chore: add dependabot.yml + SHA-pin all GitHub Actions (#728)
* chore: add dependabot.yml — cooldown + grouped monthly bumps
Adds an explicit version-updates policy on top of the security-updates
channel that fires automatically since uv.lock landed (#719). Posture is
supply-chain conservative:
- 14-day cooldown on minor/patch, 30-day on majors (Dependabot won't
PR a version until it's been live for that long). Buys a detection
window against maintainer-compromise attacks (Shai-Hulud, axios,
PyTorch Lightning, …) where malicious versions typically get yanked
within hours-to-days.
- Monthly schedule + grouped patch/minor — one batched PR, atomic
to revert, large enough to actually be reviewed instead of waved
through.
- Major bumps stay individual (potentially breaking, deserve
individual review).
- No auto-merge.
- github-actions ecosystem also enabled (companion to SHA-pinning
the workflows).
Cooldown does NOT apply to security updates — those still fire on
the CVE-publication timeline, which is the right tradeoff.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore: SHA-pin all GitHub Actions across workflows
Mutable action references (@v4, @V3, …) are the same failure mode that
took out tj-actions/changed-files (23k+ repos compromised in Q1 2026)
and trivy-action. An attacker who compromises an action's maintainer
account can silently re-point a tag at a malicious SHA, and every
workflow that references that tag pulls the new code on the next run.
Pinning each action by full commit SHA — with the human-readable tag
preserved as a trailing comment — closes that vector. Dependabot's
github-actions ecosystem (enabled in the companion commit) proposes
SHA bumps with the new tag annotated in the PR body, so updates remain
reviewable.
All four workflows pinned; SHAs resolved against current refs as of
this commit, no behavioral change intended.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
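As an added example (not part of this commit or the repository's own code), a small audit script that applies the commit's SHA-pinning rule to a constructed workflow: it flags every `uses:` reference that is a tag or branch rather than a full 40-hex commit SHA, and records the human-readable tag kept as a trailing comment. The workflow text and the action names in it are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the repository) mixing the
# reference styles the commit message discusses.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.6.0
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""

# "uses: owner/repo[/path]@ref" with an optional trailing "# tag" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def audit_workflow(text):
    """Return (line_no, ref, status, comment) for every `uses:` step.
    status: "pinned" (immutable 40-hex SHA), "mutable" (tag/branch that a
    compromised maintainer account can re-point), "local" (./ path, nothing
    fetched remotely) or "docker" (image reference, out of scope here).
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip() or None
        if ref.startswith("./"):
            status = "local"
        elif ref.startswith("docker://"):
            status = "docker"
        else:
            version = ref.rpartition("@")[2]  # whole ref if there is no "@"
            status = "pinned" if SHA_RE.match(version) else "mutable"
        findings.append((line_no, ref, status, comment))
    return findings


if __name__ == "__main__":
    for line_no, ref, status, comment in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no:>2}: {status:<8} {ref}" + (f"  ({comment})" if comment else ""))
```

Dependabot's github-actions ecosystem only proposes bumps for references it can resolve, so running a check like this in CI catches the `@v4`-style references that were never pinned in the first place.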