
ci: harden GitHub Actions workflows#1412

Merged
sserrata merged 1 commit into main from ci/harden-workflows-security-review
Apr 10, 2026

Conversation

@sserrata (Member)

Summary

  • Fix stale version comments on SHA-pinned actions across all 7 workflows (checkout v4→v6.0.2, upload-artifact v4→v4.6.2, download-artifact v4→v8.0.1, codeql-action v3→v3.28.13/v3.34.1, compressed-size-action v2→v2.8.0)
  • Add --frozen-lockfile --prefer-offline --ignore-scripts to canary install in release.yaml
  • Switch validate downstream jobs (lint, test, cypress) to read-only actions/cache/restore
  • Increase Dependabot cooldown from 3 to 7 days for both ecosystems
  • Add concurrency groups to build-perf.yml and validate.yaml

Test plan

  • Verify validate.yaml jobs still pass (cache restore + yarn install)
  • Verify release.yaml canary job builds successfully with new install flags
  • Verify build-perf.yml concurrency cancels superseded runs on same PR
  • Confirm Dependabot respects new 7-day cooldown on next update cycle

🤖 Generated with Claude Code

Address findings from security review: fix stale version comments on
SHA-pinned actions, add frozen-lockfile and ignore-scripts to canary
install, switch validate downstream jobs to read-only cache, increase
Dependabot cooldown to 7 days, and add concurrency groups.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
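The summary above lists three properties a reviewer wants to be able to re-check mechanically on every workflow file: each `uses:` reference is pinned to a commit SHA whose trailing version comment is still accurate, a top-level `concurrency:` block exists, and only the job that populates the cache uses read-write `actions/cache` while downstream jobs use `actions/cache/restore`. The script below is an added example, not code from this PR or from the project; the sample workflow, its 40-hex SHAs, the `KNOWN_PINS` SHA-to-tag table and the `cache_writer_jobs` job name are all constructed for illustration, and in practice the table would be filled by resolving each SHA in the upstream action repository.

```python
"""Lint GitHub Actions workflow text for SHA pinning, version-comment drift,
a concurrency block, and read-write cache use outside the cache-writer job.
Added example; all sample data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow (not one of the project's real files).
# The SHAs are placeholders, not real action commits.
SAMPLE_WORKFLOW = """\
name: validate
on: [pull_request]
concurrency:
  group: validate-${{ github.ref }}
  cancel-in-progress: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef # v4.2.0
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef # v4.2.0
      - uses: actions/setup-node@v4
"""

# Assumed (constructed) SHA -> release tag table; a real one is built by
# resolving each pinned SHA against the upstream action repository.
KNOWN_PINS = {
    "0123456789abcdef0123456789abcdef01234567": "v6.0.2",
    "89abcdef0123456789abcdef0123456789abcdef": "v4.2.0",
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+)*$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # job keys sit at 2-space indent


@dataclass(frozen=True)
class Finding:
    line: int          # 0 means "whole file"
    job: str | None
    message: str


def check_workflow(text: str, known_pins=KNOWN_PINS,
                   cache_writer_jobs=frozenset({"build"})) -> list[Finding]:
    """Return one Finding per problem found in the workflow text."""
    findings: list[Finding] = []
    in_jobs, job, has_concurrency = False, None, False
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("concurrency:"):
            has_concurrency = True
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        jm = JOB_RE.match(line) if in_jobs else None
        if jm:
            job = jm.group(1)
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith(("./", "docker://")):
            continue  # local and docker actions are outside this check
        if "@" not in ref:
            findings.append(Finding(n, job, f"{ref}: missing @ref"))
            continue
        name, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(Finding(n, job, f"{name}: pinned to mutable ref {version!r}, not a commit SHA"))
        elif comment is None or not VERSION_RE.match(comment):
            findings.append(Finding(n, job, f"{name}: SHA pin lacks a version comment"))
        elif version in known_pins and known_pins[version] != comment:
            findings.append(Finding(n, job, f"{name}: comment says {comment} but SHA is {known_pins[version]}"))
        if name == "actions/cache" and job not in cache_writer_jobs:
            findings.append(Finding(n, job, "read-write actions/cache in a downstream job; use actions/cache/restore"))
    if not has_concurrency:
        findings.append(Finding(0, None, "no top-level concurrency block; superseded runs keep running"))
    return findings


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line} job={f.job}: {f.message}")
```

Run against the constructed sample, the `lint` job produces three findings: a stale `# v4` comment on a SHA the table maps to v6.0.2, a read-write `actions/cache` step in a job that should only restore, and a `setup-node@v4` tag pin that can move. The version-comment check is only as good as the SHA table, which is the point of the stale-comment fix in this PR: a comment is documentation, and only resolving the SHA tells you what actually runs.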
@github-actions

Size Change: 0 B

Total Size: 2.26 MB

Filename Size
demo/.docusaurus/codeTranslations.json 2 B
demo/.docusaurus/docusaurus.config.mjs 16.3 kB
demo/.docusaurus/globalData.json 69.2 kB
demo/.docusaurus/i18n.json 372 B
demo/.docusaurus/registry.js 100 kB
demo/.docusaurus/routes.js 94.6 kB
demo/.docusaurus/routesChunkNames.json 39.3 kB
demo/.docusaurus/site-metadata.json 1.58 kB
demo/build/assets/css/styles.********.css 171 kB
demo/build/assets/js/main.********.js 664 kB
demo/build/assets/js/runtime~main.********.js 23.2 kB
demo/build/index.html 95.6 kB
demo/build/petstore/add-pet/index.html 30 kB
demo/build/petstore/create-user/index.html 24.7 kB
demo/build/petstore/create-users-with-array-input/index.html 24.8 kB
demo/build/petstore/create-users-with-list-input/index.html 24.8 kB
demo/build/petstore/delete-order/index.html 24.5 kB
demo/build/petstore/delete-pet/index.html 24.8 kB
demo/build/petstore/delete-user/index.html 25 kB
demo/build/petstore/find-pets-by-status/index.html 25.5 kB
demo/build/petstore/find-pets-by-tags/index.html 25.7 kB
demo/build/petstore/get-inventory/index.html 23.8 kB
demo/build/petstore/get-order-by-id/index.html 24.8 kB
demo/build/petstore/get-pet-by-id/index.html 25.6 kB
demo/build/petstore/get-user-by-name/index.html 25.1 kB
demo/build/petstore/login-user/index.html 25.6 kB
demo/build/petstore/logout-user/index.html 24.4 kB
demo/build/petstore/new-pet/index.html 25 kB
demo/build/petstore/pet/index.html 23.2 kB
demo/build/petstore/place-order/index.html 24 kB
demo/build/petstore/schemas/apiresponse/index.html 25.2 kB
demo/build/petstore/schemas/cat/index.html 39 kB
demo/build/petstore/schemas/category/index.html 26.3 kB
demo/build/petstore/schemas/dog/index.html 39.3 kB
demo/build/petstore/schemas/honeybee/index.html 39.3 kB
demo/build/petstore/schemas/id/index.html 23.4 kB
demo/build/petstore/schemas/order/index.html 27.3 kB
demo/build/petstore/schemas/pet/index.html 38.8 kB
demo/build/petstore/schemas/tag/index.html 24.7 kB
demo/build/petstore/schemas/user/index.html 40.7 kB
demo/build/petstore/store/index.html 22.2 kB
demo/build/petstore/subscribe-to-the-store-events/index.html 30.9 kB
demo/build/petstore/swagger-petstore-yaml/index.html 30.9 kB
demo/build/petstore/update-pet-with-form/index.html 25 kB
demo/build/petstore/update-pet/index.html 25.4 kB
demo/build/petstore/update-user/index.html 25 kB
demo/build/petstore/upload-file/index.html 24.8 kB
demo/build/petstore/user/index.html 22.9 kB

compressed-size-action

@github-actions

Visit the preview URL for this PR (updated for commit f6ab558):

https://docusaurus-openapi-36b86--pr1412-6eyuc4vd.web.app

(expires Fri, 17 Apr 2026 17:27:03 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: bf293780ee827f578864d92193b8c2866acd459f

@sserrata sserrata merged commit ef99cfd into main Apr 10, 2026
11 checks passed
@sserrata sserrata deleted the ci/harden-workflows-security-review branch April 10, 2026 17:30