chore(ci): pin actions to SHAs + gate dependabot auto-merge on tests#21
Merged
Conversation
- Pin every GitHub Action to a commit SHA (with a version comment) so a malicious force-re-tag of an action cannot slip in via auto-merge.
- Rewrite dependabot-auto-merge to wait for the test suite to pass on the PR head SHA before merging (semver-minor/patch only; majors stay manual). Deliberately avoids branch protection / required status checks, which would block pint.yml and update-changelog.yml direct pushes to main.
- Normalize fetch-metadata to v3.1.0 across both packages.
What

Two supply-chain hardening changes to the CI, following the question "is it safe to keep Dependabot auto-merge?".

1. Pin every GitHub Action to a commit SHA

All actions were tag-pinned (`@v6`, `@2.6`, …), so a force-re-tag of an upstream action (the laravel-lang attack class) could be pulled silently — and auto-merged. Now every `uses:` is pinned to a commit SHA with a `# vX` comment; Dependabot still bumps the SHA + comment.

2. Gate auto-merge on the test suite

Dependabot auto-merge previously used `gh pr merge --auto`, but `main` has no required status checks, so `--auto` merged as soon as the PR was mergeable — not when tests passed. The workflow now waits for the test run on the PR head SHA to finish and merges only on success (semver-minor/patch; majors stay manual).

Why not branch protection / required checks? Because `pint.yml` and `update-changelog.yml` push directly to `main` via `git-auto-commit-action`; required checks on `main` would block those pushes. Gating inside the workflow achieves the same guarantee without breaking the release flow.

Also normalized `fetch-metadata` to `v3.1.0` across both packages (they had drifted).

Verification

- `yq -e`); zero `@v`/tag refs remain — every action SHA-pinned.
- `pull_request_target` + `github.actor == dependabot[bot]`), so it cannot be exercised by this PR — it will be proven on the next Dependabot github-actions bump.
- No release/tag; CI-only change.
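The two checks described in the PR body (no mutable `@v`/tag refs left in any `uses:` line, and auto-merge only for minor/patch bumps whose test run on the head SHA has completed successfully) can be expressed as small pure functions. The block below is an added example, not code from this PR or the project: the workflow snippet, the 40-hex SHA values and the check-run records are constructed, the required check name `tests` is an assumed placeholder, and `update_type` follows the `version-update:semver-*` values that `dependabot/fetch-metadata` exposes in its `update-type` output.

```python
import re

# A `uses:` line in a GitHub Actions workflow: captures the action reference
# (owner/repo[/path]@ref) and an optional trailing "# vX" version comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?",
    re.MULTILINE,
)
# A full 40-hex commit SHA; anything else (tag, branch, short SHA) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not the project's). SHAs here are fake.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-helper
      - uses: example/unpinned-comment@89abcdef0123456789abcdef0123456789abcdef
"""


def find_unpinned_uses(workflow_text):
    """Return (action_ref, reason) for every `uses:` that is not pinned to a
    full commit SHA or lacks the '# vX' comment Dependabot uses to track the
    version. Local (./...) and docker:// references are skipped."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action = m.group("action")
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if "@" not in action:
            findings.append((action, "no ref at all"))
            continue
        ref = action.rsplit("@", 1)[1]
        if not SHA_RE.match(ref):
            findings.append((action, f"mutable ref {ref!r}"))
        elif not m.group("comment"):
            findings.append((action, "SHA pinned but missing '# vX' version comment"))
    return findings


# Only these fetch-metadata update types are eligible; majors stay manual.
SEMVER_ALLOWED = {"version-update:semver-minor", "version-update:semver-patch"}


def auto_merge_decision(update_type, check_runs, required_check="tests"):
    """Decide whether a Dependabot PR may be merged.

    check_runs must be the check runs for the PR *head SHA* (not the base
    branch), each a dict with "name", "status" and "conclusion". Returns
    (should_merge, reason). Assumed check name: "tests" (placeholder)."""
    if update_type not in SEMVER_ALLOWED:
        return False, f"{update_type} is not minor/patch; leave for manual review"
    runs = [r for r in check_runs if r["name"] == required_check]
    if not runs:
        # The gate must keep waiting rather than merge on "no checks yet".
        return False, f"no {required_check!r} run on head SHA yet"
    for r in runs:
        if r["status"] != "completed":
            return False, f"{required_check!r} still {r['status']}"
        if r["conclusion"] != "success":
            return False, f"{required_check!r} concluded {r['conclusion']}"
    return True, "all required checks succeeded on head SHA"


if __name__ == "__main__":
    for action, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"UNPINNED: {action}: {reason}")
    ok, why = auto_merge_decision(
        "version-update:semver-patch",
        [{"name": "tests", "status": "completed", "conclusion": "success"}],
    )
    print("merge" if ok else "hold", "-", why)
```

The audit function is the automatable form of the "zero `@v`/tag refs remain" verification step; the decision function captures the two properties the PR body relies on: an absent or still-running check run is a "hold", never a merge, and the checks consulted are those attached to the PR head SHA, so a push after the run started cannot ride on an earlier green result.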