
fix: pin dependabot/fetch-metadata action to immutable SHA #280

Merged
BunsDev merged 1 commit into main from codex/fix-mutable-action-vulnerability-in-workflow on Jul 1, 2026

Conversation

@BunsDev BunsDev (Member) commented Jun 30, 2026

Motivation

  • The pull_request_target workflow granted contents: write and pull-requests: write, but it executed dependabot/fetch-metadata@v2 (a mutable tag) which creates a supply-chain risk if that action tag is compromised, so the action must be pinned to an immutable reviewed commit SHA.

Description

  • Replace the mutable uses: dependabot/fetch-metadata@v2 with the reviewed full commit SHA in /.github/workflows/dependabot-auto-merge.yml (uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0) while preserving the existing pull_request_target trigger, permissions, and merge behavior.

Testing

  • Verified the workflow now references a full 40-character SHA using a small Python regex check which succeeded.
  • Ran git diff --check which reported no trailing-whitespace or patch errors and succeeded.

Codex Task
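The Testing section above mentions a small Python regex check that confirms the workflow references a full 40-character SHA. The following is an added example in that spirit, not code from this PR or from the repository: it scans a workflow file for `uses:` entries and reports any remote action that is still referenced by a mutable tag or branch instead of an immutable commit SHA, and separately any SHA pin that lacks the human-readable `# vX.Y.Z` comment reviewers rely on. The workflow text is constructed for the example and deliberately mixes both forms; the SHA-pinned fetch-metadata line mirrors the one described in the PR, while `actions/checkout@v4` and the quoted `@v2` line are there only to exercise the unpinned path. It matches `uses:` lines with a regex rather than parsing YAML, which is enough for the one-line form GitHub workflows normally use.

```python
# Added example (not part of the PR or the project): a checker for GitHub
# Actions workflows that flags `uses:` references not pinned to a full
# 40-character commit SHA. The sample workflow below is constructed.
import re
from dataclasses import dataclass
from typing import List, Optional

# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: owner/repo[/path]@ref` with optional YAML quoting and an
# optional trailing `# comment` (conventionally the human-readable version).
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?([^\s"'@]+)@([^\s"'#]+)["']?\s*(?:#\s*(.*?))?\s*$"""
)


@dataclass
class ActionRef:
    line_no: int
    action: str
    ref: str
    comment: Optional[str]

    @property
    def pinned(self) -> bool:
        """True only if the ref is an immutable full-length commit SHA."""
        return SHA_RE.fullmatch(self.ref) is not None


def scan_workflow(text: str) -> List[ActionRef]:
    """Return every remote action reference found in a workflow file."""
    refs = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        # Local actions (./path) and docker:// images follow other pinning
        # rules and are skipped here. An unquoted local action has no '@'
        # and never matches USES_RE in the first place.
        if action.startswith(("./", "docker://")):
            continue
        refs.append(ActionRef(line_no, action, ref, comment or None))
    return refs


def unpinned_actions(text: str) -> List[ActionRef]:
    """References that use a mutable tag or branch instead of a SHA."""
    return [r for r in scan_workflow(text) if not r.pinned]


def pinned_without_version_comment(text: str) -> List[ActionRef]:
    """SHA pins that lack the `# vX.Y.Z` comment reviewers rely on."""
    return [r for r in scan_workflow(text) if r.pinned and not r.comment]


# Constructed sample: a pull_request_target workflow with write permissions,
# one SHA-pinned action (as in the PR) and two mutable-tag references.
SAMPLE_WORKFLOW = """\
name: Dependabot auto-merge
on: pull_request_target
permissions:
  contents: write
  pull-requests: write
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
      - uses: ./.github/actions/local-helper
      - uses: "dependabot/fetch-metadata@v2"
"""

if __name__ == "__main__":
    for r in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action}@{r.ref} is not pinned to a commit SHA")
    for r in pinned_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action} is pinned but has no version comment")
```

Run against the sample, the checker reports lines 10 and 15 as unpinned and accepts the SHA-pinned line 13, whose `# v2.4.0` comment is captured so the version can be shown next to the opaque hash. Pointing `scan_workflow` at each file under `.github/workflows/` in CI gives a cheap guard against a future change reintroducing a mutable tag.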

Copilot AI review requested due to automatic review settings June 30, 2026 19:43

Copilot AI (Contributor) left a comment

Pull request overview

This PR reduces GitHub Actions supply-chain risk in the Dependabot auto-merge workflow by pinning dependabot/fetch-metadata to an immutable commit SHA while keeping the existing pull_request_target permissions and merge gating behavior intact.

Changes:

  • Replace dependabot/fetch-metadata@v2 with a full 40-character commit SHA (08eff52…) annotated as v2.4.0.
  • Preserve the workflow’s existing trigger (pull_request_target), permissions, and security-update-only merge condition.


@BunsDev BunsDev force-pushed the codex/fix-mutable-action-vulnerability-in-workflow branch from 588a424 to 410961a June 30, 2026 20:28
@BunsDev BunsDev merged commit 7c6faf1 into main Jul 1, 2026
15 checks passed
@BunsDev BunsDev deleted the codex/fix-mutable-action-vulnerability-in-workflow branch July 1, 2026 05:54


2 participants