Skip to content

ci: pin Actions and add dependency and code-security monitoring #331

Description

@WalksWithASwagger

Summary

Pin GitHub Actions and add least-privilege automated dependency monitoring and static analysis.

Context

  • Blocked by pipeline: make stop labels sticky and PR policy checks blocking #326 and security: add a dependency audit command and CI gate #330.
  • Roadmap phase: Phase 1 - supply-chain hardening
  • Relevant files: all active .github/workflows/*.yml, a new .github/dependabot.yml, new CodeQL and dependency-review workflows, and tests/agentic/test_workflows.py
  • Current behavior: Actions use mutable release tags and the repository has no Dependabot, CodeQL, or dependency-review configuration.
  • Desired behavior: every third-party action has immutable provenance and GitHub continuously reports dependency and code-security drift without auto-merging.

Implementation Notes

  • Pin every uses: reference to a full commit SHA with a nearby release-tag comment.
  • Configure weekly grouped updates for root npm, frontend npm, pip, and GitHub Actions.
  • Run CodeQL for Python and JavaScript/TypeScript on PRs, main, and a weekly schedule.
  • Run dependency review on PRs with minimal permissions.

Acceptance Criteria

  • Every active uses: reference is pinned to a 40-character commit SHA and documents the reviewed release tag.
  • Weekly grouped Dependabot updates cover root npm, frontend npm, pip, and GitHub Actions.
  • Dependency updates never auto-merge.
  • CodeQL analyzes Python and JavaScript/TypeScript on PRs, main, and a weekly schedule.
  • Dependency review runs on pull requests.
  • All new workflows use least-privilege permissions and expose no provider credentials.
  • Workflow tests enforce SHA pins and parse every new YAML file.

Tests/Evals

  • Add structural tests for full-SHA pins, permissions, triggers, and supported ecosystems.
  • The first successful GitHub Actions runs are part of acceptance.

Verification

  • python3 -m pytest tests/agentic/test_workflows.py -q
  • npm test
  • npm run verify:security
  • Confirm every active uses: value matches a 40-character SHA.
  • Link successful CodeQL and dependency-review runs from the PR or issue.

Agent Instructions

Human Checkpoints

  • Maintainer must review Action provenance and decide later whether new checks become branch-protection requirements.

Out of Scope

  • Fixing unrelated findings surfaced by CodeQL.
  • Dependency version upgrades beyond required workflow setup.
  • Required-check settings or merge automation.
  • Provider or deployment credentials.

Linear

Not applicable. Rafiki delivery is GitHub-only; do not create or update a Linear issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    blockedWork cannot proceed until a blocker is resolved.phase-1Phase 1 — Polish & StabilitypipelineCore pipeline toolingsecuritySecurity and secrets managementtech-debtTechnical debttestsTest coverage, smoke checks, and acceptance automationtype:taskImplementation task

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions