Skip to content

chore(ci): harden supply chain — pin actions to SHA + least-privilege permissions#5

Merged
mdheller merged 1 commit into
mainfrom
chore/harden-ci
Jul 4, 2026
Merged

chore(ci): harden supply chain — pin actions to SHA + least-privilege permissions#5
mdheller merged 1 commit into
mainfrom
chore/harden-ci

Conversation

@mdheller

@mdheller mdheller commented Jul 4, 2026

Copy link
Copy Markdown
Member

Supply-chain + least-privilege hardening of CI.

  • Pin actions to full commit SHA (with version comment) — floating @vN tags are a supply-chain injection vector.
  • Add permissions: contents: read at the workflow level (least privilege for the default GITHUB_TOKEN).
  • Add .github/dependabot.yml (github-actions, weekly) so the pins stay current.

Changed: .github/workflows/validate.yml +perms, .github/dependabot.yml (new)

🤖 Generated with Claude Code

… permissions

Pin every GitHub Action to its full commit SHA (floating tags are a supply-chain
injection vector), add top-level `permissions: contents: read` (least privilege), and
add dependabot to keep the pins maintained.
@mdheller mdheller merged commit 051f169 into main Jul 4, 2026
2 checks passed
@mdheller mdheller deleted the chore/harden-ci branch July 4, 2026 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant