Skip to content

chore(ci): pin GitHub Actions and add Dependabot cooldown#2

Open
michaelmeaney wants to merge 17 commits into
newday-baselinefrom
validate/github-actions-pin-sha
Open

chore(ci): pin GitHub Actions and add Dependabot cooldown#2
michaelmeaney wants to merge 17 commits into
newday-baselinefrom
validate/github-actions-pin-sha

Conversation

@michaelmeaney

Copy link
Copy Markdown

Summary

  • Pin GitHub Actions workflows to full commit SHAs using pinact
  • Add a repo-level pinact config for workflow pinning
  • Add Dependabot configuration with cooldown policy for pip and GitHub Actions
  • Document the pinning guidance in the repository Copilot instructions

Testing

  • Ran pinact run to update workflow action references
  • Validated the new Dependabot YAML structure

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 21:06

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s dependency/CI supply-chain posture by pinning GitHub Actions to immutable SHAs, introducing pinact configuration to enforce pinning policy, and adding Dependabot version-update automation with cooldown periods.

Changes:

  • Added .pinact.yml to configure pinact workflow pinning and minimum action age policy.
  • Pinned actions/checkout and actions/setup-python in CI workflow to full commit SHAs.
  • Added .github/dependabot.yml for pip and GitHub Actions updates with cooldown and commit-message conventions; documented the pinning guidance in Copilot instructions.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
.pinact.yml Adds repo-level pinact config for pinning workflows and enforcing a minimum-age policy.
.github/workflows/ci.yaml Pins third-party GitHub Actions to commit SHAs for supply-chain safety.
.github/dependabot.yml Adds Dependabot update automation with cooldown windows for pip and GitHub Actions.
.github/copilot-instructions.md Documents repo guidance (including action pinning via pinact) for contributors/agents.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .pinact.yml
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 21:23
michaelmeaney and others added 2 commits July 9, 2026 22:25
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Comment thread .github/dependabot.yml Outdated
Comment thread pyproject.toml Outdated
Comment thread .github/workflows/ci.yaml Outdated
Comment on lines 20 to 22
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Install poetry
Copilot AI review requested due to automatic review settings July 9, 2026 21:27

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Comment thread pyproject.toml Outdated
Comment on lines +64 to +66
[solver]
min-release-age = 7

Comment thread docs/draft-prd.md Outdated

### 1.1 Reference implementation

This baseline is not speculative: a sibling internal fork, `NewDayCards/guardette` (at `/Users/n16168/Documents/code/newday-security-engineering/guardette`), diverged from the same upstream merge-base (`f04012b`) and has already implemented most of the engineering, security, and Jira-integration scope described in this document. That fork went further than upstream contribution requires — it also replatformed the runtime from AWS Lambda to a container-first Azure deployment model, which is an internal deployment decision, not a generic upstream concern.
Comment thread docs/draft-prd.md Outdated
Comment on lines +1 to +5
# PRD: Guardette Upstream Contribution Baseline

## 1. Purpose

We intend to use Guardette as a supported redaction proxy between Span and our Jira instance.
Comment thread .github/workflows/ci.yaml Outdated
Comment on lines +20 to +21
- name: Checkout
uses: actions/checkout@v6
- name: Install poetry
run: pipx install poetry
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
Copilot AI review requested due to automatic review settings July 9, 2026 22:23

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.

Comment thread .github/workflows/security.yml
Comment thread pyproject.toml Outdated
Comment thread docs/draft-prd.md Outdated

### 1.1 Reference implementation

This baseline is not speculative: a sibling internal fork, `NewDayCards/guardette` (at `/Users/n16168/Documents/code/newday-security-engineering/guardette`), diverged from the same upstream merge-base (`f04012b`) and has already implemented most of the engineering, security, and Jira-integration scope described in this document. That fork went further than upstream contribution requires — it also replatformed the runtime from AWS Lambda to a container-first Azure deployment model, which is an internal deployment decision, not a generic upstream concern.
Comment thread docs/draft-prd.md Outdated
This document captures the delta between:

- **BASELINE** — this repository (`NewDayTechnology/guardette`), currently rebased and in sync with upstream `Attuned-Corp/guardette` (`origin/main` == `upstream/main` at commit `2d43a05`).
- **ENHANCED** — a sibling fork at `/Users/n16168/Documents/code/newday-security-engineering/guardette` (`NewDayCards/guardette`, `main` at commit `016bd6d`), which diverged from the same upstream merge-base (`f04012b`, "Span Autofix VULN-308: Upgrade aiohttp to 3.14.0") and has since applied ~28 merged commits of security, tooling, architecture, and feature work.
Copilot AI review requested due to automatic review settings July 9, 2026 22:27

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 5 comments.

Comment thread .github/workflows/security.yml
Comment thread pyproject.toml Outdated
Comment on lines +64 to +66
[solver]
min-release-age = 7

Comment thread pyproject.toml
Comment on lines +96 to +101
ignore = [
"S101", # assert used; acceptable in tests
"PLR0913", # too many arguments; often noisy
"PLR2004", # magic value; often noisy in tests/config
"TRY003", # long exception messages; often over-prescriptive
]
Comment thread docs/draft-prd.md Outdated

### 1.1 Reference implementation

This baseline is not speculative: a sibling internal fork, `NewDayCards/guardette` (at `/Users/n16168/Documents/code/newday-security-engineering/guardette`), diverged from the same upstream merge-base (`f04012b`) and has already implemented most of the engineering, security, and Jira-integration scope described in this document. That fork went further than upstream contribution requires — it also replatformed the runtime from AWS Lambda to a container-first Azure deployment model, which is an internal deployment decision, not a generic upstream concern.
Comment thread docs/draft-prd.md Outdated
@@ -0,0 +1,725 @@
# PRD: Guardette Upstream Contribution Baseline
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 22:55

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/security.yml
Comment thread .github/workflows/ci.yaml
Comment thread pyproject.toml
Comment on lines +96 to +101
ignore = [
"S101", # assert used; acceptable in tests
"PLR0913", # too many arguments; often noisy
"PLR2004", # magic value; often noisy in tests/config
"TRY003", # long exception messages; often over-prescriptive
]
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 22:59

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

Comment on lines +24 to +29
regex_pattern: >
\b(
\w{11,}|
[\d-]{5,}|
[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
)\b
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 4 comments.

Comment on lines +24 to +29
regex_pattern: >
\b(
\w{11,}|
[\d-]{5,}|
[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
)\b
Comment thread pyproject.toml
Comment on lines +101 to +106
[tool.ruff.lint.per-file-ignores]
"tests/**" = [
"S101", # asserts are normal in tests
"ARG001", # pytest fixtures can look unused
"PLR2004", # literals in tests are normal
]
Comment thread .github/workflows/ci.yaml
Comment thread .github/workflows/ci.yaml
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 08:01

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

Comment on lines +24 to +29
regex_pattern: >
\b(
\w{11,}|
[\d-]{5,}|
[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
)\b
Comment thread pyproject.toml Outdated
Comment thread pyproject.toml
Comment on lines +101 to +106
[tool.ruff.lint.per-file-ignores]
"tests/**" = [
"S101", # asserts are normal in tests
"ARG001", # pytest fixtures can look unused
"PLR2004", # literals in tests are normal
]
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 08:10

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

Comment on lines +22 to +29
# Redact long tokens, long numeric/dash sequences, and email addresses.
# Review custom field schemas for tenant-specific secrets before shipping this to production.
regex_pattern: >
\b(
\w{11,}|
[\d-]{5,}|
[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}
)\b
Comment thread pyproject.toml
Comment on lines 67 to 70
[tool.ruff]
line-length = 120
target-version = "py313"
line-length = 88

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 08:16
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/ci.yaml
Comment thread .github/workflows/security.yml Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 08:20
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Comment thread .github/workflows/ci.yaml
Comment on lines +15 to +17
permissions:
contents: read
actions: write
Comment thread .github/workflows/ci.yaml
Comment on lines +36 to +37
- name: Install Poetry
uses: step-security/install-poetry@8cee588dbbc9ca4f2882c176ce61917303942193 # v1.4.2
Comment thread .github/workflows/security.yml Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 08:24

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Comment thread pyproject.toml
Comment on lines 67 to +91
[tool.ruff]
target-version = "py313"
line-length = 120

[tool.ruff.lint]
select = ["E", "F", "W", "B", "I"]
select = [
"E", # pycodestyle errors
"W", # pycodestyle warnings
"F", # pyflakes
"I", # isort
"UP", # pyupgrade
"B", # flake8-bugbear
"C4", # flake8-comprehensions
"SIM", # flake8-simplify
"RET", # flake8-return
"ARG", # unused arguments
"PTH", # pathlib
"PL", # pylint subset
"RUF", # Ruff-specific rules
"S", # flake8-bandit security checks
"T20", # print statements
"TRY", # exception handling hygiene
"PERF", # performance footguns
"PIE", # misc Python improvements
]
Comment thread .pinact.yml
Comment on lines +1 to +4
version: 3
files:
- pattern: .github/workflows/*.yml
- pattern: .github/workflows/*.yaml
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 08:29

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/ci.yaml
Comment on lines +15 to +18
permissions:
contents: read
actions: write

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 10, 2026 09:35

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 5 comments.

Comment thread .github/workflows/ci.yaml
Comment on lines +36 to +42
- name: Install Poetry
uses: step-security/install-poetry@8cee588dbbc9ca4f2882c176ce61917303942193 # v1.4.2
with:
virtualenvs-create: true
virtualenvs-in-project: true
virtualenvs-path: .venv

Comment thread pyproject.toml
Comment on lines +104 to +108
"tests/**" = [
"S101", # asserts are normal in tests
"ARG001", # pytest fixtures can look unused
"PLR2004", # literals in tests are normal
]
Comment on lines +14 to +18
zizmor:
name: Zizmor
runs-on: ubuntu-24.04
timeout-minutes: 10

Comment thread .pinact.yml
Comment on lines +1 to +7
version: 3
files:
- pattern: .github/workflows/*.yml
- pattern: .github/workflows/*.yaml
min_age:
value: 7
always: true
Comment on lines +40 to +44
codeql:
name: CodeQL (${{ matrix.language }})
runs-on: ubuntu-24.04
timeout-minutes: 10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants