
security: SHA-pin GitHub Actions + add Dependabot #1

Open

herakles-dev wants to merge 1 commit into main from security/pin-action-refs

security: SHA-pin GitHub Actions + add Dependabot#1
herakles-dev wants to merge 1 commit into
mainfrom
security/pin-action-refs

Conversation

@herakles-dev

Owner

Summary

Part of platform-wide workflow hardening (Supply Chain Audit Phase 1). Companion PR to herakles-dev/anvil#1 (pilot, merged).

Replaces tag-based action refs with immutable commit SHAs + adds Dependabot to keep pins fresh.

Why

Tag refs like uses: actions/checkout@v4 are mutable. Anyone with push access to the action repo can retarget v4 at a malicious commit; subsequent CI runs pick it up silently — the March 2026 reviewdog incident shape.

SHA-pinning makes the ref immutable. Dependabot keeps it current.

Changes

  • .github/workflows/test.yml — 2 action refs pinned:
    • actions/checkout@v4 → actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 (v4)
    • actions/setup-python@v5 → actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 (v5)
  • .github/dependabot.yml — new; weekly bumps on github-actions ecosystem.

Verification

SHAs resolved via `gh api repos/actions/{action}/commits/{tag}`.

Test plan

  • CI passes with the pinned actions
  • Dependabot activates within 24h of merge

Reference: `herakles-linux-opus/supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md`

🤖 Generated with Claude Code

Replaces tag-based uses: refs with immutable commit SHAs.
Closes the attack class where a compromised action tag
(e.g., the Mar 2026 reviewdog incident) gets picked up
automatically on next workflow run.

- actions/checkout@v4 -> @34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-python@v5 -> @a26af69be951a213d495a4c3e4e4022e16d87065

Adds .github/dependabot.yml to keep the pins fresh.

Part of platform-wide supply chain hardening Phase 1.
Plan: herakles-linux-opus/supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
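As an added example (not code from this PR or the herakles-dev repositories), below is a small stand-alone Python check of the property this PR enforces: every remote `uses:` ref in a workflow must be a full 40-hex commit SHA, and each SHA pin should carry the trailing `# vN` comment that Dependabot maintains so reviewers can see which version the pin tracks. The two workflow texts are constructed samples shaped like the `test.yml` described above, using the two SHAs listed in the PR; the `gh api` line in the comment is the resolution step the PR's Verification section names and is not executed here.

```python
import re

# Constructed sample of the kind of workflow this PR changes: tag refs (mutable).
BEFORE = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pytest
"""

# Same workflow after pinning to the commit SHAs listed in the PR, with the
# "# vN" trailing comment that Dependabot updates alongside the SHA.
AFTER = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: "3.12"
      - run: python -m pytest
"""

# A `uses:` step line: action path, the ref after '@', optional trailing comment.
# Local (./path) and docker:// refs carry no '@' and are not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """'sha' only for a full 40-hex commit id; tags, branches and short SHAs are 'mutable'."""
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text: str) -> list:
    """Return one finding per `uses:` step that references a remote action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m is None:
            continue  # not a remote `uses:` step
        comment = (m.group("comment") or "").strip() or None
        findings.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": m.group("ref"),
            "kind": classify_ref(m.group("ref")),
            "comment": comment,
        })
    return findings


def unpinned(text: str) -> list:
    """Refs that must be replaced before merge, e.g. 'actions/checkout@v4'."""
    return [f"{f['action']}@{f['ref']}" for f in audit_workflow(text) if f["kind"] == "mutable"]


def sha_pins_missing_version_comment(text: str) -> list:
    """SHA pins with no '# vN' comment: still immutable, but the human-readable
    version the pin tracks is lost for reviewers and for Dependabot's bump PRs."""
    return [f["action"] for f in audit_workflow(text) if f["kind"] == "sha" and not f["comment"]]


if __name__ == "__main__":
    # Resolving a tag to its SHA is done out-of-band, as the PR describes:
    #   gh api repos/actions/checkout/commits/v4 --jq .sha
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: unpinned={unpinned(text)} "
              f"missing-comment={sha_pins_missing_version_comment(text)}")
```

Run against a real `.github/workflows/*.yml` the same functions give a merge-blocking list (`unpinned`) and an advisory list (`sha_pins_missing_version_comment`); a short SHA such as `34e1148` is deliberately treated as mutable, since it is not what Dependabot rewrites and is not collision-resistant.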
