Skip to content

security: SHA-pin GitHub Actions + add Dependabot#1

Merged
herakles-dev merged 1 commit into
mainfrom
security/pin-action-refs
Apr 18, 2026
Merged

security: SHA-pin GitHub Actions + add Dependabot#1
herakles-dev merged 1 commit into
mainfrom
security/pin-action-refs

Conversation

@herakles-dev

Copy link
Copy Markdown
Owner

Summary

Pilot PR for platform-wide workflow hardening (Supply Chain Audit Phase 1).

Replaces tag-based action refs with immutable commit SHAs + adds Dependabot to keep pins fresh.

Why

Tag-based uses: actions/checkout@v4 is mutable — anyone with push access to actions/checkout can retarget v4 at a malicious commit. Subsequent CI runs pick it up silently. This is exactly the failure class behind the March 2026 reviewdog incident.

SHA-pinning makes the action immutable. Dependabot keeps it fresh.

Changes

  • .github/workflows/test.yml — 2 action refs pinned:
    • actions/checkout@v4@34e114876b0b11c390a56381ad16ebd13914f8d5 (v4)
    • actions/setup-python@v5@a26af69be951a213d495a4c3e4e4022e16d87065 (v5)
  • .github/dependabot.yml — new; weekly bumps on github-actions ecosystem.

Verification

SHAs resolved via gh api repos/actions/{action}/commits/{tag}. Reviewers can re-verify:

gh api repos/actions/checkout/commits/v4 --jq .sha
gh api repos/actions/setup-python/commits/v5 --jq .sha

Test plan

  • CI passes (pytest runs under the new pinned actions)
  • Dependabot activates within 24h of merge (check Insights → Dependency graph)

Reference

  • Scoping doc: herakles-linux-opus/supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md
  • Parent session: sessions/hercules-supply-chain-audit/

🤖 Generated with Claude Code

Replaces tag-based `uses:` refs with immutable commit SHAs.
Closes the attack class where a compromised action tag
(e.g., the Mar 2026 reviewdog incident) gets picked up
automatically on next workflow run.

- actions/checkout@v4 -> @34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-python@v5 -> @a26af69be951a213d495a4c3e4e4022e16d87065

Adds .github/dependabot.yml to keep the pins fresh:
Dependabot opens a PR when the underlying tag moves,
so pinning doesn't become freeze.

Part of platform-wide supply chain hardening Phase 1.
Plan: herakles-linux-opus/supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@herakles-dev herakles-dev merged commit e524c30 into main Apr 18, 2026
1 check passed
@herakles-dev herakles-dev deleted the security/pin-action-refs branch April 18, 2026 23:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant