Skip to content

[AAASM-3998] 🔧 (ci): CI/metadata hardening#203

Merged
Chisanan232 merged 4 commits into
masterfrom
v0.0.1/AAASM-3998/config/ci_metadata_hardening
Jul 2, 2026
Merged

[AAASM-3998] 🔧 (ci): CI/metadata hardening#203
Chisanan232 merged 4 commits into
masterfrom
v0.0.1/AAASM-3998/config/ci_metadata_hardening

Conversation

@Chisanan232

Copy link
Copy Markdown
Contributor

What

CI/CD + metadata hardening for AAASM-3998 (LOW batch), python-sdk slice.

  • Pin official GitHub Actions to full commit SHAactions/checkout@v7, actions/setup-python@v6, actions/upload-artifact@v7, actions/download-artifact@v8 across all workflows now pin the tag's 40-char commit SHA (with a # vX trailing comment). A mutable tag can be repointed at malicious code; a SHA cannot.
  • Drop unused id-token: write in docs-backfill.yaml — the backfill job deploys docs via mike (git push to gh-pages, needs contents: write) and uses no OIDC, so id-token: write was dead permission.
  • Remove dead commented @master reusable-workflow refs in rw_build_and_test.yaml — three commented-out placeholder job blocks referencing unpinned @master reusable workflows for not-yet-implemented test types.
  • Fix project URLs in pyproject.tomlHomepage/Repository pointed at github.com/agent-assembly (nonexistent org); corrected to the canonical github.com/AI-agent-assembly.

Why

Least-privilege + supply-chain hardening: SHA-pinned actions resist tag-hijack, scoped/removed permissions shrink token blast radius, and correct package metadata points users at the real repo.

How to verify

  • actionlint .github/workflows/*.yml .github/workflows/*.yaml — clean (pre-existing shellcheck info notes in type-check.yml are unrelated to this change and present on master).
  • python3 -c "import tomllib,yaml" parse checks pass.

Deferred

  • (f) eBPF loaderd control-plane authz (agent-assembly aa-ebpf) is a deployment concern tracked under AAASM-3948. No change here.

Refs AAASM-3998

🤖 Generated with Claude Code

https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73

Chisanan232 and others added 4 commits July 2, 2026 15:03
Homepage/Repository pointed at github.com/agent-assembly (nonexistent);
the canonical GitHub org is AI-agent-assembly.

Refs AAASM-3998
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
Deleted three commented-out placeholder job blocks that referenced
unpinned @master reusable workflows for not-yet-implemented test types.

Refs AAASM-3998
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
Pin actions/checkout@v7, actions/setup-python@v6, actions/upload-artifact@v7
and actions/download-artifact@v8 to their tag's 40-char commit SHA across all
workflows so a moved tag cannot silently change the action run.

Refs AAASM-3998
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
The backfill job deploys docs via mike (git push to gh-pages, needs
contents:write); it uses no OIDC, so id-token:write was unused.

Refs AAASM-3998
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MvjnG3ysnqTY6Gu1wQ2h73
@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026

Copy link
Copy Markdown

@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@Chisanan232

Copy link
Copy Markdown
Contributor Author

🤖 Claude Code review — approve

AAASM-3998 (python-sdk). Actions SHA-pinned (checkout/setup-python/upload-artifact/download-artifact), unused id-token: write dropped from docs-backfill, dead @master reusable-wf blocks deleted, pyproject Homepage/Repository fixed to canonical org. YAML+toml validated. CI green.

@Chisanan232 Chisanan232 merged commit 27acc6e into master Jul 2, 2026
30 checks passed
@Chisanan232 Chisanan232 deleted the v0.0.1/AAASM-3998/config/ci_metadata_hardening branch July 2, 2026 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant