chore(ci): pin GitHub Actions and add Dependabot cooldown#2
Open
michaelmeaney wants to merge 17 commits into
Open
chore(ci): pin GitHub Actions and add Dependabot cooldown#2michaelmeaney wants to merge 17 commits into
michaelmeaney wants to merge 17 commits into
Conversation
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s dependency/CI supply-chain posture by pinning GitHub Actions to immutable SHAs, introducing pinact configuration to enforce pinning policy, and adding Dependabot version-update automation with cooldown periods.
Changes:
- Added
.pinact.ymlto configure pinact workflow pinning and minimum action age policy. - Pinned
actions/checkoutandactions/setup-pythonin CI workflow to full commit SHAs. - Added
.github/dependabot.ymlfor pip and GitHub Actions updates with cooldown and commit-message conventions; documented the pinning guidance in Copilot instructions.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.pinact.yml |
Adds repo-level pinact config for pinning workflows and enforcing a minimum-age policy. |
.github/workflows/ci.yaml |
Pins third-party GitHub Actions to commit SHAs for supply-chain safety. |
.github/dependabot.yml |
Adds Dependabot update automation with cooldown windows for pip and GitHub Actions. |
.github/copilot-instructions.md |
Documents repo guidance (including action pinning via pinact) for contributors/agents. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
20
to
22
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| - name: Install poetry |
Comment on lines
+64
to
+66
| [solver] | ||
| min-release-age = 7 | ||
|
|
|
|
||
| ### 1.1 Reference implementation | ||
|
|
||
| This baseline is not speculative: a sibling internal fork, `NewDayCards/guardette` (at `/Users/n16168/Documents/code/newday-security-engineering/guardette`), diverged from the same upstream merge-base (`f04012b`) and has already implemented most of the engineering, security, and Jira-integration scope described in this document. That fork went further than upstream contribution requires — it also replatformed the runtime from AWS Lambda to a container-first Azure deployment model, which is an internal deployment decision, not a generic upstream concern. |
Comment on lines
+1
to
+5
| # PRD: Guardette Upstream Contribution Baseline | ||
|
|
||
| ## 1. Purpose | ||
|
|
||
| We intend to use Guardette as a supported redaction proxy between Span and our Jira instance. |
Comment on lines
+20
to
+21
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| - name: Install poetry | ||
| run: pipx install poetry | ||
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 |
|
|
||
| ### 1.1 Reference implementation | ||
|
|
||
| This baseline is not speculative: a sibling internal fork, `NewDayCards/guardette` (at `/Users/n16168/Documents/code/newday-security-engineering/guardette`), diverged from the same upstream merge-base (`f04012b`) and has already implemented most of the engineering, security, and Jira-integration scope described in this document. That fork went further than upstream contribution requires — it also replatformed the runtime from AWS Lambda to a container-first Azure deployment model, which is an internal deployment decision, not a generic upstream concern. |
| This document captures the delta between: | ||
|
|
||
| - **BASELINE** — this repository (`NewDayTechnology/guardette`), currently rebased and in sync with upstream `Attuned-Corp/guardette` (`origin/main` == `upstream/main` at commit `2d43a05`). | ||
| - **ENHANCED** — a sibling fork at `/Users/n16168/Documents/code/newday-security-engineering/guardette` (`NewDayCards/guardette`, `main` at commit `016bd6d`), which diverged from the same upstream merge-base (`f04012b`, "Span Autofix VULN-308: Upgrade aiohttp to 3.14.0") and has since applied ~28 merged commits of security, tooling, architecture, and feature work. |
Comment on lines
+64
to
+66
| [solver] | ||
| min-release-age = 7 | ||
|
|
Comment on lines
+96
to
+101
| ignore = [ | ||
| "S101", # assert used; acceptable in tests | ||
| "PLR0913", # too many arguments; often noisy | ||
| "PLR2004", # magic value; often noisy in tests/config | ||
| "TRY003", # long exception messages; often over-prescriptive | ||
| ] |
|
|
||
| ### 1.1 Reference implementation | ||
|
|
||
| This baseline is not speculative: a sibling internal fork, `NewDayCards/guardette` (at `/Users/n16168/Documents/code/newday-security-engineering/guardette`), diverged from the same upstream merge-base (`f04012b`) and has already implemented most of the engineering, security, and Jira-integration scope described in this document. That fork went further than upstream contribution requires — it also replatformed the runtime from AWS Lambda to a container-first Azure deployment model, which is an internal deployment decision, not a generic upstream concern. |
| @@ -0,0 +1,725 @@ | |||
| # PRD: Guardette Upstream Contribution Baseline | |||
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+96
to
+101
| ignore = [ | ||
| "S101", # assert used; acceptable in tests | ||
| "PLR0913", # too many arguments; often noisy | ||
| "PLR2004", # magic value; often noisy in tests/config | ||
| "TRY003", # long exception messages; often over-prescriptive | ||
| ] |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+24
to
+29
| regex_pattern: > | ||
| \b( | ||
| \w{11,}| | ||
| [\d-]{5,}| | ||
| [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,} | ||
| )\b |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+24
to
+29
| regex_pattern: > | ||
| \b( | ||
| \w{11,}| | ||
| [\d-]{5,}| | ||
| [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,} | ||
| )\b |
Comment on lines
+101
to
+106
| [tool.ruff.lint.per-file-ignores] | ||
| "tests/**" = [ | ||
| "S101", # asserts are normal in tests | ||
| "ARG001", # pytest fixtures can look unused | ||
| "PLR2004", # literals in tests are normal | ||
| ] |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+24
to
+29
| regex_pattern: > | ||
| \b( | ||
| \w{11,}| | ||
| [\d-]{5,}| | ||
| [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,} | ||
| )\b |
Comment on lines
+101
to
+106
| [tool.ruff.lint.per-file-ignores] | ||
| "tests/**" = [ | ||
| "S101", # asserts are normal in tests | ||
| "ARG001", # pytest fixtures can look unused | ||
| "PLR2004", # literals in tests are normal | ||
| ] |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+22
to
+29
| # Redact long tokens, long numeric/dash sequences, and email addresses. | ||
| # Review custom field schemas for tenant-specific secrets before shipping this to production. | ||
| regex_pattern: > | ||
| \b( | ||
| \w{11,}| | ||
| [\d-]{5,}| | ||
| [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,} | ||
| )\b |
Comment on lines
67
to
70
| [tool.ruff] | ||
| line-length = 120 | ||
| target-version = "py313" | ||
| line-length = 88 | ||
|
|
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+15
to
+17
| permissions: | ||
| contents: read | ||
| actions: write |
Comment on lines
+36
to
+37
| - name: Install Poetry | ||
| uses: step-security/install-poetry@8cee588dbbc9ca4f2882c176ce61917303942193 # v1.4.2 |
Comment on lines
67
to
+91
| [tool.ruff] | ||
| target-version = "py313" | ||
| line-length = 120 | ||
|
|
||
| [tool.ruff.lint] | ||
| select = ["E", "F", "W", "B", "I"] | ||
| select = [ | ||
| "E", # pycodestyle errors | ||
| "W", # pycodestyle warnings | ||
| "F", # pyflakes | ||
| "I", # isort | ||
| "UP", # pyupgrade | ||
| "B", # flake8-bugbear | ||
| "C4", # flake8-comprehensions | ||
| "SIM", # flake8-simplify | ||
| "RET", # flake8-return | ||
| "ARG", # unused arguments | ||
| "PTH", # pathlib | ||
| "PL", # pylint subset | ||
| "RUF", # Ruff-specific rules | ||
| "S", # flake8-bandit security checks | ||
| "T20", # print statements | ||
| "TRY", # exception handling hygiene | ||
| "PERF", # performance footguns | ||
| "PIE", # misc Python improvements | ||
| ] |
Comment on lines
+1
to
+4
| version: 3 | ||
| files: | ||
| - pattern: .github/workflows/*.yml | ||
| - pattern: .github/workflows/*.yaml |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+15
to
+18
| permissions: | ||
| contents: read | ||
| actions: write | ||
|
|
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Comment on lines
+36
to
+42
| - name: Install Poetry | ||
| uses: step-security/install-poetry@8cee588dbbc9ca4f2882c176ce61917303942193 # v1.4.2 | ||
| with: | ||
| virtualenvs-create: true | ||
| virtualenvs-in-project: true | ||
| virtualenvs-path: .venv | ||
|
|
Comment on lines
+104
to
+108
| "tests/**" = [ | ||
| "S101", # asserts are normal in tests | ||
| "ARG001", # pytest fixtures can look unused | ||
| "PLR2004", # literals in tests are normal | ||
| ] |
Comment on lines
+14
to
+18
| zizmor: | ||
| name: Zizmor | ||
| runs-on: ubuntu-24.04 | ||
| timeout-minutes: 10 | ||
|
|
Comment on lines
+1
to
+7
| version: 3 | ||
| files: | ||
| - pattern: .github/workflows/*.yml | ||
| - pattern: .github/workflows/*.yaml | ||
| min_age: | ||
| value: 7 | ||
| always: true |
Comment on lines
+40
to
+44
| codeql: | ||
| name: CodeQL (${{ matrix.language }}) | ||
| runs-on: ubuntu-24.04 | ||
| timeout-minutes: 10 | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Testing