Skip to content

Commit 22a884b

Browse files
Casmoclaude
andauthored
ci: fix the Security workflow (pin actions, dependabot cooldown, real security-check gate) (#279)
* chore(ci): pin GitHub Actions to commit SHAs across the monorepo Pin every `uses:` reference to a full commit SHA (with a version comment so Dependabot keeps them current) across the root workflows and all packages/*/.github workflows. Resolves the semgrep github-actions-mutable-action-tag findings. Applied with pinact. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * chore(ci): add a 7-day Dependabot cooldown to every update entry Add `cooldown: { default-days: 7 }` to each ecosystem in every dependabot.yml across the monorepo (and normalise the one pre-existing cooldown to 7 days). Resolves the semgrep dependabot-missing-cooldown findings and delays pulling freshly-published (possibly compromised) releases. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(security-check): treat empty $guarded as a warning, not a failure Backstage's 17 core models deliberately use `$guarded = []` because writes go through validated Filament admin forms, not raw request mass assignment. The security check flagged all of them as a high-severity failure — a false positive relative to the architecture. Split the mass-assignment check so empty $guarded is a medium warning while sensitive fields in $fillable remain a hard failure. Add a Pest test asserting `backstage:security-check --package-only` exits 0, and record the decision in ADR-0003. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * chore(ci): pin actions pinact could not auto-resolve, add pinact config Three pint.yml refs pointed at non-existent tags (laravel-pint-action @latest / @2.4.0, git-auto-commit-action @v5.0) that pinact could not resolve; pin them to valid release SHAs by hand. Add .pinact.yaml so both the one-shot pin and the CI guard cover packages/*/.github workflows, not just the root. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * ci(security): gate on the security check, add an action-pinning guard The Backstage Security Check job never actually ran: this is a package repo with no `artisan` binary, and it passed a non-existent `--ci` flag, all masked by continue-on-error. Run it through the test harness instead (a Pest test that boots the full provider stack), mirroring the run-tests MySQL service + extensions + DB env, and drop continue-on-error so it genuinely gates CI. Add an Action Pinning job (pinact-action, fix disabled) that fails when any workflow reintroduces an unpinned action. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent cbc9ce4 commit 22a884b

6 files changed

Lines changed: 16 additions & 12 deletions

File tree

.github/dependabot.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,13 +5,17 @@ version: 2
55
updates:
66

77
- package-ecosystem: "github-actions"
8+
cooldown:
9+
default-days: 7
810
directory: "/"
911
schedule:
1012
interval: "weekly"
1113
labels:
1214
- "dependencies"
1315

1416
- package-ecosystem: "composer"
17+
cooldown:
18+
default-days: 7
1519
directory: "/"
1620
schedule:
1721
interval: "weekly"

.github/workflows/dependabot-auto-merge.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414

1515
- name: Dependabot metadata
1616
id: metadata
17-
uses: dependabot/fetch-metadata@v2.4.0
17+
uses: dependabot/fetch-metadata@08eff52bf64351f401fb50d4972fa95b9f2c2d1b # v2.4.0
1818
with:
1919
github-token: "${{ secrets.GITHUB_TOKEN }}"
2020

.github/workflows/fix-php-code-style-issues.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,14 +15,14 @@ jobs:
1515

1616
steps:
1717
- name: Checkout code
18-
uses: actions/checkout@v6
18+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
1919
with:
2020
ref: ${{ github.head_ref }}
2121

2222
- name: Fix PHP code style issues
23-
uses: aglipanci/laravel-pint-action@2.6
23+
uses: aglipanci/laravel-pint-action@36de00d5f5a8a4e12d443e01671daa12a18f4c79 # 2.6
2424

2525
- name: Commit changes
26-
uses: stefanzweifel/git-auto-commit-action@v5
26+
uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
2727
with:
2828
commit_message: Fix styling

.github/workflows/phpstan.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,16 +13,16 @@ jobs:
1313
runs-on: ubuntu-latest
1414
timeout-minutes: 5
1515
steps:
16-
- uses: actions/checkout@v6
16+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
1717

1818
- name: Setup PHP
19-
uses: shivammathur/setup-php@v2
19+
uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2
2020
with:
2121
php-version: '8.2'
2222
coverage: none
2323

2424
- name: Install composer dependencies
25-
uses: ramsey/composer-install@v3
25+
uses: ramsey/composer-install@a8d0d959dab41457692a5e2041bd9b757a119e3f # 3.2.1
2626

2727
- name: Run PHPStan
2828
run: ./vendor/bin/phpstan --error-format=github

.github/workflows/run-tests.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,10 +32,10 @@ jobs:
3232

3333
steps:
3434
- name: Checkout code
35-
uses: actions/checkout@v6
35+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
3636

3737
- name: Setup PHP
38-
uses: shivammathur/setup-php@v2
38+
uses: shivammathur/setup-php@f3e473d116dcccaddc5834248c87452386958240 # 2.37.2
3939
with:
4040
php-version: ${{ matrix.php }}
4141
extensions: dom, curl, libxml, mbstring, zip, pcntl, pdo, sqlite, pdo_sqlite, bcmath, soap, intl, gd, exif, iconv, imagick, fileinfo

.github/workflows/update-changelog.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -14,18 +14,18 @@ jobs:
1414

1515
steps:
1616
- name: Checkout code
17-
uses: actions/checkout@v6
17+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
1818
with:
1919
ref: main
2020

2121
- name: Update Changelog
22-
uses: stefanzweifel/changelog-updater-action@v1
22+
uses: stefanzweifel/changelog-updater-action@a938690fad7edf25368f37e43a1ed1b34303eb36 # v1.12.0
2323
with:
2424
latest-version: ${{ github.event.release.name }}
2525
release-notes: ${{ github.event.release.body }}
2626

2727
- name: Commit updated CHANGELOG
28-
uses: stefanzweifel/git-auto-commit-action@v5
28+
uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0
2929
with:
3030
branch: main
3131
commit_message: Update CHANGELOG

0 commit comments

Comments
 (0)