From b6996e49e7d2c34569c0bc1d50e4c5f863d48ae7 Mon Sep 17 00:00:00 2001 From: Nathan Sportsman Date: Tue, 2 Jun 2026 19:00:56 -0500 Subject: [PATCH 1/2] fix(ci): re-pin titus-scan to real tag v2.6.0 --- .github/workflows/secrets-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml index f266fca..9e02acb 100644 --- a/.github/workflows/secrets-scan.yml +++ b/.github/workflows/secrets-scan.yml @@ -18,7 +18,7 @@ permissions: jobs: scan: - uses: praetorian-inc/public-workflows/.github/workflows/titus-scan.yml@e2da966933b2c8f02a32540e7bd5812f93a056fb # v2.2.1 + uses: praetorian-inc/public-workflows/.github/workflows/titus-scan.yml@23254e12b026871dd9bbf2bad4ef6fee29910fb1 # v2.6.0 permissions: contents: read security-events: write From 769fc557ee350860f32ee2c158d1d535ec821fef Mon Sep 17 00:00:00 2001 From: Nathan Sportsman Date: Tue, 2 Jun 2026 19:00:57 -0500 Subject: [PATCH 2/2] ci: adopt verify-pins gate (reject dishonest first-party pins) --- .github/workflows/verify-pins.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 .github/workflows/verify-pins.yml diff --git a/.github/workflows/verify-pins.yml b/.github/workflows/verify-pins.yml new file mode 100644 index 0000000..2c48afa --- /dev/null +++ b/.github/workflows/verify-pins.yml @@ -0,0 +1,16 @@ +name: Verify Pins +# Fails CI if any first-party praetorian-inc/public-workflows `uses:` pin carries a +# dishonest version comment (missing tag, nonexistent tag, or SHA != that tag). +on: + pull_request: + paths: ['.github/workflows/**'] + push: + branches: [main] + paths: ['.github/workflows/**'] +permissions: + contents: read +jobs: + verify: + uses: praetorian-inc/public-workflows/.github/workflows/verify-pins.yml@23254e12b026871dd9bbf2bad4ef6fee29910fb1 # v2.6.0 + permissions: + contents: read