
security: Harden supply chain for GitHub Actions workflows#375

Merged
ascorbic merged 1 commit into emdash-cms:main from erezrokah:claude/peaceful-hopper
Apr 8, 2026

Conversation

@erezrokah erezrokah commented Apr 8, 2026

What does this PR do?

Hardens CI supply chain security by pinning an unpinned GitHub Action to its commit SHA and restricting the Bonk AI assistant workflow to authorized repository collaborators.

Changes:

  • cla.yml: Pin contributor-assistant/github-action from tag v2.6.1 to commit SHA ca4a40a7d1004f18d9960b404b97e5f30a505a08
  • bonk.yml: Add author_association check (MEMBER/OWNER/COLLABORATOR) so only authorized users can invoke the Bonk AI assistant

Additional recommendations

The following hardening steps are also recommended but not included in this PR:

  • Add minimum-release-age (e.g. 3d) to workspace package.json under pnpm — prevents installing newly published packages before the community can detect malicious releases
  • Add cooldown (e.g. default: 3) to .github/dependabot.yml — delays Dependabot PRs for new releases
  • Add minimumReleaseAge and helpers:pinGitHubActionDigests to renovate.json — same cooldown for Renovate, plus automatic SHA pinning for Actions
  • Add block-exotic-subdeps to .npmrc — prevents transitive dependencies from using install scripts, git URLs, or other exotic specifiers

Why this matters — real-world supply chain attacks

GitHub Actions tag hijacking

  • tj-actions/changed-files (CVE-2025-30066, March 2025): Attacker compromised a maintainer PAT and rewrote all version tags to inject a credential-stealing step. Thousands of repos leaked CI secrets.
  • reviewdog (CVE-2025-30154, March 2025): Similar tag poisoning attack affecting multiple reviewdog actions.
  • Trivy (CVE-2026-33634): aquasecurity/trivy-action tag compromise injected mining code.
  • KICS (CVE-2026-33634, March 2026): TeamPCP hijacked 35 tags on checkmarx/kics-github-action, injecting credential-stealing malware targeting AWS, Azure, GCP, SSH keys, and Kubernetes tokens.
  • LiteLLM (CVE-2026-33634, March 2026): Downstream of the Trivy compromise — attackers exfiltrated LiteLLM's PyPI token via a compromised Trivy action in CI, then published backdoored litellm packages to PyPI with credential harvesting and remote code execution.

npm package hijacking

  • event-stream (2018): Maintainer handed off a popular package to an attacker who added a dependency (flatmap-stream) that stole Bitcoin wallet keys.
  • ua-parser-js (2021): Maintainer account compromised; malicious versions published with cryptominers and credential stealers. 7M+ weekly downloads affected.
  • colors.js / faker.js (2022): Maintainer deliberately sabotaged packages, causing infinite loops in downstream projects.
  • PyTorch torchtriton (2022): Dependency confusion attack on PyPI — attacker published torchtriton to the public registry, shadowing PyTorch's internal package.

Why cooldown / minimum-release-age matters

A 3-day minimum-release-age would have blocked all of the npm attacks above — each was detected and reverted within hours. The cooldown prevents your lockfile refresh from pulling a version before the community has time to flag it.

Type of change

  • Chore (dependencies, CI, tooling)

Checklist

  • I have read CONTRIBUTING.md
  • pnpm typecheck passes
  • pnpm --silent lint:json | jq '.diagnostics | length' returns 0
  • pnpm test passes (or targeted tests for my change)
  • pnpm format has been run
  • I have added/updated tests for my changes (if applicable)
  • I have added a changeset (if this PR changes a published package)
  • New features link to an approved Discussion: https://github.com/emdash-cms/emdash/discussions/...

AI-generated code disclosure

  • This PR includes AI-generated code

Pin CLA action to SHA and restrict Bonk workflow to authorized users.
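The property the cla.yml change restores is that every third-party `uses:` reference resolves to an immutable commit, not a movable tag. As an added check (not code from this PR or from the emdash repository), the POSIX shell helper below scans workflow files for `uses:` references that are not pinned to a full 40-hex SHA; `find_unpinned_uses` and `count_unpinned` are hypothetical names, and the trailing `# vX.Y.Z` comment is treated as informational, the same way Dependabot and Renovate treat it.

```shell
#!/bin/sh
# Hypothetical helper: flag GitHub Actions `uses:` references that are not
# pinned to a full commit SHA. Local actions (./path) and docker:// images are
# skipped because they are not resolved through a mutable git tag.

# Print one line per unpinned reference in a workflow file: "<file>:<line>: <ref>".
find_unpinned_uses() {
    f="$1"
    # grep -n keeps the line number; the sed strips "# v2.6.1"-style trailing comments
    grep -n -E '^[[:space:]]*-?[[:space:]]*uses:' "$f" |
    sed -E 's/[[:space:]]+#.*$//' |
    while IFS= read -r line; do
        lineno=${line%%:*}
        # drop the "N:" prefix, the "uses:" key and any surrounding quotes
        ref=$(printf '%s\n' "$line" |
              sed -E -e 's/^[0-9]+:[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' \
                     -e "s/^['\"]//" -e "s/['\"]\$//")
        case "$ref" in
            ./*|docker://*) continue ;;
        esac
        version=${ref##*@}
        # no "@" at all, or a ref that is not exactly 40 hex chars, is a mutable pin
        if [ "$version" = "$ref" ] || ! printf '%s\n' "$version" | grep -Eq '^[0-9a-fA-F]{40}$'; then
            printf '%s:%s: %s\n' "$f" "$lineno" "$ref"
        fi
    done
}

# Count unpinned references across a workflow directory; 0 means everything is pinned.
count_unpinned() {
    n=0
    for f in "$1"/*.yml "$1"/*.yaml; do
        [ -f "$f" ] || continue
        n=$((n + $(find_unpinned_uses "$f" | wc -l)))
    done
    echo "$n"
}
```

Run `count_unpinned .github/workflows` in CI and fail the job when it is non-zero to keep the repo in the state this PR leaves it in.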
changeset-bot bot commented Apr 8, 2026

⚠️ No Changeset found

Latest commit: 646a07e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


pkg-pr-new bot commented Apr 8, 2026

commit: 646a07e

jobs:
bonk:
if: github.event.sender.type != 'Bot'
if: github.event.sender.type != 'Bot' && (github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER' || github.event.comment.author_association == 'COLLABORATOR')
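Review bot: the new gate reads `github.event.comment.author_association`, so it is only meaningful on comment-triggered events such as `issue_comment` or `pull_request_review_comment`; if bonk.yml also runs on an event whose payload has no `comment` object, the expression evaluates to false there and the job is silently skipped rather than failing, so the workflow's `on:` block is worth confirming before merge. The three-way OR would also be easier to audit and extend as `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. Note that `CONTRIBUTOR` (anyone who has previously had a commit merged) and `FIRST_TIME_CONTRIBUTOR` are intentionally outside the allow-list, which matches the stated intent of limiting who can drive a broadly permissioned assistant.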
Contributor Author
Bonk GitHub permissions are quite wide, so not sure we want everyone to be able to interact with it

If this is intentional I can revert this change

Comment thread .github/workflows/cla.yml
- name: "CLA Assistant"
if: (github.event.issue.pull_request && (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA')) || github.event_name == 'pull_request_target'
uses: contributor-assistant/github-action@v2.6.1
uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
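Review bot: the trailing `# v2.6.1` comment is what Dependabot and Renovate key on to keep a SHA pin current, so it should stay in exactly this form after the hash. Before merging, confirm the SHA resolves to the v2.6.1 tag (for example `git ls-remote --tags https://github.com/contributor-assistant/github-action v2.6.1`, dereferencing an annotated tag via the `v2.6.1^{}` entry), because a pin to the wrong commit is a pin to the wrong code rather than a safety net. This step runs in the `pull_request_target` context visible in the `if:` above, which is precisely the kind of privileged step that tag poisoning of an action affects, so the pin matters more here than in a read-only job.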
Contributor Author
All other workflows in the repo are pinned

@erezrokah erezrokah marked this pull request as ready for review April 8, 2026 09:10
Copilot AI review requested due to automatic review settings April 8, 2026 09:10
Copilot AI left a comment

Pull request overview

This PR hardens GitHub Actions supply-chain security by pinning an unpinned third-party action to an immutable commit SHA and tightening access to the Bonk assistant workflow to trusted repository affiliations.

Changes:

  • Pin contributor-assistant/github-action in the CLA workflow from a tag (v2.6.1) to a specific commit SHA.
  • Restrict the Bonk workflow so it only runs for comments created by MEMBER/OWNER/COLLABORATOR (and not bots).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • .github/workflows/cla.yml: Pins CLA Assistant action to a commit SHA to reduce tag-hijack risk.
  • .github/workflows/bonk.yml: Adds an author_association gate to limit who can trigger the Bonk job.


Comment thread .github/workflows/bonk.yml
@erezrokah
Contributor Author

I'd be happy to follow up on the other recommendations (I'm using https://github.com/erezrokah/skills/blob/main/skills/supply-chain-auditor/SKILL.md); I haven't done them as they have a bigger impact on how dependencies are managed in the repo

Collaborator
@ascorbic ascorbic left a comment

Thanks, this is great!

@ascorbic ascorbic merged commit c7ffc8e into emdash-cms:main Apr 8, 2026
33 of 34 checks passed
fmhall pushed a commit to fmhall/emdash that referenced this pull request Apr 13, 2026
…s#375)

Pin CLA action to SHA and restrict Bonk workflow to authorized users.
3 participants