chore(ci): supply-chain hardening — SHA-pin actions, dependabot, deploy gate (#632)

frankbria · Test User · web-flow · commit ef2d5247dab8 · 2026-06-13T16:45:50.000-07:00
* chore(ci): supply-chain hardening — SHA-pin actions, dependabot, deploy gate Hardens the public repo's CI/CD ahead of beta traffic. - SHA-pin every third-party and first-party action across all workflows (was using mutable tags / @latest). Notably webfactory/ssh-agent (holds the VPS deploy key), anthropics/claude-code-action, codecov/codecov-action, and anomalyco/opencode (was @latest, a moving ref). Version kept in a trailing comment for readability. - Add .github/dependabot.yml (github-actions + pip + npm, weekly, grouped) so the new pins receive security/patch bumps instead of going stale. - Re-enable the test gate on the production deploy job (was commented out, so production could deploy without tests passing); clarify the staging gate. - Delete opencode-review.yml: it was already disabled (`if: false`) and flagged by its own comment as leaking GITHUB_TOKEN into PR comments, yet still carried issues:write + pull-requests:write. Removed rather than left parked. Settings applied out of band: Dependabot vulnerability alerts + automated security fixes enabled; branch protection on main set to strict (require up-to-date branch) + required conversation resolution. * chore(ci): align opencode.yml checkout to v4 SHA for pin consistency Addresses CodeRabbit: every other workflow pins actions/checkout to the v4 SHA; opencode.yml was on v6. No functional difference for a plain checkout. --------- Co-authored-by: Test User <test@example.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,31 @@
+version: 2
+updates:
+  # Keep GitHub Actions SHA pins current (security patches to pinned actions).
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      actions:
+        patterns: ["*"]
+        update-types: [minor, patch]
+
+  # Python dependencies (pyproject.toml).
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    groups:
+      python-minor-patch:
+        update-types: [minor, patch]
+
+  # Web UI dependencies.
+  - package-ecosystem: npm
+    directory: /web-ui
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5
+    groups:
+      npm-minor-patch:
+        update-types: [minor, patch]
diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml
@@ -33,7 +33,7 @@ jobs:
         if: |
           github.event.pull_request.changed_files >= 5 ||
           steps.calc.outputs.total >= 20
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 1
 
@@ -43,7 +43,7 @@ jobs:
           github.event.pull_request.changed_files >= 5 ||
           steps.calc.outputs.total >= 20
         id: claude-review
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@d5726de019ec4498aa667642bc3a80fca83aa102 # v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           prompt: |
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -26,13 +26,13 @@ jobs:
       actions: read # Required for Claude to read CI results on PRs
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 1
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@d5726de019ec4498aa667642bc3a80fca83aa102 # v1
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -34,7 +34,7 @@ jobs:
   deploy-staging:
     name: Deploy to Staging
     runs-on: ubuntu-latest
-    needs: test  # Temporarily disabled for debugging
+    needs: test  # Gate: do not deploy unless the test suite passes
     if: |
       (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
       (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'staging')
@@ -44,10 +44,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up SSH
-        uses: webfactory/ssh-agent@v0.9.0
+        uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
         with:
           ssh-private-key: ${{ secrets.SSH_KEY }}
 
@@ -248,7 +248,7 @@ jobs:
   deploy-production:
     name: Deploy to Production
     runs-on: ubuntu-latest
-    # needs: test  # Temporarily disabled for debugging
+    needs: test  # Gate: do not deploy to production unless the test suite passes
     if: |
       (github.event_name == 'release') ||
       (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'production')
@@ -258,10 +258,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up SSH
-        uses: webfactory/ssh-agent@v0.9.0
+        uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
         with:
           ssh-private-key: ${{ secrets.SSH_KEY }}
 
diff --git a/.github/workflows/lifecycle.yml b/.github/workflows/lifecycle.yml
@@ -35,15 +35,15 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
         with:
           enable-cache: true
 
@@ -88,7 +88,7 @@ jobs:
 
       - name: Upload test artifacts on failure
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: lifecycle-failure-${{ github.run_id }}
           path: |
diff --git a/.github/workflows/opencode-review.yml b/.github/workflows/opencode-review.yml
diff --git a/.github/workflows/opencode.yml b/.github/workflows/opencode.yml
@@ -21,10 +21,10 @@ jobs:
       issues: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Run opencode
-        uses: anomalyco/opencode/github@latest
+        uses: anomalyco/opencode/github@77fc88c8ade8e5a620ebbe1197f3a572d29ae91a # latest
         env:
           ZHIPU_API_KEY: ${{ secrets.ZHIPU_API_KEY }}
         with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
