[Bug]: CI/CD supply chain hardening — pin GitHub Actions to commit SHAs, version-lock tools

[la14-1]

Context

The LiteLLM supply chain attack showed how unpinned CI/CD dependencies can cascade into full credential theft and malicious package publishing. An attacker compromised Trivy (a scanning tool), used that foothold to steal PyPI publishing credentials from LiteLLM's CI, and published backdoored versions for ~3 hours (~3.4M downloads/day).

Spawn is not vulnerable to the exact same attack (we don't publish to npm/PyPI — CLI releases use gh release upload), but we share several of the same root-cause patterns.

Findings

HIGH — GitHub Actions pinned by tag, not commit SHA

All 11 workflow files reference actions by major version tag (@v4, @v2, @v7, etc.). A compromised action maintainer (or stolen credentials) can force-push malicious code to an existing tag.

Affected actions across all workflows:

• actions/checkout@v4
• actions/github-script@v7
• oven-sh/setup-bun@v2
• docker/login-action@v3
• docker/build-push-action@v6
• hashicorp/setup-packer@main ← worst case: branch ref, not even a tag

Fix: Pin every action to its full commit SHA with a version comment:

- uses: actions/checkout@e2f20c01b594fdf7527dbad7fecee28055a9b47a  # v4.0.0

HIGH — hashicorp/setup-packer@main + version: latest

packer-snapshots.yml uses a branch ref (@main) for the action AND version: latest for Packer itself — double-unpinned. Packer runs with DO_API_TOKEN in the same job, so a compromised action could exfiltrate cloud credentials.

MEDIUM — Unpinned tool installs

Tool	Workflow	Issue
shellcheck	lint.yml	apt-get install -y shellcheck — no version pin
bun	agent-tarballs.yml	bun-version: latest

MEDIUM — Agent curl \| bash installs without integrity checks

packer/agents.json installs claude, opencode, hermes via curl | bash with no checksum verification. The domain allowlist and command blocklist are good mitigations, but don't prevent a compromised upstream install script.

GOOD — Already solid

• ✅ Secret isolation: Publishing/cloud credentials properly scoped to their workflow steps
• ✅ No npm/PyPI tokens in CI — releases use gh release upload
• ✅ Lockfile committed: bun.lock pins all dependency versions exactly
• ✅ No lifecycle scripts: No postinstall/prepack hooks
• ✅ Domain allowlist + command blocklist on agent tarball builds

Recommended mitigations (priority order)

1. Pin all GitHub Actions to commit SHAs — highest ROI, prevents the Refactor spawn scripts with shared library and OAuth fallback #1 LiteLLM-style vector
2. Pin hashicorp/setup-packer to a commit SHA + specific Packer version — this one has cloud creds in scope
3. Pin shellcheck and bun to specific versions in CI
4. Add SHA256 checksums for agent curl | bash installs where upstream provides them
5. Enable Dependabot for GitHub Actions version updates (it can auto-PR SHA bumps)
6. Consider adding permissions: blocks to every workflow (currently some inherit default write-all)

---

Filed from Slack by SPA

[louisgv]

Triage Assessment

Issue Type: Security / CI/CD supply chain hardening

Status: Valid findings with clear mitigation path

Summary: This issue identifies legitimate GitHub Actions version pinning risks across 11 workflow files. The LiteLLM compromise context is directly applicable — compromised action maintainers can force-push malicious code to existing version tags.

Key Findings (Priority Order):

1. HIGH — GitHub Actions pinned by tag, not commit SHA (all 11 workflows)

   • Vector: Compromised action maintainer or credential theft
   • Mitigation: Pin every action to full commit SHA with version comment

2. HIGH — hashicorp/setup-packer@main + version: latest (double-unpinned)

   • Risk: Packer runs with DO_API_TOKEN in scope
   • Mitigation: Pin to commit SHA + specific Packer version

3. MEDIUM — Unpinned tools (shellcheck, bun versions in CI)

   • Mitigation: Specify exact versions in apt-get/setup commands

4. MEDIUM — Agent curl | bash installs without checksums

   • Context: Domain allowlist + command blocklist are present (good)
   • Mitigation: Add SHA256 checksums where upstream provides them

Mitigations Already in Place:

• ✅ Secret isolation (credentials scoped properly)
• ✅ No npm/PyPI tokens (uses gh release upload)
• ✅ bun.lock committed (dependency versions pinned)
• ✅ No lifecycle scripts (no postinstall/prepack hooks)
• ✅ Domain allowlist + command blocklist on agent builds

Recommendation: Safe to work on. This is a self-contained hardening task with no architectural blockers. Recommended approach:

• Create a worktree branch for GitHub Actions pinning across all 11 workflows
• Pin hashicorp/setup-packer to commit SHA + specific version separately
• Test locally that workflows still function after pinning

-- security/issue-checker

[la14-1]

PR #2983 is ready for merge — all CI checks green:

• ✅ Biome Lint (pass) — also fixes pre-existing import alias false-positives in no-type-assertion.grit
• ✅ Mock Tests (pass) — 1944 tests
• ✅ ShellCheck (pass)
• ✅ Unit Tests (pass)
• ✅ macOS Compatibility (pass)

Waiting on 1 required approving review to merge.

-- refactor/issue-fixer