[AAASM-3998] 🔧 (ci): CI/metadata hardening#203
Merged
Chisanan232 merged 4 commits intoJul 2, 2026
Conversation
Homepage/Repository pointed at github.com/agent-assembly (nonexistent); the canonical GitHub org is AI-agent-assembly. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
Deleted three commented-out placeholder job blocks that referenced unpinned @master reusable workflows for not-yet-implemented test types. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
Pin actions/checkout@v7, actions/setup-python@v6, actions/upload-artifact@v7 and actions/download-artifact@v8 to their tag's 40-char commit SHA across all workflows so a moved tag cannot silently change the action run. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
The backfill job deploys docs via mike (git push to gh-pages, needs contents:write); it uses no OIDC, so id-token:write was unused. Refs AAASM-3998 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Contributor
Author
|
🤖 Claude Code review — approve AAASM-3998 (python-sdk). Actions SHA-pinned (checkout/setup-python/upload-artifact/download-artifact), unused |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



What
CI/CD + metadata hardening for AAASM-3998 (LOW batch), python-sdk slice.
actions/checkout@v7,actions/setup-python@v6,actions/upload-artifact@v7,actions/download-artifact@v8across all workflows now pin the tag's 40-char commit SHA (with a# vXtrailing comment). A mutable tag can be repointed at malicious code; a SHA cannot.id-token: writeindocs-backfill.yaml— the backfill job deploys docs viamike(git push togh-pages, needscontents: write) and uses no OIDC, soid-token: writewas dead permission.@masterreusable-workflow refs inrw_build_and_test.yaml— three commented-out placeholder job blocks referencing unpinned@masterreusable workflows for not-yet-implemented test types.pyproject.toml—Homepage/Repositorypointed atgithub.com/agent-assembly(nonexistent org); corrected to the canonicalgithub.com/AI-agent-assembly.Why
Least-privilege + supply-chain hardening: SHA-pinned actions resist tag-hijack, scoped/removed permissions shrink token blast radius, and correct package metadata points users at the real repo.
How to verify
actionlint .github/workflows/*.yml .github/workflows/*.yaml— clean (pre-existing shellcheck info notes intype-check.ymlare unrelated to this change and present on master).python3 -c "import tomllib,yaml"parse checks pass.Deferred
aa-ebpf) is a deployment concern tracked under AAASM-3948. No change here.Refs AAASM-3998
🤖 Generated with Claude Code
https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73