Skip to content

security: add environment gate and tag validation to update-main-version (TeamPCP)#273

Merged
sgerlach merged 5 commits into
mainfrom
security/teampcp-update-main-version-hardening
Apr 2, 2026
Merged

security: add environment gate and tag validation to update-main-version (TeamPCP)#273
sgerlach merged 5 commits into
mainfrom
security/teampcp-update-main-version-hardening

Conversation

@sgerlach
Copy link
Copy Markdown
Contributor

@sgerlach sgerlach commented Apr 1, 2026

Summary

Addresses Finding 1 from the TeamPCP supply chain audit (March 2026), which identified update-main-version.yml as using the same force-push-to-mutable-tag pattern exploited in the Trivy compromise.

Changes

1. Environment gate (environment: tag-release)
Blocks the job from running until a required reviewer approves it in the GitHub UI. Prevents a compromised or stolen credential from silently moving v2 to a malicious commit.

⚠️ Action required: Create a tag-release environment in Settings → Environments and add required reviewers before merging.

2. Tag validation preflight step
Rejects any target input that is not an existing named tag in refs/tags/. This closes the exact TeamPCP attack vector — an attacker cannot point v2 at an arbitrary commit SHA or branch tip.

Risk if not fixed

Every repo using uses: stackhawk/hawkscan-action@v2 resolves at runtime to wherever v2 points. Without this gate, a single compromised workflow trigger could silently poison all customer CI pipelines.

References

@sgerlach
security: add environment gate and tag validation to update-main-version
49ebce0 
Addresses Finding 1 from the TeamPCP/GitHub Actions security audit (March 2026):

- Add `environment: tag-release` to require human approval before any force-push runs. Create this environment in Settings → Environments with required reviewers.
- Add preflight validation step that rejects any `target` input that is not an existing named tag in refs/tags/. This closes the exact attack vector used in the Trivy compromise — an attacker cannot point v2 at an arbitrary commit SHA or branch ref.
@sgerlach sgerlach requested a review from a team as a code owner April 1, 2026 16:40
Bwvolleyball and others added 4 commits April 2, 2026 11:17
@Bwvolleyball
Bump version: 2.4.0 → 2.5.0
bec712b
@Bwvolleyball @claude
docs: clarify that version bump is required for releases in CLAUDE.md
09f888d 
Without a bump2version call, the CI "Create Release" step is silently
skipped because version-check.sh finds the existing tag.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Bwvolleyball @claude
docs: add CONTRIBUTING.md reference back to release section
11923a3 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Bwvolleyball
Merge pull request #275 from stackhawk/bump/v2.5.0
93f5005 
Bump version: 2.4.0 → 2.5.0
@sgerlach sgerlach merged commit f7ffbb7 into main Apr 2, 2026
13 checks passed
@sgerlach sgerlach deleted the security/teampcp-update-main-version-hardening branch April 2, 2026 17:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Bwvolleyball Bwvolleyball Bwvolleyball approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sgerlach @Bwvolleyball