ci: harden supply chain security for release pipelines

zhukaihan · claude · zhukaihan · commit fe2befc8d4ef · 2026-03-30T21:00:18.000-07:00
- SHA pin all external GitHub Actions to full commit SHAs
- Migrate PyPI publishing from token-based auth to OIDC trusted publishers
- Migrate TestPyPI publishing from token-based auth to OIDC trusted publishers
- Disable semantic-release's built-in PyPI upload in favor of pypa/gh-action-pypi-publish with OIDC
- Add CODEOWNERS file requiring SDK team review for workflows, build config, and package metadata
- Add id-token: write permission for OIDC token minting

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# Workflow and release automation files require review from SDK team
+/.github/workflows/ @amplitude/sdk
+/.github/CODEOWNERS @amplitude/sdk
+
+# Package metadata and build configuration
+/setup.py @amplitude/sdk
+/pyproject.toml @amplitude/sdk
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 
       - name: Set up pdoc
         run:  pip install pdoc3
@@ -19,7 +19,7 @@ jobs:
         run:  pdoc ./src/amplitude_experiment -o ./docs --html
 
       - name: Deploy
-        uses: JamesIves/github-pages-deploy-action@4.1.5
+        uses: JamesIves/github-pages-deploy-action@0f24da7de3e7e135102609a4c9633b025be8411b # 4.1.5
         with:
           branch: gh-pages
           folder: docs/amplitude_experiment
diff --git a/.github/workflows/jira-issue-create.yml b/.github/workflows/jira-issue-create.yml
@@ -12,15 +12,15 @@ jobs:
     name: SDK Bot Jira Issue Creation
     steps:
       - name: Login
-        uses: atlassian/gajira-login@master
+        uses: atlassian/gajira-login@c22a5debd482401472b285de4f6deedf70ddbb92 # master
         env:
           JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
           JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
           JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
 
       - name: Create issue
         id: create
-        uses: atlassian/gajira-create@master
+        uses: atlassian/gajira-create@1c54357fdde9dab6273a0e26d67cb175ffffe498 # master
         with:
           project: ${{ secrets.JIRA_PROJECT }}
           issuetype: Task
diff --git a/.github/workflows/publish-to-pypi.yml b/.github/workflows/publish-to-pypi.yml
@@ -14,25 +14,28 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ${{ github.actor }} permission check to do a release
-        uses: "lannonbr/repo-permission-check-action@2.0.2"
+        uses: lannonbr/repo-permission-check-action@2bb8c89ba8bf115c4bfab344d6a6f442b24c9a1f # 2.0.2
         with:
           permission: "write"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   build-n-publish:
-    environment: Unit Test
+    environment: pypi
     name: Build and publish to PyPI
     runs-on: ubuntu-latest
     needs: [authorize]
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - name: Checkout for release to PyPI
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
         with:
           fetch-depth: 0
 
       - name: Set up Python 3.8
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: 3.8
 
@@ -56,13 +59,20 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           semantic-release publish --noop
-      - name: Publish distribution PyPI
+
+      - name: Version, tag, and release
         if: ${{ github.event.inputs.dryRun == 'false'}}
         run: |
           git config user.name amplitude-sdk-bot
           git config user.email amplitude-sdk-bot@users.noreply.github.com
           semantic-release publish
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPOSITORY_USERNAME: __token__
-          REPOSITORY_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+
+      - name: Build package
+        if: ${{ github.event.inputs.dryRun == 'false'}}
+        run: python -m build
+
+      - name: Publish to PyPI
+        if: ${{ github.event.inputs.dryRun == 'false'}}
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/publish-to-test-pypi.yml b/.github/workflows/publish-to-test-pypi.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: ${{ github.actor }} permission check to do a release
-        uses: "lannonbr/repo-permission-check-action@2.0.2"
+        uses: lannonbr/repo-permission-check-action@2bb8c89ba8bf115c4bfab344d6a6f442b24c9a1f # 2.0.2
         with:
           permission: "write"
         env:
@@ -18,11 +18,14 @@ jobs:
     name: Build and publish to TestPyPI
     runs-on: ubuntu-latest
     needs: [authorize]
+    environment: testpypi
+    permissions:
+      id-token: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Set up Python 3.8
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: 3.8
 
@@ -33,8 +36,6 @@ jobs:
         run: python -m build --sdist --wheel --outdir dist/ .
 
       - name: Publish distribution Test PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
-          repository_url: https://test.pypi.org/legacy/
+          repository-url: https://test.pypi.org/legacy/
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,10 +11,10 @@ jobs:
         python-version: [ "3.8" ]
     steps:
       - name: Checkout source code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ version_variable = [
 ]
 major_on_zero = true
 branch = "main"
-upload_to_PyPI = true
+upload_to_PyPI = false
 upload_to_release = true
 build_command = "pip install build && python -m build"
 version_source = "commit"

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ version_variable = [`
`4`	`4`	`]`
`5`	`5`	`major_on_zero = true`
`6`	`6`	`branch = "main"`
`7`		`-upload_to_PyPI = true`
	`7`	`+upload_to_PyPI = false`
`8`	`8`	`upload_to_release = true`
`9`	`9`	`build_command = "pip install build && python -m build"`
`10`	`10`	`version_source = "commit"`