Skip to content

chore: harden supply chain — pin actions, persist-credentials, deny.toml#87

Merged
brendanjryan merged 3 commits intomasterfrom
georgen/supply-chain-hardening
Apr 14, 2026
Merged

chore: harden supply chain — pin actions, persist-credentials, deny.toml#87
brendanjryan merged 3 commits intomasterfrom
georgen/supply-chain-hardening

Conversation

@decofe
Copy link
Copy Markdown
Member

@decofe decofe commented Apr 14, 2026

  • Pin all GH Actions to SHAs via pinact (17 refs across 4 workflows + 2 composite actions)
  • Add persist-credentials: false to every actions/checkout
  • Pin npm install -g @anthropic-ai/claude-code@2.1.105 in changelog workflow
  • Pin pip install build==1.2.2.post1 twine==6.2.0 in composite action
  • Scope binary.yml permissions per-job (build=contents: read, upload=contents: write)
  • Add save-if to rust-cache in release workflow to prevent cache poisoning
  • Add permissions: contents: read to ci.yml
  • Add deny.toml with advisories + sources policy
  • Add dependabot.yml for cargo + github-actions with 7-day cooldown

Prompted by: georgen

@decofe @grandizzy
chore: harden supply chain — pin actions, add persist-credentials, de…
af5d917 
…ny.toml, dependabot

- Pin all GH Actions to SHAs (pinact)
- Add persist-credentials: false to every checkout
- Pin npm install claude-code and pip install build/twine versions
- Scope binary.yml permissions per-job (build=read, upload=write)
- Add save-if to rust-cache in release workflow to prevent cache poisoning
- Add permissions: contents: read to ci.yml
- Add deny.toml with advisories + sources policy
- Add dependabot.yml for cargo + github-actions with 7-day cooldown

Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
Amp-Thread-ID: https://ampcode.com/threads/T-019d8a55-43c3-7534-8f57-ef577697f48f
@socket-security
Copy link
Copy Markdown

socket-security bot commented Apr 14, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedcargo/​anyhow@​1.0.100 ⏵ 1.0.10281 +110093100100
Updatedcargo/​chrono@​0.4.43 ⏵ 0.4.449910093100100
Updatedcargo/​clap@​4.5.54 ⏵ 4.6.09910093100100
Updatedcargo/​inquire@​0.9.2 ⏵ 0.9.410010093100100
Updatedcargo/​rand@​0.9.2 ⏵ 0.9.4100100 +193100100
Updatedcargo/​regex@​1.12.2 ⏵ 1.12.310010093 -1100100
Updatedcargo/​semver@​1.0.27 ⏵ 1.0.2810010093100100
Updatedcargo/​tempfile@​3.24.0 ⏵ 3.27.098 -110093100100

View full report

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 14, 2026
edited
Loading

⚠️ Changelog not found.

A changelog entry is required before merging. We've generated a suggested changelog based on your changes:

Preview 
---
changelogs: patch
---

Hardened CI supply chain security by pinning all GitHub Actions to full commit SHAs, adding `persist-credentials: false` to checkout steps, scoping workflow permissions to least privilege, adding a `cargo deny` check via reusable workflow, and enabling Dependabot for automated dependency updates. Also bumped multiple Rust dependencies to their latest versions.

Add changelog to commit this to your branch.

decofe and others added 2 commits April 14, 2026 05:58
@grandizzy grandizzy marked this pull request as ready for review April 14, 2026 06:06
@brendanjryan brendanjryan merged commit 54f6936 into master Apr 14, 2026
6 checks passed
@Slokh Slokh mentioned this pull request Apr 14, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brendanjryan brendanjryan brendanjryan approved these changes

@Slokh Slokh Awaiting requested review from Slokh

@horsefacts horsefacts Awaiting requested review from horsefacts

Assignees

@grandizzy grandizzy

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@decofe @brendanjryan @grandizzy