fix: harden GitHub Actions against supply chain attacks #265

Merged
CybotTM merged 1 commit into main from fix/harden-github-actions on Mar 20, 2026

Conversation

@CybotTM CybotTM commented Mar 20, 2026

Summary

  • Pin all GitHub Actions references to immutable commit SHAs (prevents tag/branch force-push attacks)
  • Add Dependabot configuration for automatic GitHub Actions version updates

Context

On 2026-03-19, aquasecurity/trivy-action was compromised via a tag force-push attack that exfiltrated secrets from CI runners. SHA-pinning prevents this class of attack entirely.

The netresearch org now enforces sha_pinning_required=true — workflows using tag/branch references will fail.

Ref: netresearch/ofelia#535

Test plan

  • Verify CI passes with SHA-pinned actions
  • Verify Dependabot creates PRs for action updates

This hardens the repository against supply chain attacks like the
aquasecurity/trivy-action compromise (2026-03-19).

Changes:
- Pin all GitHub Actions to immutable commit SHAs
- Add/update Dependabot configuration for github-actions ecosystem

Ref: netresearch/ofelia#535
Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
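The SHA-pinning rule the description relies on can be checked locally before the org-level `sha_pinning_required` policy rejects a workflow. This is an added example, not code from this PR or the netresearch project; the workflow text is constructed, the `example-org` actions are hypothetical, and the 40-hex SHA is a placeholder.

```python
import re

# One `uses:` step line, e.g. `- uses: owner/repo@<ref>  # v1.2.3` (Dependabot
# keeps that trailing version comment current when it bumps a SHA-pinned ref).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^\s'\"#]+)['\"]?\s*(?:#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref: str) -> str:
    """Classify a `uses:` reference by how trustworthy its version selector is."""
    if ref.startswith("./"):
        return "local"      # action lives in this repo; no external trust boundary
    if ref.startswith("docker://"):
        return "docker"     # image tags are mutable too; pin these by digest instead
    if "@" not in ref:
        return "unpinned"   # no selector at all
    version = ref.rsplit("@", 1)[1]
    # Only a full 40-hex commit SHA is immutable; tags and branches can be force-pushed.
    return "sha" if FULL_SHA_RE.match(version) else "mutable"

def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, category) for each non-SHA-pinned reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        category = classify(m.group("ref")) if m else "none"
        if category in ("mutable", "unpinned", "docker"):
            findings.append((lineno, m.group("ref"), category))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - name: Scan
        uses: example-org/scan-action@main
"""
if __name__ == "__main__":
    for lineno, ref, category in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({category}) -> pin to a full commit SHA")
```

Run it over every file under `.github/workflows/` in a pre-commit hook or a CI lint job so a tag or branch reference is caught before the org policy fails the run.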
Copilot AI review requested due to automatic review settings March 20, 2026 19:47
Copilot AI left a comment

Pull request overview

Adds Dependabot support for GitHub Actions updates as part of hardening CI supply-chain security.

Changes:

  • Introduces .github/dependabot.yml to enable weekly GitHub Actions update PRs
  • Groups all GitHub Actions updates into a single Dependabot PR

codecov bot commented Mar 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.49%. Comparing base (b513e12) to head (5e38d78).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main     #265   +/-   ##
=========================================
  Coverage     81.49%   81.49%           
  Complexity     2579     2579           
=========================================
  Files           172      172           
  Lines          7107     7107           
=========================================
  Hits           5792     5792           
  Misses         1315     1315           
Flag          Coverage Δ
integration   47.47% <ø> (ø)
unit          50.56% <ø> (ø)

@CybotTM CybotTM merged commit d5b2a9b into main Mar 20, 2026
24 checks passed
@CybotTM CybotTM deleted the fix/harden-github-actions branch March 20, 2026 22:38