From c8f7c906795f63325f8e998805b5e79d659ffb93 Mon Sep 17 00:00:00 2001 From: "D. Michael Piscitelli" Date: Sun, 19 Apr 2026 01:14:12 +0200 Subject: [PATCH] security: SHA-pin GitHub Actions + add Dependabot Replaces tag-based uses: refs with immutable commit SHAs. Closes the attack class where a compromised action tag (e.g., the Mar 2026 reviewdog incident) gets picked up automatically on next workflow run. - actions/checkout@v4 -> @34e114876b0b11c390a56381ad16ebd13914f8d5 - actions/setup-python@v5 -> @a26af69be951a213d495a4c3e4e4022e16d87065 Adds .github/dependabot.yml to keep the pins fresh. Part of platform-wide supply chain hardening Phase 1. Plan: herakles-linux-opus/supply-chain-audit/SYSTEMIC_HARDENING_PLAN.md Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/dependabot.yml | 11 +++++++++++ .github/workflows/test.yml | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..d064279 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + # Keep SHA-pinned GitHub Actions fresh without losing the pin. + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + open-pull-requests-limit: 5 + labels: + - "dependencies" + - "security" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c4eb3d7..bc4c8cd 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,10 +14,10 @@ jobs: python-version: ["3.11", "3.12"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: ${{ matrix.python-version }}