every txt file covered, index links it.

Test plan
- `python -m pytest` 39/39 passing
- `terraform test` 9/9 passing (no regression)
- `sha256sum -c SHA256SUMS` against the locally-generated manifest succeeds for all 89 entries
- `terraform.yml` (pinned SHAs) on this PR
- `update.yml` post-merge generates SHA256SUMS + tags

Follow-up (PR 4)
TF module hash verification: optional `verify_checksums` input (default true) that fetches `SHA256SUMS` at plan time and compares against `sha256(self.response_body)` of each fetched feed via postcondition. Mock-based unit tests for the verification logic.
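
Added example, not the project's `update_outputs.py` or its tests: one way to write a GNU-format `SHA256SUMS` over the `.txt` files and to check the properties the test list above names (format, hashes match on-disk content, no self-reference, every txt file covered). The function names, the strict two-space line format and the sample file contents are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"
LINE_RE = re.compile(r"^([0-9a-f]{64})  (.+)$")  # GNU text mode: digest, 2 spaces, name

def sha256_hex(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_manifest(out_dir: Path) -> None:
    """Hash every .txt file; SHA256SUMS never matches *.txt, so no self-reference."""
    lines = [f"{sha256_hex(p)}  {p.name}\n" for p in sorted(out_dir.glob("*.txt"))]
    (out_dir / MANIFEST).write_text("".join(lines), encoding="utf-8")

def verify_manifest(out_dir: Path) -> list[str]:
    """Return a list of problems; an empty list means the directory verifies."""
    problems, listed = [], set()
    for raw in (out_dir / MANIFEST).read_text(encoding="utf-8").splitlines():
        m = LINE_RE.match(raw)
        if not m:
            problems.append(f"malformed line: {raw!r}")
            continue
        digest, name = m.groups()
        target = out_dir / name
        if name != Path(name).name or name == MANIFEST:
            problems.append(f"unexpected entry: {name}")  # path component or self-reference
        elif not target.is_file():
            problems.append(f"missing file: {name}")
        elif sha256_hex(target) != digest:
            problems.append(f"hash mismatch: {name}")
        listed.add(name)
    # sha256sum -c ignores files absent from the manifest; report them explicitly.
    unlisted = sorted(p.name for p in out_dir.glob("*.txt") if p.name not in listed)
    return problems + [f"unlisted file: {n}" for n in unlisted]

def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: two feed files, then one tampered with and one added."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "a.txt").write_text("10.0.0.0/8\n")
        (d / "b.txt").write_text("192.0.2.0/24\n")
        write_manifest(d)
        clean = verify_manifest(d)
        (d / "a.txt").write_text("0.0.0.0/0\n")  # changed after the manifest was written
        (d / "c.txt").write_text("extra\n")      # never listed in the manifest
        return clean, verify_manifest(d)
```

`demo()` returns the problem list before and after the constructed tampering; the second list carries one hash mismatch and one unlisted file, the latter being a case plain `sha256sum -c` does not report.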