You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
## Summary
A supply chain security audit of the dbt-databricks CI/CD pipeline
identified **8 findings** across GitHub Actions workflows. This PR
addresses the critical and medium severity issues:
- **86% of GitHub Action references** used mutable tags (`@v4`, `@v5`)
instead of immutable commit SHAs — an attacker who compromises an
upstream action repo can silently change what code runs in CI, including
jobs with access to Databricks secrets
- **`pypa/hatch@install`** had zero version pinning (a branch ref, not
even a tag) and ran in 6 jobs
- **`conventional-commits-parser`** npm package was installed without
any version constraint
- **Dependabot config** was in the wrong directory
(`.github/ISSUE_TEMPLATE/dependabot.yml`) and was completely inactive
- **No lock file** — `uv.lock` was in `.gitignore`, making CI builds
non-deterministic
## Changes
### 1. Pin all GitHub Actions to immutable commit SHAs
- Replaced all 32 mutable tag references across `main.yml`,
`integration.yml`, `ci-pr-linting.yml`, and `coverage.yml` with full
40-character commit SHAs
- All SHAs verified via `gh api` to predate March 18, 2026
- `stale.yml` was already SHA-pinned — no change needed
- Trailing comments preserve the original tag for readability (e.g.,
`actions/checkout@34e11487... # v4`)
**SHA Reference:**
| Action | SHA | Commit Date |
|--------|-----|-------------|
| `actions/checkout` | `34e11487...` | 2025-11-13 |
| `actions/setup-python` | `a26af69b...` | 2025-04-24 |
| `actions/setup-node` | `49933ea5...` | 2025-04-02 |
| `actions/upload-artifact` | `ea165f8d...` | 2025-03-19 |
| `astral-sh/setup-uv` | `38f3f104...` | 2024-11-30 |
| `pypa/hatch` | `257e27e5...` | 2024-05-23 |
| `py-cov-action/python-coverage-comment-action` | `7188638f...` |
2026-01-06 |
### 2. Pin conventional-commits-parser to v6.3.0
- npm versions are immutable (can't be republished with different
content), so exact version pinning is sufficient
- v6.3.0 published 2026-03-01 (before March 18 cutoff)
- Note: Dependabot cannot auto-update this pin since it's an inline
workflow install, not a `package.json` dependency — updates must be
manual
### 3. Fix Dependabot config location and add github-actions ecosystem
- Moved from `.github/ISSUE_TEMPLATE/dependabot.yml` (wrong — GitHub
never reads this) to `.github/dependabot.yml`
- Added `github-actions` ecosystem with weekly schedule so SHA-pinned
actions get automatic update PRs
- Kept `pip` ecosystem with daily schedule
- No `npm` ecosystem — the npm dependency is an inline workflow install
that Dependabot cannot track
### 4. Commit uv.lock and enforce frozen installs in CI
- Removed `uv.lock` from `.gitignore` and committed the generated lock
file (82 resolved packages)
- Added `UV_FROZEN: "1"` environment variable to all 6 CI jobs (3 in
`main.yml`, 3 in `integration.yml`)
- When `UV_FROZEN=1` is set, uv refuses to install if the lock file
doesn't match `pyproject.toml`, failing CI loudly instead of silently
re-resolving
- **Developer impact:** when changing dependencies in `pyproject.toml`,
you must also run `uv lock` and commit the updated `uv.lock`
### 5. Enhance CODEOWNERS
- Added `@jprakash-db` as a code owner
- Added explicit `/.github/workflows/` rule to make CI security review
governance explicit
## Files Modified
| File | Change |
|------|--------|
| `.github/workflows/main.yml` | 14 action refs SHA-pinned, `UV_FROZEN:
"1"` added to 3 jobs |
| `.github/workflows/integration.yml` | 15 action refs SHA-pinned,
`UV_FROZEN: "1"` added to 3 jobs |
| `.github/workflows/ci-pr-linting.yml` | 2 action refs SHA-pinned, npm
pinned to `@6.3.0` |
| `.github/workflows/coverage.yml` | 1 action ref SHA-pinned |
| `.github/ISSUE_TEMPLATE/dependabot.yml` | Deleted |
| `.github/dependabot.yml` | Created (correct location) |
| `.gitignore` | Removed `uv.lock` line |
| `uv.lock` | Created (82 resolved packages) |
| `.github/CODEOWNERS` | Added `@jprakash-db`, added workflow rule |
## Local Validation Results
- **actionlint:** no new errors (only pre-existing warnings about
`linux-ubuntu-latest` custom runner label)
- **grep audit:** 0 unpinned action refs remaining
- **SHA resolution:** all 7 SHAs verified via `gh api`
- **All SHAs predate March 18, 2026**
- **npm pin:** `conventional-commits-parser@6.3.0` installs and parses
correctly
- **Frozen mode:** env resolution, code-quality, and 719 unit tests all
pass with `UV_FROZEN=1`
- **Drift test:** frozen mode correctly fails when lock file is stale
## Test plan
- [ ] CI workflows pass with SHA-pinned actions
- [ ] `Check PR title format` workflow validates PR titles correctly
with pinned npm package
- [ ] Unit tests pass with `UV_FROZEN=1` and committed `uv.lock`
- [ ] After merge: verify Dependabot activates (Security > Dependabot
tab) for pip and github-actions ecosystems
- [ ] After merge: verify correct reviewers are auto-requested on
workflow file changes
## Audit Findings Addressed
| # | Finding | Severity | Status |
|---|---------|----------|--------|
| 1 | `pypa/hatch@install` — no version constraint | HIGH | Fixed |
| 2 | 19/22 GitHub Actions pinned to tags, not SHAs | MEDIUM | Fixed |
| 3 | `npm install conventional-commits-parser` unpinned | MEDIUM |
Fixed |
| 4 | No `uv.lock` committed — non-deterministic CI | MEDIUM | Fixed |
| 5 | Dependabot config in wrong directory | MEDIUM | Fixed |
| 6 | 8/11 dev dependencies unpinned | LOW | Deferred (uv.lock covers
this) |
| 7 | Build verification tools unpinned | LOW | Deferred (uv.lock covers
this) |
| 8 | `contents: write` on unit test job | INFO | Acceptable — already
scoped |
---
JIRA:
[PECOBLR-2368](https://databricks.atlassian.net/browse/PECOBLR-2368)
This pull request was AI-assisted by Isaac.
[PECOBLR-2368]:
https://databricks.atlassian.net/browse/PECOBLR-2368?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
0 commit comments