
ci: SHA-pin all actions, add dependency review and Dependabot #81

Merged
stevenobiajulu merged 1 commit into main from ci/sha-pin-actions, Apr 7, 2026
Conversation

@stevenobiajulu
Member

Summary

  • SHA-pin 14 unique GitHub Actions across 5 workflow files to prevent tag-based supply chain attacks
  • Add .github/CODEOWNERS workflow protection (.github/workflows/** @UseJunior)
  • Add .github/dependabot.yml for weekly automated GitHub Actions updates
  • Add dependency-review-action job to ci.yml for PR dependency scanning
  • Tighten top-level permissions to contents: read, elevate per-job only where needed

Test plan

  • Verify all CI jobs pass on this branch
  • Confirm Dependabot opens its first PR for github-actions updates after merge
  • Confirm dependency-review-action runs on a test PR

Supply chain hardening for CI/CD workflows:

- Pin all GitHub Actions to full SHA hashes across all 5 workflow files
  (ci.yml, mcpb-smoke.yml, pr-title.yml, release.yml, semgrep.yml)
- Add dependency-review-action job to ci.yml for PR vulnerability scanning
- Add .github/dependabot.yml for weekly GitHub Actions update PRs
- Add explicit .github/workflows/** entry to CODEOWNERS
- Add top-level `permissions: contents: read` to ci.yml, mcpb-smoke.yml,
  and release.yml to enforce least-privilege defaults

Pinned actions:
  actions/checkout@v4, actions/setup-node@v4, actions/upload-artifact@v4,
  actions/download-artifact@v4, actions/upload-pages-artifact@v3,
  actions/deploy-pages@v4, actions/github-script@v7,
  actions/create-github-app-token@v2, actions/dependency-review-action@v4.9.0,
  rhysd/actionlint@v1.7.11, github/codeql-action@v3,
  codecov/codecov-action@v5, softprops/action-gh-release@v2,
  amannn/action-semantic-pull-request@v5
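Two of the checks a reviewer would want to run against workflow files after a change like this are mechanical: is every third-party `uses:` reference pinned to a full commit SHA rather than a tag, and does the workflow declare a top-level `permissions:` default. The script below is an added example, not tooling from this repository or from GitHub; the two embedded workflow snippets are constructed samples, and the 40-hex SHAs in the pinned version are placeholders, not the real commits of `actions/checkout` or `actions/setup-node`.

```python
"""Audit GitHub Actions workflow text for two of the hardening points in this PR:

1. every third-party `uses:` reference is pinned to a full 40-hex commit SHA, not to a
   mutable tag or branch such as `v4` or `main`;
2. the workflow declares a top-level `permissions:` block (e.g. `contents: read`), so
   jobs start from a least-privilege token and elevate only where they opt in.

Added example, not tooling from the repository. It works on the raw YAML text with
regexes (no PyYAML dependency), which is enough for the one-line `uses:` entries
GitHub workflows contain.
"""
import re
import sys
from pathlib import Path

# `- uses: owner/repo@ref`, possibly quoted; the value ends at whitespace, a quote or '#'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full commit SHA is exactly 40 lowercase hex digits; anything else is a movable ref.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Top-level keys sit at column 0; a job-level `permissions:` is indented and not counted.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:", re.MULTILINE)


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, action, ref) for every `uses:` not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        # Local composite actions and docker:// images are not fetched by git ref.
        if value.startswith(("./", "docker://")):
            continue
        action, _, ref = value.rpartition("@")
        if not action:  # no '@' at all: `uses: actions/checkout` is also unpinned
            action, ref = value, ""
        if not SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


def has_top_level_permissions(workflow_text: str) -> bool:
    """True when the workflow sets a default `permissions:` at the top level."""
    return TOP_PERMISSIONS_RE.search(workflow_text) is not None


def audit_file(path: Path) -> int:
    """Print findings for one workflow file; return the number of problems found."""
    text = path.read_text(encoding="utf-8")
    problems = 0
    for lineno, action, ref in find_unpinned(text):
        print(f"{path}:{lineno}: {action}@{ref or '<none>'} is not pinned to a commit SHA")
        problems += 1
    if not has_top_level_permissions(text):
        print(f"{path}: no top-level permissions: block (add e.g. 'permissions: contents: read')")
        problems += 1
    return problems


# Constructed sample: the tag-pinned form this PR replaces. `v4` is a mutable tag that
# whoever controls the action repository (or a stolen maintainer token) can repoint.
BEFORE = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm test
"""

# Constructed sample: the SHA-pinned form. The SHAs are PLACEHOLDERS, not the real commits
# of these actions. The trailing `# v4` comment records which release the SHA was taken
# from, so a reviewer can still tell what version is pinned.
AFTER = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4
        with:
          node-version: 20
      - run: npm test
"""

if __name__ == "__main__":
    # No arguments: show the result on the constructed samples. Otherwise audit the given
    # files (e.g. .github/workflows/*.yml) and exit non-zero if anything needs fixing.
    if len(sys.argv) == 1:
        print("before:", find_unpinned(BEFORE), has_top_level_permissions(BEFORE))
        print("after: ", find_unpinned(AFTER), has_top_level_permissions(AFTER))
    else:
        total = sum(audit_file(Path(p)) for p in sys.argv[1:])
        sys.exit(1 if total else 0)
```

Run it as `python audit_workflows.py .github/workflows/*.yml` in CI or a pre-commit hook and it fails the build on any tag-pinned action or missing default `permissions:`. SHA pinning only stays current if something bumps the pins, which is what the `github-actions` Dependabot ecosystem added in this PR does on its weekly schedule; the version comment after each SHA is what keeps the pinned release readable to humans between those bumps.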
@vercel

vercel bot commented Apr 7, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: site; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Apr 7, 2026 3:42pm


@stevenobiajulu stevenobiajulu enabled auto-merge April 7, 2026 15:42
@stevenobiajulu stevenobiajulu merged commit d6ffddd into main Apr 7, 2026
20 of 22 checks passed
@codecov

codecov bot commented Apr 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

