
chore: Lock the versions of GitHub Actions used in workflows to SHA hashes, other security improvements#727

Merged: anakinj merged 2 commits into jwt:main from connorshea:main on May 23, 2026

Conversation

connorshea (Contributor) commented May 23, 2026

Description

  • SHA hashes to prevent compromised GitHub Actions from ever being used, also updated to the latest releases for each.
  • Disable the bundler-cache in the release job, to protect against the release job pulling a compromised cache and thus pushing a compromised gem.
  • Disable credential persistence in the checkout job, to make sure we can't ship it as part of the packaged artifacts by accident.
  • Set a 1 day cooldown on github actions updates, just to be safe and hopefully prevent any update to a malicious version of an action.

These changes were all made using zizmor / manual edits by me.

I'm not sure if this warrants a changelog entry?

Checklist

Before the PR can be merged be sure the following are checked:

  • There are tests for the fix or feature added/changed
  • A description of the changes and a reference to the PR has been added to CHANGELOG.md. More details in the CONTRIBUTING.md
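To make the four changes concrete, here is an added illustration (not the PR's own diff) of a release job before and after the hardening described above, followed by the Dependabot cooldown setting. The 40-zero SHAs are placeholders rather than real commits, the version comments and the `bundle exec rake release` step are assumptions, and `cooldown: default-days` is assumed to be the Dependabot key the PR uses; `persist-credentials` and `bundler-cache` are the settings the PR names.

```yaml
# Added example, not the PR's diff. Before: mutable tags, cached bundle,
# persisted token in the checkout.
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # a tag can be moved to a malicious commit
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true          # restores a cache that another job could poison
      - run: bundle exec rake release  # illustrative release step (assumption)
---
# After: every action pinned to a full commit SHA (Dependabot keeps the
# version comment in sync), no cache restore in the release job, and no
# token left in .git/config where it could be packaged by accident.
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (PLACEHOLDER SHA)
        with:
          persist-credentials: false   # do not store the GITHUB_TOKEN in the checkout
      - uses: ruby/setup-ruby@0000000000000000000000000000000000000000 # vX.Y.Z (PLACEHOLDER SHA)
        with:
          bundler-cache: false         # install gems fresh from Gemfile.lock every time
      - run: bundle exec rake release  # illustrative release step (assumption)
---
# .github/dependabot.yml: keep the SHA pins current, but wait one day before
# proposing any new action release (cooldown key assumed from the PR text).
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 1
```

A quick check that nothing slipped through is to grep the workflow directory for `uses:` lines whose `@` reference is not 40 hex characters; zizmor, which the PR mentions, reports the same finding as unpinned uses.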

…ashes, to prevent compromised actions from being used.

Also disable the bundler-cache in the release job, to protect against the release job pulling a compromised cache and thus pushing a compromised gem.

And set a 1 day cooldown on github actions updates, just to be safe and hopefully prevent any update to a malicious version of an action.

These changes were all made using zizmor / manual edits by me.
anakinj (Member) commented May 23, 2026

I'm not sure if this warrants a changelog entry?

No changelog entry needed for this one

@anakinj anakinj merged commit daa377d into jwt:main May 23, 2026
15 checks passed