Skip to content

Improve supply chain security and fix secret sync command#10

Merged
nsheaps merged 1 commit intomainfrom
claude/1password-secrets-sync-gSdMW
Mar 8, 2026
Merged

Improve supply chain security and fix secret sync command#10
nsheaps merged 1 commit intomainfrom
claude/1password-secrets-sync-gSdMW

Conversation

@nsheaps
Copy link
Owner

@nsheaps nsheaps commented Mar 8, 2026

Summary

This PR improves the security posture of the 1Password secret sync action and fixes a bug in the secret synchronization command.

Key Changes

  • Pin 1Password CLI action to commit SHA: Updated the 1password/install-cli-action dependency from a floating version tag (v2) to a pinned commit SHA (9a0c9dd934086b7ab1d90115d455bda1c53c2bdb) with a comment indicating the version (v2.0.2). This prevents supply chain attacks by ensuring the exact version of the action is used rather than allowing automatic updates.

  • Fix gh secret set command: Removed the --body - flags from the gh secret set command. The --body - syntax is not a valid option for this command and was causing the secret synchronization to fail. The corrected command now properly sets secrets without these invalid flags.

Implementation Details

  • The commit SHA pinning follows GitHub's security best practices for using third-party actions
  • A comment has been added to document why the commit SHA is pinned and when it should be updated
  • The gh secret set command now relies on standard input piping (via echo "$value" |) without explicit flags, which is the correct usage pattern

https://claude.ai/code/session_01SvzkZUEyQnbHgMWodBoq65

@claude
fix: pin 1password CLI action and fix gh secret set stdin handling
d7d176d 
Pin 1password/install-cli-action to commit SHA (v2.0.2) for supply
chain security. Remove erroneous --body - flag from gh secret set
which passed the literal string "-" instead of reading piped stdin.

https://claude.ai/code/session_01SvzkZUEyQnbHgMWodBoq65
@nsheaps nsheaps marked this pull request as ready for review March 8, 2026 21:25
@nsheaps nsheaps enabled auto-merge (squash) March 8, 2026 21:25
@nsheaps nsheaps disabled auto-merge March 8, 2026 21:26
@nsheaps nsheaps merged commit fbb1c49 into main Mar 8, 2026
2 checks passed
@nsheaps nsheaps deleted the claude/1password-secrets-sync-gSdMW branch March 8, 2026 21:26
@automation-nsheaps automation-nsheaps bot mentioned this pull request Mar 9, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nsheaps @claude