Conversation
Are there any other hooks we can also update at the same time?
We should consider pinning all our actions to specific hashes for CPython IMO. We've done this for our flagship repos at Astral following https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066 -- the attack there edited existing tags so that they pointed to different commits, meaning that pinning an action to a tag was not sufficient to defend against the attack. I'm okay with changing the configured zizmor policy for now, though; we can consider pinning to specific hashes as a followup!
Agreed! 👍
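To make the tag-versus-hash distinction from the comment above concrete, here is a small stdlib-only audit script (added here as an example; it is not CPython's or zizmor's code) that walks `uses:` entries in a workflow and reports every one that is not pinned to a full commit SHA. The sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re

# Matches a `uses:` entry in a workflow or composite action (quotes optional).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<target>[^'\"\s#]+)['\"]?")
# A full 40-hex commit SHA: the only git ref form the upstream cannot repoint.
SHA_RE = re.compile(r"[0-9a-f]{40}")


def classify_uses(target: str) -> str:
    """Return how a `uses:` target is pinned: local, docker, hash, tag or unpinned."""
    if target.startswith("./"):
        return "local"          # in-repo action, nothing remote to pin
    if target.startswith("docker://"):
        return "docker"         # image refs are pinned by digest; not audited here
    if "@" not in target:
        return "unpinned"       # no ref at all: resolves to the default branch
    ref = target.rsplit("@", 1)[1]
    # A tag or branch is a movable pointer; only a commit SHA is immutable.
    return "hash" if SHA_RE.fullmatch(ref) else "tag"


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, target, kind) for every `uses:` that is not hash-pinned."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue
        kind = classify_uses(m.group("target"))
        if kind in ("tag", "unpinned"):
            findings.append((no, m.group("target"), kind))
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action
"""
```

`audit_workflow(SAMPLE_WORKFLOW)` flags lines 7, 9 and 11 (two tag pins and one bare reference) and passes the SHA-pinned step, which is the check zizmor's `unpinned-uses` audit automates across a repository.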
```python
) as hole if (
_signed(addend) == -4
):
```
It fails with the updated lint: https://github.com/python/cpython/actions/runs/14595721490/job/40941024229
Thanks @sobolevn for the PR 🌮🎉. I'm working now to backport this PR to: 3.13.
Sorry, @sobolevn, I could not cleanly backport this to
(cherry picked from commit 87b1ea0) Co-authored-by: sobolevn <mail@sobolevn.me>
GH-132804 is a backport of this pull request to the 3.13 branch. |
(cherry picked from commit 87b1ea0)
I've updated this in many projects today. Now in CPython as well.
Docs: https://woodruffw.github.io/zizmor/audits/#unpinned-uses-configuration