
fix(security): pin etils-actions/pypi-auto-publish to commit SHA in publish workflows#3414

Open
XananasX7 wants to merge 1 commit into google:main from XananasX7:fix/security-pin-etils-actions-sha

Conversation

@XananasX7


Summary

The auto-publish.yml and auto-publish-dry-run.yml workflows use a mutable tag reference for a third-party action:

```yaml
uses: etils-actions/pypi-auto-publish@v1   # ← tag-pinned, not SHA-pinned
```

etils-actions/pypi-auto-publish is a small third-party action (~10 GitHub stars). If the v1 tag is silently redirected — via a compromised maintainer account, a tag deletion + recreation, or a GitHub account takeover — the malicious version executes in the same job that holds PYPI_API_TOKEN and GH_PUBLISH_TOKEN.

Impact

  • PYPI_API_TOKEN_OBX_CKPT — publishes orbax-checkpoint to PyPI. A compromised token enables injecting backdoored releases into a package installed across the JAX ecosystem.
  • GH_PUBLISH_TOKEN — GitHub PAT; enables creating spurious tags/releases or further repo manipulation.
  • Trigger: every push to main — no manual approval gate.

Fix

Pin to the exact commit SHA of the current v1 tag:

| Before | After |
| --- | --- |
| `etils-actions/pypi-auto-publish@v1` | `etils-actions/pypi-auto-publish@e3c4b4afc3a5b12a44734da938741995538e8223 # v1` |

The SHA pins the action code to a specific immutable commit. The # v1 comment preserves human readability. This is the approach recommended by the GitHub security hardening guide and enforced by tools like OpenSSF Scorecards and ratchet.

The auto-publish workflows use etils-actions/pypi-auto-publish@v1 — a
mutable tag reference on a third-party action. If the tag is silently
moved (compromised maintainer, repo takeover, etc.) the new code runs
in the same job that holds PYPI_API_TOKEN and GH_PUBLISH_TOKEN, enabling
a supply-chain attack on every downstream user of orbax-checkpoint and
orbax-export.

Pin to the exact commit SHA so the workflow is tamper-proof:
  etils-actions/pypi-auto-publish@v1
    → @e3c4b4afc3a5b12a44734da938741995538e8223

The v1 comment preserves human readability while SHA ensures integrity.
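The check and rewrite this PR performs by hand, as an added example in Python that is not code from the PR, the orbax repository, or the etils-actions/pypi-auto-publish action: it scans workflow text for `uses:` references whose ref is not a full 40-hex commit SHA (the condition OpenSSF Scorecard's Pinned-Dependencies check and ratchet report) and rewrites them from a caller-supplied (action, tag) to SHA map, keeping the tag as a trailing comment exactly as the PR does. The sample workflow, the `RESOLVED` map and the 40-hex value in it are constructed placeholders, not the real commit behind the v1 tag.

```python
"""Scan GitHub Actions workflow text for third-party actions that are not
pinned to a full commit SHA, and rewrite them from a tag->SHA map.

Added example for this PR; not code from the orbax repository or from the
etils-actions/pypi-auto-publish action. The sample workflow below and the
SHA used in RESOLVED are constructed placeholders.
"""
import re

# A `uses:` step of the form owner/repo[/subdir]@ref with an optional
# trailing comment. Local actions (./path) and docker:// images never carry
# a remote ref of this shape and are intentionally not matched.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"\s*(?:#.*)?$"
)
# A full 40-hex commit SHA; anything shorter or symbolic (v1, main) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Placeholder resolution of (action, tag) -> commit. In practice populate
# this from `git ls-remote --tags <repo-url> <tag>` and peel annotated tags
# (the `<tag>^{}` entry) so the map holds the commit, not the tag object.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
RESOLVED = {("etils-actions/pypi-auto-publish", "v1"): PLACEHOLDER_SHA}

# Constructed sample workflow (not the real orbax publish workflow). The last
# step is already pinned to the same placeholder SHA as PLACEHOLDER_SHA.
SAMPLE_WORKFLOW = """\
name: publish
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: etils-actions/pypi-auto-publish@v1   # tag-pinned, not SHA-pinned
      - uses: etils-actions/pypi-auto-publish@0123456789abcdef0123456789abcdef01234567 # v1
"""


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every remote action not SHA-pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings


def pin_actions(workflow_text, resolved):
    """Rewrite mutable refs to `@<sha>  # <ref>` using resolved[(action, ref)].

    Refs with no entry are left untouched: nothing is guessed. A value that is
    not a full SHA is rejected so a typo cannot silently re-introduce a tag.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            sha = resolved.get((m.group("action"), m.group("ref")))
            if sha is not None:
                if not SHA_RE.match(sha):
                    raise ValueError(f"not a full commit SHA: {sha!r}")
                line = f"{m.group('prefix')}{m.group('action')}@{sha}  # {m.group('ref')}"
        out.append(line)
    trailing = "\n" if workflow_text.endswith("\n") else ""
    return "\n".join(out) + trailing


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not SHA-pinned")
    print(pin_actions(SAMPLE_WORKFLOW, RESOLVED))
```

Two things the script deliberately leaves to the operator. First, the tag-to-SHA map has to be resolved against the upstream repository and checked by a human (`git ls-remote --tags https://github.com/etils-actions/pypi-auto-publish v1` lists `refs/tags/v1`, and for an annotated tag the peeled `refs/tags/v1^{}` entry is the commit to pin); the script refuses any map value that is not a full SHA rather than accepting a short or symbolic one. Second, a SHA pin freezes only this action's own code: whatever the pinned action itself fetches at run time (its own `uses:` references, packages it installs) is not covered by the pin and needs the same review inside the action's repository.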
@google-cla

google-cla Bot commented Jun 28, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.
