-
Notifications
You must be signed in to change notification settings - Fork 0
ci: pin Actions and add dependency and code-security monitoring #331
Copy link
Copy link
Open
Labels
blockedWork cannot proceed until a blocker is resolved.Work cannot proceed until a blocker is resolved.phase-1Phase 1 — Polish & StabilityPhase 1 — Polish & StabilitypipelineCore pipeline toolingCore pipeline toolingsecuritySecurity and secrets managementSecurity and secrets managementtech-debtTechnical debtTechnical debttestsTest coverage, smoke checks, and acceptance automationTest coverage, smoke checks, and acceptance automationtype:taskImplementation taskImplementation task
Description
Metadata
Metadata
Assignees
Labels
blockedWork cannot proceed until a blocker is resolved.Work cannot proceed until a blocker is resolved.phase-1Phase 1 — Polish & StabilityPhase 1 — Polish & StabilitypipelineCore pipeline toolingCore pipeline toolingsecuritySecurity and secrets managementSecurity and secrets managementtech-debtTechnical debtTechnical debttestsTest coverage, smoke checks, and acceptance automationTest coverage, smoke checks, and acceptance automationtype:taskImplementation taskImplementation task
Summary
Pin GitHub Actions and add least-privilege automated dependency monitoring and static analysis.
Context
.github/workflows/*.yml, a new.github/dependabot.yml, new CodeQL and dependency-review workflows, andtests/agentic/test_workflows.pyImplementation Notes
uses:reference to a full commit SHA with a nearby release-tag comment.main, and a weekly schedule.Acceptance Criteria
uses:reference is pinned to a 40-character commit SHA and documents the reviewed release tag.main, and a weekly schedule.Tests/Evals
Verification
python3 -m pytest tests/agentic/test_workflows.py -qnpm testnpm run verify:securityuses:value matches a 40-character SHA.Agent Instructions
codex/issue-<this-issue>-supply-chain-baseline.Human Checkpoints
Out of Scope
Linear
Not applicable. Rafiki delivery is GitHub-only; do not create or update a Linear issue.