chore: deps hardening — pin actions, scope permissions #419
Merged: horsefacts merged 5 commits into main on Apr 13, 2026
Contributor: ✅ Changelog found on PR.
…scope permissions
- Pin all GitHub Actions to commit SHAs (actions/checkout, dtolnay/rust-toolchain, Swatinem/rust-cache, actions/upload-artifact, actions/download-artifact)
- Fix template injection in changelog-generate.yml and changelog.yml by moving attacker-controllable github.* context values from inline run: to env: blocks
- Scope build.yml permissions per-job instead of workflow-level contents: write
- Add persist-credentials: false to all checkout steps that handle secrets
- Fix cache poisoning: disable cache save on release builds (save-if: false)
- Pin npm install -g @anthropic-ai/claude-code to @1.0.3
- Suppress 3 unfixable CVEs in deny.toml (RUSTSEC-2025-0055, RUSTSEC-2024-0388, RUSTSEC-2026-0002) with upstream dependency chain documentation

Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
- Fix Swatinem/rust-cache SHA to use commit instead of tag object
- Add permissions block and explicit secrets to pr-audit.yml
- Add cooldown (7 days) to Dependabot config
- Scope release.yml permissions per-job
- Replace curl|sh with checksum-verified binary download for changelogs

Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
6751d10 to 1141254
horsefacts approved these changes, Apr 13, 2026
Summary

Supply chain hardening for CI workflows and dependency auditing.

Changes

- Fix template injection (attacker-controllable `github.*` context values moved from inline `run:` to `env:` blocks)
- Scope `build.yml` permissions per-job (least privilege)
- Add `persist-credentials: false` to checkout steps
- Pin `@anthropic-ai/claude-code` version in CI
- Suppress unfixable CVEs in `deny.toml` with justification
- Fix `Swatinem/rust-cache` SHA to use dereferenced commit instead of tag object
- Add `permissions:` block and explicit secrets to `pr-audit.yml` (drop `secrets: inherit`)
- Scope `release.yml` permissions per-job instead of top-level
- Replace `curl | sh` changelogs installer with checksum-verified binary download

Prompted by: georgen
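As an added illustration (not a file from this PR or the project), one workflow job written with the weak settings the PR replaces shown as comments beside the hardened forms its description lists. The action SHAs, download URL and checksum are placeholders, and the `save-if` expression generalises the PR's `save-if: false` to "save only from main".

```yaml
# Added illustration, not a file from the PR: one workflow job shown with the
# weak settings (as comments) and the hardened ones the PR description lists.
# Action SHAs, the URL and the checksum are placeholders, not real values.
name: changelog
on:
  pull_request:

# Weak: a workflow-level write grant applies to every job.
#   permissions:
#     contents: write
permissions: {}                     # deny by default; each job declares its own

jobs:
  changelog:
    runs-on: ubuntu-latest
    permissions:
      contents: read                # least privilege for this job only
    steps:
      # Weak: `@v4` is a mutable tag and the token stays in .git/config.
      #   - uses: actions/checkout@v4
      - uses: actions/checkout@<40-hex-commit-sha>   # pinned to a commit; tag noted: v4
        with:
          persist-credentials: false                 # no GITHUB_TOKEN left on disk

      - uses: dtolnay/rust-toolchain@<40-hex-commit-sha>
      - uses: Swatinem/rust-cache@<40-hex-commit-sha>
        with:
          # Cache poisoning: a PR build must never write the shared cache.
          # (The PR used `save-if: false`; this generalises to "save only on main".)
          save-if: ${{ github.ref == 'refs/heads/main' }}

      # Weak: the expression is substituted INTO the script text before bash
      # runs it, so shell metacharacters in the title become code.
      #   - run: echo "Title: ${{ github.event.pull_request.title }}"
      - name: Use the PR title as data, not code
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}   # substituted into env, not script
        run: |
          printf 'Title: %s\n' "$PR_TITLE"                   # quoted: one argument, no re-parsing

      # Weak: `curl ... | sh` executes whatever the server returns, unverified.
      - name: Install changelogs binary with checksum verification
        env:
          CHANGELOGS_URL: https://example.invalid/changelogs   # placeholder URL
          CHANGELOGS_SHA256: <sha256-of-the-release-binary>    # placeholder; record the real digest here
        run: |
          curl -fsSL --retry 3 -o changelogs "$CHANGELOGS_URL"
          echo "${CHANGELOGS_SHA256}  changelogs" | sha256sum -c -   # fails the job on mismatch
          chmod +x changelogs
```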