Commit 7d1155d

cailmdaley and claude authored
chore: add dependabot.yml + SHA-pin all GitHub Actions (#728)
* chore: add dependabot.yml — cooldown + grouped monthly bumps

Adds an explicit version-updates policy on top of the security-updates channel that fires automatically since uv.lock landed (#719). Posture is supply-chain conservative:

- 14-day cooldown on minor/patch, 30-day on majors (Dependabot won't PR a version until it's been live for that long). Buys a detection window against maintainer-compromise attacks (Shai-Hulud, axios, PyTorch Lightning, …) where malicious versions typically get yanked within hours-to-days.
- Monthly schedule + grouped patch/minor — one batched PR, atomic to revert, large enough to actually be reviewed instead of waved through.
- Major bumps stay individual (potentially breaking, deserve individual review).
- No auto-merge.
- github-actions ecosystem also enabled (companion to SHA-pinning the workflows).

Cooldown does NOT apply to security updates — those still fire on the CVE-publication timeline, which is the right tradeoff.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: SHA-pin all GitHub Actions across workflows

Mutable action references (@v4, @V3, …) are the same failure mode that took out tj-actions/changed-files (23k+ repos compromised in Q1 2026) and trivy-action. An attacker who compromises an action's maintainer account can silently re-point a tag at a malicious SHA, and every workflow that references that tag pulls the new code on the next run.

Pinning each action by full commit SHA — with the human-readable tag preserved as a trailing comment — closes that vector. Dependabot's github-actions ecosystem (enabled in the companion commit) proposes SHA bumps with the new tag annotated in the PR body, so updates remain reviewable.

All four workflows pinned; SHAs resolved against current refs as of this commit, no behavioral change intended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent f2957c1 commit 7d1155d

5 files changed

Lines changed: 79 additions & 17 deletions

File tree

.github/dependabot.yml

Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
# Dependabot config — supply-chain conservative posture.
2+
#
3+
# Why this exists:
4+
# - We now ship a `uv.lock`, so Dependabot's security-updates channel fires
5+
# automatically on GHSAs touching transitive deps. This file adds
6+
# *version-updates* policy on top: routine bumps that don't fall out
7+
# of a security advisory.
8+
# - 2025-2026 has seen a wave of maintainer-compromise attacks across npm
9+
# and PyPI (Shai-Hulud / Mini Shai-Hulud, axios, PyTorch Lightning,
10+
# tj-actions/changed-files, …). The published-to-Dependabot-PR-lag is
11+
# often minutes. Cooldown buys a detection window for free.
12+
#
13+
# Policy:
14+
# - 14-day cooldown on minor/patch (30 days on majors). Anything malicious
15+
# is usually caught and yanked within a few days; the cooldown lets that
16+
# happen before it reaches us.
17+
# - Monthly schedule + grouped patch/minor PRs — one batched PR per month,
18+
# atomic to revert, large enough to actually be reviewed.
19+
# - Major bumps stay as individual PRs (potentially breaking; each
20+
# deserves its own review).
21+
# - No auto-merge anywhere. Lockfile diffs are uninspectable; we eyeball
22+
# the version metadata and source links before merging.
23+
#
24+
# Note: cooldown does NOT apply to security-updates (the GHSA-driven PRs).
25+
# Those still fire on the CVE-publication timeline, which is the right
26+
# tradeoff for shapepipe — fix CVEs fast, but don't auto-merge them either.
27+
28+
version: 2
29+
30+
updates:
31+
# Python dependencies tracked via uv.lock
32+
- package-ecosystem: "uv"
33+
directory: "/"
34+
schedule:
35+
interval: "monthly"
36+
day: "monday"
37+
cooldown:
38+
default-days: 14
39+
semver-major-days: 30
40+
groups:
41+
lockfile-minor-patch:
42+
patterns: ["*"]
43+
update-types: ["minor", "patch"]
44+
open-pull-requests-limit: 3
45+
labels:
46+
- "dependencies"
47+
48+
# GitHub Actions versions (SHA-pinned in workflows; Dependabot proposes
49+
# SHA bumps with the new tag annotated in the PR body).
50+
- package-ecosystem: "github-actions"
51+
directory: "/"
52+
schedule:
53+
interval: "monthly"
54+
cooldown:
55+
default-days: 14
56+
groups:
57+
actions:
58+
patterns: ["*"]
59+
open-pull-requests-limit: 2
60+
labels:
61+
- "dependencies"
62+
- "github-actions"
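
Review bot: The `actions` group in the github-actions entry (new lines 56-58) sets `patterns: ["*"]` with no `update-types`, so major action bumps will be batched into the same PR as minor and patch ones, which contradicts the header policy that major bumps stay individual. Add `update-types: ["minor", "patch"]` as in the `lockfile-minor-patch` group, or state in the header comment that actions are grouped across majors. Separately, `day: "monday"` under `interval: "monthly"` (lines 35-36) is a setting Dependabot documents for the weekly interval, so it can be dropped.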

.github/workflows/cd.yml

Lines changed: 3 additions & 3 deletions
@@ -13,10 +13,10 @@ jobs:
1313
runs-on: ubuntu-latest
1414

1515
steps:
16-
- uses: actions/checkout@v2
16+
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
1717

1818
- name: Set up conda
19-
uses: conda-incubator/setup-miniconda@v2
19+
uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2.3.0
2020
with:
2121
auto-update-conda: true
2222
python-version: 3.9
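
Review bot: Nothing visible here lets a reviewer confirm that the SHA on line 16 is the commit `v2.7.0` points to in `actions/checkout` itself, or that the one on line 19 is `v2.3.0` in `conda-incubator/setup-miniconda`; the trailing comment is free text, and GitHub will also resolve a full SHA that exists only in a fork of the action's repository. Record in the PR how the SHAs were resolved (for example the `git ls-remote` output per tag) so each pin can be checked against the upstream repository before merge.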
@@ -38,7 +38,7 @@ jobs:
3838
sphinx-build -E docs/source docs/_build
3939
4040
- name: Deploy API documentation
41-
uses: peaceiris/actions-gh-pages@v3.5.9
41+
uses: peaceiris/actions-gh-pages@cf301857435c1f95963b21d58f452a7617770d60 # v3.5.9
4242
with:
4343
github_token: ${{ secrets.GITHUB_TOKEN }}
4444
publish_dir: docs/_build

.github/workflows/ci-release.yml

Lines changed: 2 additions & 2 deletions
@@ -19,7 +19,7 @@ jobs:
1919
python-version: [3.11]
2020

2121
steps:
22-
- uses: actions/checkout@v4
22+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
2323

2424
- name: Install Linux dependencies
2525
if: runner.os == 'Linux'
@@ -35,7 +35,7 @@ jobs:
3535
brew reinstall gcc
3636
3737
- name: Set up conda
38-
uses: conda-incubator/setup-miniconda@v3
38+
uses: conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0
3939
with:
4040
auto-update-conda: true
4141
python-version: ${{ matrix.python-version }}

.github/workflows/deploy-image.yml

Lines changed: 9 additions & 9 deletions
@@ -11,39 +11,39 @@ jobs:
1111
packages: write
1212
steps:
1313
- name: Checkout repository
14-
uses: actions/checkout@v4
14+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1515

1616
- name: Log in to the Container registry
17-
uses: docker/login-action@v3
17+
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
1818
with:
1919
registry: ${{ env.REGISTRY }}
2020
username: ${{ github.actor }}
2121
password: ${{ secrets.GITHUB_TOKEN }}
2222

2323
- name: Set up Docker Buildx
24-
uses: docker/setup-buildx-action@v3
24+
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
2525
with:
2626
driver-opts: network=host
2727

2828
# Two parallel tag sets. `dev` is the default (no suffix, e.g. `:latest`,
2929
# `:develop`); `runtime` carries a `-runtime` suffix.
3030
- name: Tags — dev (default)
3131
id: meta-dev
32-
uses: docker/metadata-action@v5
32+
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
3333
with:
3434
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
3535

3636
- name: Tags — runtime
3737
id: meta-runtime
38-
uses: docker/metadata-action@v5
38+
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
3939
with:
4040
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
4141
flavor: |
4242
suffix=-runtime,onlatest=true
4343
4444
# Build runtime first (smaller, used to smoke-test pipeline binaries)
4545
- name: Build runtime (load)
46-
uses: docker/build-push-action@v6
46+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
4747
with:
4848
context: .
4949
target: runtime
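
Review bot: The `docker/setup-buildx-action` pin on line 24 fixes the action's own code, but with only `driver-opts: network=host` set, the BuildKit image the builder pulls at run time is still a floating reference, in a job that holds `packages: write`. If the aim is that nothing mutable executes in this job, add a pinned `image=moby/buildkit:<tag>@<digest>` entry to `driver-opts` (placeholder values), or say in the commit message that runtime downloads made by the pinned actions are out of scope for this change.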
@@ -70,7 +70,7 @@ jobs:
7070
7171
# Build dev (reuses cached `base` layer)
7272
- name: Build dev (load)
73-
uses: docker/build-push-action@v6
73+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
7474
with:
7575
context: .
7676
target: dev
@@ -90,7 +90,7 @@ jobs:
9090
9191
# Push both targets
9292
- name: Push runtime
93-
uses: docker/build-push-action@v6
93+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
9494
with:
9595
context: .
9696
target: runtime
@@ -100,7 +100,7 @@ jobs:
100100
cache-from: type=gha
101101

102102
- name: Push dev
103-
uses: docker/build-push-action@v6
103+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
104104
with:
105105
context: .
106106
target: dev

.github/workflows/doc-tests.yml

Lines changed: 3 additions & 3 deletions
@@ -8,10 +8,10 @@ jobs:
88
runs-on: ubuntu-latest
99

1010
steps:
11-
- uses: actions/checkout@v2
11+
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
1212

1313
- name: Set up conda
14-
uses: conda-incubator/setup-miniconda@v2
14+
uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2.3.0
1515
with:
1616
auto-update-conda: true
1717
python-version: 3.8
@@ -33,7 +33,7 @@ jobs:
3333
sphinx-build -E docs/source docs/_build
3434
3535
- name: Archive API build
36-
uses: actions/upload-artifact@v2
36+
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
3737
with:
3838
name: api-docs
3939
retention-days: 14
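
Review bot: Line 36 pins `actions/upload-artifact` to v2.3.1, a major version GitHub has deprecated, so the SHA pin freezes this step on an unsupported line until the first monthly Dependabot run at the earliest. Keeping the pin is consistent with the no-behaviour-change goal, but confirm the step still runs and open a follow-up that moves it to a supported major (the same applies to `actions/checkout` v2.7.0 on line 11) instead of waiting for the grouped bump.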
