From 08b0a39f80eaeb5fd58840b989b37a3633915b98 Mon Sep 17 00:00:00 2001 From: chris-colinsky Date: Tue, 12 May 2026 19:30:00 -0700 Subject: [PATCH] chore: pin GitHub Actions to SHAs, add dependabot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Tag refs are mutable; SHA pins are not. CodeQL flagged "unpinned 3rd-party action" findings 21 + 22 against the docs.yml workflow on PR #32; the same warning applied to every workflow but hadn't been triaged. Pin all sixteen action references across the four workflows to commit SHAs with the resolved version recorded as an inline comment. Action versions captured: - actions/checkout → v6.0.2 - astral-sh/setup-uv → v8.1.0 - cloudflare/wrangler-action → v4.0.0 (bumped from v3) - github/codeql-action → v3.35.4 - actions/upload-artifact → v7.0.1 - actions/download-artifact → v8.0.1 - pypa/gh-action-pypi-publish → release/v1 branch tip - softprops/action-gh-release → v2.6.2 The wrangler-action bump from v3 to v4 is the deliberate move: v4 uses node24, resolving the Node.js 20 deprecation warning that's been firing on every Docs workflow run. v4's only major change is bumping the bundled Wrangler CLI default from v3 to v4, which is transparent to our `pages deploy` invocation. The maintenance pair is .github/dependabot.yml — Dependabot watches the github-actions ecosystem and surfaces version bumps as PRs each month, so SHA-pinning's "no auto-updates" downside gets handled automatically. Monthly cadence keeps PR volume bounded; action releases cluster around new runner features and platform updates, so a month is long enough for batching without missing real security advisories. After merge, the open CodeQL findings 21 + 22 on PR #32 should be auto-dismissed once the next CodeQL scan re-runs against the pinned workflows. --- .github/dependabot.yml | 24 ++++++++++++++++++++++++ .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 6 +++--- .github/workflows/docs.yml | 6 +++--- .github/workflows/release.yml | 24 ++++++++++++------------ 5 files changed, 44 insertions(+), 20 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..ae43c534 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,24 @@ +# Dependabot configuration. +# +# All workflows pin third-party actions by commit SHA per CodeQL findings +# 21 + 22 on PR #32 and the chore/pin-action-shas plan in +# openarmature-coord/docs/future-work.md. SHA-pinning is a security +# posture choice — tag refs are mutable, SHAs are not — and Dependabot is +# the maintenance pair: it surfaces version bumps as PRs (with updated +# SHA + version comment), so the security benefit doesn't trade off +# against keeping actions current. +# +# Monthly cadence keeps the PR volume bounded. Action releases cluster +# around new GitHub Actions runner features and GH platform updates; a +# month is long enough for batched updates but short enough to catch +# real security advisories in time. +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "monthly" + open-pull-requests-limit: 10 + commit-message: + prefix: "chore" + include: "scope" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05981a61..ec888591 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,13 +21,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # Conformance fixtures live in the openarmature-spec submodule. submodules: recursive - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fba94227..916cde9b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -40,10 +40,10 @@ jobs: language: [actions, python] steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4 with: languages: ${{ matrix.language }} # Reference the in-tree config so the rule-suppressions land. @@ -56,6 +56,6 @@ jobs: queries: security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3.35.4 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 8490357e..c2e0cfd0 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # mkdocstrings imports the package source; the spec submodule # is not referenced by docs but keep the conventional recursive @@ -41,7 +41,7 @@ jobs: submodules: recursive - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true @@ -62,7 +62,7 @@ jobs: # Only deploy on pushes to main. PR builds prove the site # builds but do not deploy. if: github.event_name == 'push' && github.ref == 'refs/heads/main' - uses: cloudflare/wrangler-action@v3 + uses: cloudflare/wrangler-action@ebbaa1584979971c8614a24965b4405ff95890e0 # v4.0.0 with: apiToken: ${{ secrets.CF_API_TOKEN }} accountId: ${{ secrets.CF_ACCOUNT_ID }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f8194896..c8447fac 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -23,13 +23,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: # Conformance fixtures live in the openarmature-spec submodule. submodules: recursive - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true @@ -86,12 +86,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: submodules: recursive - name: Install uv - uses: astral-sh/setup-uv@v8.1.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: true @@ -102,7 +102,7 @@ jobs: run: uv build - name: Upload dist artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: dist path: dist/ @@ -119,13 +119,13 @@ jobs: id-token: write steps: - name: Download dist artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist path: dist/ - name: Publish to TestPyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 branch tip with: repository-url: https://test.pypi.org/legacy/ @@ -145,13 +145,13 @@ jobs: id-token: write steps: - name: Download dist artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist path: dist/ - name: Publish to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 branch tip # GitHub Release with auto-generated notes from commits since the last # tag. Only fires on real releases (no suffix); pre-release tags leave @@ -164,16 +164,16 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Download dist artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: dist path: dist/ - name: Create GitHub Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: files: dist/* generate_release_notes: true