Skip to content

Workflow supply-chain hardening: unpinned actions, Renovate config without the app, untriaged Dependabot PRs #34

Description

A few related gaps in the workflows:

  • Every uses: is a floating tag (actions/checkout@v4, oven-sh/setup-bun@v2, raven-actions/actionlint@v2, actions/github-script@v8, ...). setup-bun runs inside publish jobs that hold id-token: write and NPM_TOKEN, so a compromised tag there could exfiltrate the token or mint bad provenance. Pinning the publish chain to SHAs is the highest-value slice.
  • .github/renovate.json extends helpers:pinGitHubActionDigests with automerge rules, but the Renovate app isn't installed; zero Renovate PRs exist. Either install it (the config is ready) or delete the config.
  • Dependabot PRs chore(ci): bump github/codeql-action from 3 to 4 #1-chore(ci): bump actions/checkout from 3 to 7 #5 (checkout, codeql-action, github-script, setup-node, gitleaks-action bumps) sit unmerged, and there's no dependabot.yml in the tree to keep them coming.
  • No job anywhere sets timeout-minutes, so a hang burns the 6-hour default. codeql.yml and gitleaks.yml have no concurrency groups, so rapid pushes double-run them.
  • Branch protection on main requires the three CI checks but zero approving reviews, doesn't require CodeQL or the secret scan, and doesn't require branches to be up to date before merge.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestgithub_actionsPull requests that update GitHub Actions code

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions