From ea45c19e9e964a16d54b4dabe58d95fa64be8ee3 Mon Sep 17 00:00:00 2001
From: Zack Koppert <zkoppert@github.com>
Date: Tue, 21 Apr 2026 19:15:35 -0700
Subject: [PATCH 1/3] fix: remediate supply chain security findings

Address 4 high-severity code scanning findings from vuln-mgmt#195573:

1. Pin Docker base image to SHA256 digest (code-scanning/14)
2. Pin bundler gem to exact version 2.4.10 (code-scanning/16)
3. Add hash verification for pip install in Dockerfile (code-scanning/15)
4. Add hash verification for pip install in CI workflow (code-scanning/12)

Additionally pin all GitHub Actions to full commit SHAs for
supply chain integrity.

Uses requirements file syntax for pip hash verification since
--hash is a per-requirement option, not a CLI flag.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
---
 .github/workflows/ci.yml | 10 ++++++----
 Dockerfile               |  7 ++++---
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c82bf650..1de8421f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 10
 
@@ -30,12 +30,12 @@ jobs:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
 
-      - uses: actions/setup-python@v6.2.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           # This should match lib/github/markups.rb GitHub::Markups::MARKUP_RST
           python-version: "3.x"
 
-      - uses: actions/cache@v5.0.4
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip
@@ -52,7 +52,9 @@ jobs:
           sudo cpanm --installdeps --notest Pod::Simple
 
       - name: Install Python dependencies
-        run: python -m pip install docutils
+        run: |
+          echo 'docutils==0.22.4 --hash=sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de' > /tmp/requirements.txt
+          python -m pip install -r /tmp/requirements.txt
 
       - name: Run rake
         run: |
diff --git a/Dockerfile b/Dockerfile
index aa0f09aa..f6bd6b86 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:trusty
+FROM ubuntu:trusty@sha256:64483f3496c1373bfd55348e88694d1c4d0c9b660dee6bfef5e12f43b9933b30 # trusty
 
 RUN apt-get update -qq
 RUN apt-get install -y apt-transport-https
@@ -18,7 +18,8 @@ RUN install-zef-as-user && zef install Pod::To::HTML
 RUN curl -L http://cpanmin.us | perl - App::cpanminus
 RUN cpanm --installdeps --notest Pod::Simple
 
-RUN pip install docutils
+RUN echo 'docutils==0.22.4 --hash=sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de' > /tmp/requirements.txt && \
+    pip install -r /tmp/requirements.txt
 
 ENV PATH $PATH:/root/.rbenv/bin:/root/.rbenv/shims
 RUN curl -fsSL https://github.com/rbenv/rbenv-installer/raw/master/bin/rbenv-installer | bash
@@ -26,7 +27,7 @@ RUN rbenv install 2.4.1
 RUN rbenv global 2.4.1
 RUN rbenv rehash
 
-RUN gem install bundler
+RUN gem install bundler -v 2.4.10
 
 WORKDIR /data/github-markup
 COPY github-markup.gemspec .

From aeab80d03ea4cf0ce8bdeb1e6c2b620440624486 Mon Sep 17 00:00:00 2001
From: Zack Koppert <zkoppert@github.com>
Date: Tue, 21 Apr 2026 19:31:18 -0700
Subject: [PATCH 2/3] fix: pin docutils to 0.18.1 in Dockerfile for Python 2
 compat

docutils 0.22.4 requires Python >= 3.9 but the Dockerfile uses Python 2.
Pin to 0.18.1 (last py2-compatible release) with its py2.py3 wheel hash.
CI workflow keeps 0.22.4 since it uses Python 3.x.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f6bd6b86..ec2a2637 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ RUN install-zef-as-user && zef install Pod::To::HTML
 RUN curl -L http://cpanmin.us | perl - App::cpanminus
 RUN cpanm --installdeps --notest Pod::Simple
 
-RUN echo 'docutils==0.22.4 --hash=sha256:d0013f540772d1420576855455d050a2180186c91c15779301ac2ccb3eeb68de' > /tmp/requirements.txt && \
+RUN echo 'docutils==0.18.1 --hash=sha256:23010f129180089fbcd3bc08cfefccb3b890b0050e1ca00c867036e9d161b98c' > /tmp/requirements.txt && \
     pip install -r /tmp/requirements.txt
 
 ENV PATH $PATH:/root/.rbenv/bin:/root/.rbenv/shims

From c1a036340ce5518d5e78472afa5e1dd1ac473f95 Mon Sep 17 00:00:00 2001
From: Zack Koppert <zkoppert@github.com>
Date: Tue, 21 Apr 2026 20:38:00 -0700
Subject: [PATCH 3/3] fix: address review feedback on Dockerfile compatibility

- Drop pip hash verification in Dockerfile (Trusty's pip ~1.5 predates
  --hash support added in pip 8.0); version pin alone addresses the
  code scanning finding
- Pin bundler to 2.3.26 instead of 2.4.10 (Bundler 2.4.x requires
  Ruby >= 2.6.0, but the Dockerfile installs Ruby 2.4.1); update
  Gemfile.lock BUNDLED WITH to match
- Fix CI comment to reference the actual Python 3 dependency
  (rest2html script) instead of the MARKUP_RST Ruby constant

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Zack Koppert <zkoppert@github.com>
---
 .github/workflows/ci.yml | 2 +-
 Dockerfile               | 5 ++---
 Gemfile.lock             | 2 +-
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1de8421f..25fb1457 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,7 +32,7 @@ jobs:
 
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          # This should match lib/github/markups.rb GitHub::Markups::MARKUP_RST
+          # Required by lib/github/commands/rest2html (RST rendering)
           python-version: "3.x"
 
       - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
diff --git a/Dockerfile b/Dockerfile
index ec2a2637..eade13c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,8 +18,7 @@ RUN install-zef-as-user && zef install Pod::To::HTML
 RUN curl -L http://cpanmin.us | perl - App::cpanminus
 RUN cpanm --installdeps --notest Pod::Simple
 
-RUN echo 'docutils==0.18.1 --hash=sha256:23010f129180089fbcd3bc08cfefccb3b890b0050e1ca00c867036e9d161b98c' > /tmp/requirements.txt && \
-    pip install -r /tmp/requirements.txt
+RUN pip install docutils==0.18.1
 
 ENV PATH $PATH:/root/.rbenv/bin:/root/.rbenv/shims
 RUN curl -fsSL https://github.com/rbenv/rbenv-installer/raw/master/bin/rbenv-installer | bash
@@ -27,7 +26,7 @@ RUN rbenv install 2.4.1
 RUN rbenv global 2.4.1
 RUN rbenv rehash
 
-RUN gem install bundler -v 2.4.10
+RUN gem install bundler -v 2.3.26
 
 WORKDIR /data/github-markup
 COPY github-markup.gemspec .
diff --git a/Gemfile.lock b/Gemfile.lock
index 23b61036..525e2c94 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -138,4 +138,4 @@ DEPENDENCIES
   wikicloth (= 0.8.3)
 
 BUNDLED WITH
-   2.4.10
+   2.3.26