From d63f89a42302dbbc2d2dc0a7903cc08a07ea7495 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Sat, 4 Jul 2026 19:57:05 -0400 Subject: [PATCH] =?UTF-8?q?chore(ci):=20harden=20supply=20chain=20?= =?UTF-8?q?=E2=80=94=20pin=20actions=20to=20SHA=20+=20least-privilege=20pe?= =?UTF-8?q?rmissions?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin every GitHub Action to its full commit SHA (floating tags are a supply-chain injection vector), add top-level `permissions: contents: read` (least privilege), and add dependabot to keep the pins maintained. --- .github/dependabot.yml | 6 ++++++ .github/workflows/validate.yml | 7 +++++-- 2 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..5ace460 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 8f8d0cb..36b5cb5 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -2,12 +2,15 @@ name: validate on: push: pull_request: +permissions: + contents: read + jobs: validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.12" - name: Install strict-validation deps