Skip to content

[ci] harden GitHub Actions: SHA-pin all uses + dependabot#248

Open
haileyok wants to merge 2 commits into
mainfrom
harden-workflow-actions
Open

[ci] harden GitHub Actions: SHA-pin all uses + dependabot#248
haileyok wants to merge 2 commits into
mainfrom
harden-workflow-actions

Conversation

@haileyok
Copy link
Copy Markdown
Member

@haileyok haileyok commented May 12, 2026
edited
Loading

Summary

Pin every action in .github/workflows/ to a specific patch-release SHA.

Changes Made

Action Pinned to
actions/checkout v4.3.1
actions/setup-python v6.2.0
actions/setup-node v4.4.0
actions/cache v4.3.0
actions/upload-artifact v4.6.2
actions/configure-pages v5.0.0
actions/upload-pages-artifact v3.0.1
actions/deploy-pages v4.0.5
docker/setup-buildx-action v3.12.0
docker/login-action v3.7.0
docker/metadata-action v5.10.0
docker/build-push-action v5.4.0
astral-sh/setup-uv v7.6.0
softprops/action-gh-release v2.6.2
dtolnay/rust-toolchain @master SHA + toolchain: stable input (no tagged releases on this action)

Other changes bundled in:

  • .github/dependabot.yml: added github-actions ecosystem (weekly, grouped into one consolidated bump PR) so SHA pins stay current.

@haileyok @claude
[ci] harden GitHub Actions: SHA-pin all uses + dependabot
2527bcb 
Pin every action in .github/workflows/ to a specific patch-release SHA
with a tagged-version comment. Motivated by the May 2026 TanStack Mini
Shai-Hulud npm worm, which propagated via stolen npm OIDC tokens after
weaponizing floating tags in workflows holding credentials.

Also:
- Add github-actions ecosystem to .github/dependabot.yml (grouped) so
  the SHA pins don't bitrot.
- Replace archived actions-rs/toolchain@v1 with dtolnay/rust-toolchain
  pinned to master SHA, toolchain: stable as input.
- Add --ignore-scripts to npm ci in code-quality.yml as defense against
  postinstall-based typosquats (the secondary unscoped tanstack
  compromise).

No functional changes to workflow logic; every SHA is the latest patch
release within the major version already in use.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@haileyok haileyok marked this pull request as ready for review May 12, 2026 06:22
@haileyok haileyok requested review from a team, EXBreder, ayubun and vinaysrao1 as code owners May 12, 2026 06:22
@julietshen julietshen requested a review from cassidyjames May 15, 2026 17:44
juanmrad
juanmrad approved these changes May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@juanmrad juanmrad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juanmrad juanmrad juanmrad approved these changes

@ayubun ayubun Awaiting requested review from ayubun ayubun is a code owner

@EXBreder EXBreder Awaiting requested review from EXBreder EXBreder is a code owner

@vinaysrao1 vinaysrao1 Awaiting requested review from vinaysrao1 vinaysrao1 is a code owner

@cassidyjames cassidyjames Awaiting requested review from cassidyjames

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@haileyok @juanmrad @cassidyjames