Commit 22a884b
ci: fix the Security workflow (pin actions, dependabot cooldown, real security-check gate) (#279)
* chore(ci): pin GitHub Actions to commit SHAs across the monorepo
Pin every `uses:` reference to a full commit SHA (with a version comment
so Dependabot keeps them current) across the root workflows and all
packages/*/.github workflows. Resolves the semgrep
github-actions-mutable-action-tag findings.
Applied with pinact.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* chore(ci): add a 7-day Dependabot cooldown to every update entry
Add `cooldown: { default-days: 7 }` to each ecosystem in every
dependabot.yml across the monorepo (and normalise the one pre-existing
cooldown to 7 days). Resolves the semgrep dependabot-missing-cooldown
findings and delays pulling freshly-published (possibly compromised)
releases.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(security-check): treat empty $guarded as a warning, not a failure
Backstage's 17 core models deliberately use `$guarded = []` because
writes go through validated Filament admin forms, not raw request mass
assignment. The security check flagged all of them as a high-severity
failure — a false positive relative to the architecture. Split the
mass-assignment check so empty $guarded is a medium warning while
sensitive fields in $fillable remain a hard failure.
Add a Pest test asserting `backstage:security-check --package-only`
exits 0, and record the decision in ADR-0003.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* chore(ci): pin actions pinact could not auto-resolve, add pinact config
Three pint.yml refs pointed at non-existent tags (laravel-pint-action
@latest / @2.4.0, git-auto-commit-action @v5.0) that pinact could not
resolve; pin them to valid release SHAs by hand. Add .pinact.yaml so
both the one-shot pin and the CI guard cover packages/*/.github
workflows, not just the root.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* ci(security): gate on the security check, add an action-pinning guard
The Backstage Security Check job never actually ran: this is a package
repo with no `artisan` binary, and it passed a non-existent `--ci`
flag, all masked by continue-on-error. Run it through the test harness
instead (a Pest test that boots the full provider stack), mirroring the
run-tests MySQL service + extensions + DB env, and drop
continue-on-error so it genuinely gates CI.
Add an Action Pinning job (pinact-action, fix disabled) that fails when
any workflow reintroduces an unpinned action.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>1 parent cbc9ce4 commit 22a884b
6 files changed
Lines changed: 16 additions & 12 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
| 8 | + | |
| 9 | + | |
8 | 10 | | |
9 | 11 | | |
10 | 12 | | |
11 | 13 | | |
12 | 14 | | |
13 | 15 | | |
14 | 16 | | |
| 17 | + | |
| 18 | + | |
15 | 19 | | |
16 | 20 | | |
17 | 21 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
17 | | - | |
| 17 | + | |
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
15 | 15 | | |
16 | 16 | | |
17 | 17 | | |
18 | | - | |
| 18 | + | |
19 | 19 | | |
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
23 | | - | |
| 23 | + | |
24 | 24 | | |
25 | 25 | | |
26 | | - | |
| 26 | + | |
27 | 27 | | |
28 | 28 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
16 | | - | |
| 16 | + | |
17 | 17 | | |
18 | 18 | | |
19 | | - | |
| 19 | + | |
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
25 | | - | |
| 25 | + | |
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
32 | 32 | | |
33 | 33 | | |
34 | 34 | | |
35 | | - | |
| 35 | + | |
36 | 36 | | |
37 | 37 | | |
38 | | - | |
| 38 | + | |
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
14 | 14 | | |
15 | 15 | | |
16 | 16 | | |
17 | | - | |
| 17 | + | |
18 | 18 | | |
19 | 19 | | |
20 | 20 | | |
21 | 21 | | |
22 | | - | |
| 22 | + | |
23 | 23 | | |
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
28 | | - | |
| 28 | + | |
29 | 29 | | |
30 | 30 | | |
31 | 31 | | |
| |||
0 commit comments