Skip to content

chore(ci): harden supply chain — pin actions to SHA + least-privilege permissions#11

Merged
mdheller merged 1 commit into
mainfrom
chore/harden-ci
Jul 5, 2026
Merged

chore(ci): harden supply chain — pin actions to SHA + least-privilege permissions#11
mdheller merged 1 commit into
mainfrom
chore/harden-ci

Conversation

@mdheller

@mdheller mdheller commented Jul 5, 2026

Copy link
Copy Markdown
Member

Supply-chain + least-privilege hardening (opened by a keeper pass — for your review, not auto-merged).

  • Pin actions to full commit SHA (version comment retained) — floating @vN tags are a supply-chain injection vector.
  • Add least-privilege permissions: contents: read where absent.
  • Add .github/dependabot.yml (github-actions, weekly) to keep pins current.

Changed: validate.yml +perms, dependabot.yml (new)

🤖 Generated with Claude Code

… permissions

Pin GitHub Actions to full commit SHA (floating tags are a supply-chain injection
vector), add least-privilege permissions, and add dependabot to maintain the pins.
@mdheller mdheller merged commit c90d0f4 into main Jul 5, 2026
5 checks passed
@mdheller mdheller deleted the chore/harden-ci branch July 5, 2026 01:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant