
Supply-chain hardening: SHA-pin actions + Dependabot#5

Merged: swperb merged 1 commit into main from hardening/pin-actions, Jun 15, 2026

Conversation

swperb (Owner) commented Jun 15, 2026

Part of the repository security lock-down.

  • SHA-pin third-party GitHub Actions (actions/checkout, softprops/action-gh-release) so a moved/compromised tag cannot execute with the workflow token — the release job has contents: write. Version kept in a trailing comment.
  • Dependabot (.github/dependabot.yml) keeps the action pins and the mcp/ npm deps patched weekly.

Complements the settings-level changes applied to the repo: branch protection on main, Dependabot alerts + security updates, private vulnerability reporting, and restricting Actions to GitHub-owned + the one third-party action in use.

🤖 Generated with Claude Code

…ing)

- Pin actions/checkout and softprops/action-gh-release to commit SHAs (with a
  version comment) so a moved or compromised tag can't run with the workflow
  token (which has contents:write in the release job).
- Add .github/dependabot.yml to keep the GitHub Actions pins and the MCP
  server's npm dependencies patched (weekly).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
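A check for the pinning rule the PR description describes, as an added example that is not part of this repository or the PR: a small Python scanner that reads a GitHub Actions workflow, flags every `uses:` reference that is not a 40-hex commit SHA (or is SHA-pinned without the trailing version comment), and reports which of those sit in a job holding a `write` permission, which is exactly the case the PR calls out (the release job has `contents: write`). The workflow text, job names and commit SHAs below are constructed for the example, and the `pin_line` helper expects the caller to have resolved the tag to a SHA already (for instance with `git ls-remote`); it does not contact GitHub.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample workflow for this example (not the project's real file).
# The first job uses mutable tag refs; the second is SHA-pinned with a trailing
# version comment, the form the PR adopts. The SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  build-unpinned:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: softprops/action-gh-release@v2
      - uses: ./.github/actions/local-step
  build-pinned:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: softprops/action-gh-release@fedcba9876543210fedcba9876543210fedcba98 # v2.2.1
      - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")            # job name at two-space indent
WRITE_RE = re.compile(r"^\s+[a-z-]+:\s*write(-all)?\s*$")   # e.g. "contents: write"
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    job: str
    ref: str
    problem: str


def scan_workflow(text: str) -> Tuple[List[Finding], Set[str]]:
    """Return (findings, jobs_with_a_write_scope) for one workflow file.

    Assumes the conventional layout: job names at two-space indentation under
    ``jobs:`` and ``permissions:`` entries nested inside the job.
    """
    findings: List[Finding] = []
    write_jobs: Set[str] = set()
    job = ""
    for lineno, line in enumerate(text.splitlines(), start=1):
        job_m = JOB_RE.match(line)
        if job_m:
            job = job_m.group(1)
            continue
        if WRITE_RE.match(line):
            write_jobs.add(job)
            continue
        uses_m = USES_RE.match(line)
        if not uses_m:
            continue
        ref = uses_m.group("ref")
        # Local composite actions and container images are not GitHub tag refs.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, job, ref, "no ref (floats to the default branch)"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA_RE.match(version):
            findings.append(Finding(lineno, job, ref, f"mutable ref {version!r}, not a 40-hex commit SHA"))
        elif not (uses_m.group("comment") or "").strip():
            findings.append(Finding(lineno, job, ref, "SHA-pinned but no trailing version comment"))
    return findings, write_jobs


def unpinned_refs(text: str) -> List[Finding]:
    return scan_workflow(text)[0]


def high_risk(text: str) -> List[Finding]:
    """Findings inside a job that holds a write scope: a moved or compromised
    tag there runs with a token that can push commits or publish releases."""
    findings, write_jobs = scan_workflow(text)
    return [f for f in findings if f.job in write_jobs]


def pin_line(line: str, sha: str, version: str) -> str:
    """Rewrite one `uses:` line to `owner/repo@<sha> # <version>`."""
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a uses: line")
    action = m.group("ref").split("@", 1)[0]
    prefix = line[: line.index("uses:")]
    return f"{prefix}uses: {action}@{sha} # {version}"


if __name__ == "__main__":
    for f in high_risk(SAMPLE_WORKFLOW):
        print(f"line {f.line} (job {f.job}, write-scoped): {f.ref}: {f.problem}")
```

Run against the sample, the scanner reports only the two tag-pinned steps in `build-unpinned`; the pinned job passes, the local action and the container image are skipped. The trailing version comment is kept because it is what lets a reviewer see at a glance which release a bare SHA corresponds to, and Dependabot's `github-actions` updater bumps the comment along with the SHA when it opens an update PR. For the second half of the PR, the `.github/dependabot.yml` it adds needs a `version: 2` file with two `updates:` entries, `package-ecosystem: github-actions` for `directory: /` and `package-ecosystem: npm` for the `mcp/` directory, each on a `schedule: interval: weekly`.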
@swperb swperb merged commit 5c1035f into main Jun 15, 2026
4 of 5 checks passed
@swperb swperb deleted the hardening/pin-actions branch June 15, 2026 05:04

1 participant