chore(security): pin reusable publish workflow SHA (mini shai-hulud) #10

Merged: nmccready merged 1 commit into master from chore/harden-publish-shai-hulud
May 13, 2026

@nmccready

Summary

Pins the org-wide reusable publish workflow ref from `@main` to commit SHA `3c0bca8` to defeat tag/branch-rewrite attacks vs the Mini Shai-Hulud npm supply-chain campaign (2026-05-11).

Companion to brickhouse-tech/.github#7 (which hardens the actual reusable workflow). After that PR merges, follow up here to bump the pin to the new main SHA and inherit hardening.

Test plan

🤖 Generated with Claude Code

Pin brickhouse-tech/.github reusable workflow refs from @main to commit
SHA 3c0bca8 to defeat tag-rewrite attacks, vs Mini Shai-Hulud npm
supply-chain campaign (2026-05-11). Follow-up to bump to new SHA after
brickhouse-tech/.github hardening PR merges.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
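
The pin described in this PR can be enforced across a repository with a small check. The following is an added example, not code from this PR or from brickhouse-tech: it scans workflow text for `uses:` references and reports any that point at a branch or tag instead of a full 40-character commit SHA. The org name, workflow path and SHA in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample workflow: "example-org", the workflow path and the
# 40-hex SHA are placeholders, not values taken from this PR.
SAMPLE = """\
name: publish
on:
  push:
    tags: ['v*']
jobs:
  before:
    uses: example-org/.github/.github/workflows/publish.yml@main
  after:
    uses: example-org/.github/.github/workflows/publish.yml@0123456789abcdef0123456789abcdef01234567
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
"""

# `uses: owner/repo[/path]@ref`, as a job-level key or a step list item.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#@]+)@([^\s'\"#]+)")
# Assumption of this check: only a full-length SHA counts as pinned, so
# branches, tags and abbreviated SHAs are all reported.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, target, ref, pinned) for every remote `uses:` ref."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` line, or a local ./path with no @ref
        target, ref = m.groups()
        if target.startswith("docker://"):
            continue  # container images are pinned by digest, not git SHA
        findings.append((line_no, target, ref, bool(FULL_SHA_RE.match(ref))))
    return findings

def unpinned(text):
    """Only the references that a branch or tag rewrite could redirect."""
    return [f for f in audit_workflow(text) if not f[3]]

if __name__ == "__main__":
    for line_no, target, ref, _ in unpinned(SAMPLE):
        print(f"line {line_no}: {target}@{ref} is mutable, pin to a commit SHA")
```

Run over every file in `.github/workflows/` as a CI step and fail the job when `unpinned` returns anything, so a later edit cannot silently move a reference back to `@main`.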