security: harden supply chain across CI, Docker and dependencies#1032
Merged
Conversation
Owner
perber
commented
May 24, 2026
perber
commented
- Pin all GitHub Actions to SHA hashes (prevent tag-hijacking attacks)
- Pin all Docker base images to digest hashes in Dockerfile and Dockerfile.builder
- Add lint-actions.yml CI check that fails on any unpinned action or image
- Switch npm install to npm ci --ignore-scripts in both Dockerfiles
- Add .npmrc with ignore-scripts=true for frontend and e2e
- Add permissions: contents: read to all workflows (limit blast radius)
- Add govulncheck to backend CI for transitive Go dependency scanning
- Add dependency-review workflow to block PRs introducing HIGH/CRITICAL CVEs
- Add SLSA provenance attestation for release binaries
- Add --sbom and --provenance=mode=max to Docker image builds
- Update dependabot: monthly schedule, grouping, add github-actions ecosystem
- Pin golangci-lint to v2.3.0 (remove version: latest)
- Pin all GitHub Actions to SHA hashes (prevent tag-hijacking attacks) - Pin all Docker base images to digest hashes in Dockerfile and Dockerfile.builder - Add lint-actions.yml CI check that fails on any unpinned action or image - Switch npm install to npm ci --ignore-scripts in both Dockerfiles - Add .npmrc with ignore-scripts=true for frontend and e2e - Add permissions: contents: read to all 6 workflows (limit blast radius) - Add govulncheck to backend CI for transitive Go dependency scanning - Add dependency-review workflow to block PRs introducing HIGH/CRITICAL CVEs - Add SLSA provenance attestation for release binaries - Add --sbom and --provenance=mode=max to Docker image builds - Update dependabot: monthly schedule, grouping, add github-actions ecosystem - Pin golangci-lint to v2.3.0 (remove version: latest)
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens LeafWiki’s software supply chain by making CI/CD and container builds more deterministic and resistant to upstream tampering (action tag hijacks, mutable base images, and script-based dependency attacks), while adding additional automated security checks.
Changes:
- Pin GitHub Actions to commit SHAs and restrict workflow token permissions.
- Pin Docker base images by digest, enable SBOM + provenance on Docker builds, and switch to
npm ci --ignore-scriptswith repo-level.npmrcenforcement for UI/E2E. - Add new CI guardrails: action/image pinning lint, Go
govulncheck, GitHub dependency review policy, and release provenance attestation; update Dependabot configuration.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
ui/leafwiki-ui/.npmrc |
Enforces ignore-scripts=true for frontend installs to reduce supply-chain risk from lifecycle scripts. |
e2e/.npmrc |
Enforces ignore-scripts=true for E2E dependency installs. |
Makefile |
Adds --sbom and --provenance flags to Docker build/publish target. |
Dockerfile.builder |
Pins base images by digest and switches frontend install to npm ci --ignore-scripts. |
Dockerfile |
Pins base images by digest and switches frontend install to npm ci --ignore-scripts. |
.github/workflows/release.yml |
SHA-pins actions, limits permissions, and adds build provenance attestation step. |
.github/workflows/proxy-auth-e2e.yml |
SHA-pins actions and limits workflow permissions. |
.github/workflows/lint-actions.yml |
Adds CI check to fail on unpinned uses: actions and unpinned FROM base images in Dockerfiles. |
.github/workflows/frontend.yml |
SHA-pins actions, limits permissions, and keeps Trivy scan. |
.github/workflows/e2e.yml |
SHA-pins actions and limits permissions for E2E CI jobs. |
.github/workflows/dependency-review.yml |
Adds dependency review gating for high-severity vulnerabilities and disallowed licenses. |
.github/workflows/backend.yml |
SHA-pins actions, limits permissions, pins golangci-lint version, and adds govulncheck. |
.github/dependabot.yml |
Moves to monthly cadence, adds grouping, and adds GitHub Actions ecosystem updates. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.