chore: deps hardening — pin actions, scope permissions (#419)

Co-authored-by: grandizzy <38490174+grandizzy@users.noreply.github.com>
Co-authored-by: horsefacts <horsefacts@tempo.xyz>

Author: 3 people

.changelog/supply-chain-hardening.md

@@ -0,0 +1,6 @@
+---
+tempo-wallet: patch
+tempo-request: patch
+---
+
+Pin all GitHub Actions to commit SHAs, fix template injection in CI workflows, scope permissions per-job, replace curl|sh with checksum-verified binary download, add Dependabot cooldown, and suppress unfixable transitive advisories in deny.toml.

.github/dependabot.yml

@@ -5,9 +5,13 @@ updates:
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 10
+    cooldown:
+      default-days: 7

.github/workflows/build.yml

@@ -7,16 +7,15 @@ on:
       - "tempo-wallet@*"
       - "tempo-request@*"
 
-permissions:
-  contents: write
-
 env:
   CARGO_TERM_COLOR: always
   CARGO_NET_GIT_FETCH_WITH_CLI: "true"
 
 jobs:
   parse-tag:
     name: Parse tag
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     outputs:
       packages: ${{ steps.parse.outputs.packages }}
@@ -57,6 +56,8 @@ jobs:
 
   build:
     name: Build ${{ matrix.package }} (${{ matrix.build.target }})
+    permissions:
+      contents: read
     needs: [parse-tag]
     runs-on: ${{ matrix.build.os }}
     strategy:
@@ -79,26 +80,31 @@ jobs:
     env:
       PACKAGE: ${{ matrix.package }}
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           target: ${{ matrix.build.target }}
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
         with:
           key: ${{ matrix.build.target }}
+          save-if: false
       - name: Configure git auth
         run: git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
       - name: Build release binary
         run: cargo build --release --target ${{ matrix.build.target }} -p ${{ env.PACKAGE }}
       - run: strip target/${{ matrix.build.target }}/release/${{ env.PACKAGE }}
       - run: mv target/${{ matrix.build.target }}/release/${{ env.PACKAGE }} ${{ env.PACKAGE }}-${{ matrix.build.suffix }}
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ${{ env.PACKAGE }}-${{ matrix.build.suffix }}
           path: ${{ env.PACKAGE }}-${{ matrix.build.suffix }}
 
   publish:
     name: Publish ${{ matrix.package }}
+    permissions:
+      contents: write
     needs: [parse-tag, build]
     runs-on: ubuntu-latest
     strategy:
@@ -110,8 +116,10 @@ jobs:
       VERSION: ${{ needs.parse-tag.outputs.version }}
       RELEASE_TAG: ${{ needs.parse-tag.outputs.release_tag }}
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/download-artifact@v8
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: artifacts
           pattern: ${{ env.PACKAGE }}-*

.github/workflows/changelog-generate.yml

@@ -21,8 +21,11 @@ jobs:
     steps:
       - name: Determine PR source
         id: source
+        env:
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          THIS_REPO: ${{ github.repository }}
         run: |
-          if [ "${{ github.event.pull_request.head.repo.full_name }}" = "${{ github.repository }}" ]; then
+          if [ "$HEAD_REPO" = "$THIS_REPO" ]; then
             echo "same_repo=true" >> "$GITHUB_OUTPUT"
           else
             echo "same_repo=false" >> "$GITHUB_OUTPUT"
@@ -42,18 +45,21 @@ jobs:
           fi
           echo "ref=$REF" >> "$GITHUB_OUTPUT"
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         if: steps.source.outputs.same_repo == 'true'
         with:
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
           token: ${{ secrets.GH_PAT }}
+          persist-credentials: false
 
       - name: Fetch base branch for diff comparison
         if: steps.source.outputs.same_repo == 'true'
+        env:
+          BASE_REF: ${{ github.base_ref }}
         run: |
-          git fetch origin "${{ github.base_ref }}"
+          git fetch origin "$BASE_REF"
 
       - name: Configure git credentials for private dependencies
         if: steps.source.outputs.same_repo == 'true'
@@ -62,20 +68,31 @@ jobs:
       - name: Check for existing changelog
         if: steps.source.outputs.same_repo == 'true'
         id: existing
+        env:
+          BASE_REF: ${{ github.base_ref }}
         run: |
-          if git diff "origin/${{ github.base_ref }}...HEAD" --name-only | grep -q '^\.changelog/.*\.md$'; then
+          if git diff "origin/${BASE_REF}...HEAD" --name-only | grep -q '^\.changelog/.*\.md$'; then
             echo "found=true" >> "$GITHUB_OUTPUT"
           else
             echo "found=false" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Install changelogs
         if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
-        run: curl -sSL https://changelogs.sh | sh -s -- changelogs@0.6.2
+        run: |
+          EXPECTED_SHA256="34bca37144e400d167f936d83c092da4b032591a74ae8c0175c3a42d716cc54c"
+          CHANGELOGS_BIN="$RUNNER_TEMP/changelogs"
+          curl -fsSL "https://github.com/tempoxyz/changelogs/releases/download/changelogs%400.6.2/changelogs-linux-amd64" -o "$CHANGELOGS_BIN"
+          ACTUAL_SHA256=$(sha256sum "$CHANGELOGS_BIN" | cut -d' ' -f1)
+          if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+            echo "::error::changelogs checksum mismatch: expected $EXPECTED_SHA256, got $ACTUAL_SHA256"
+            exit 1
+          fi
+          chmod +x "$CHANGELOGS_BIN"
 
       - name: Install claude
         if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
-        run: npm install -g @anthropic-ai/claude-code
+        run: npm install -g @anthropic-ai/claude-code@1.0.3
 
       - name: Extract bump level from label
         if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
@@ -89,7 +106,9 @@ jobs:
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           BUMP_LEVEL: ${{ steps.bump.outputs.level }}
+          BASE_REF: ${{ github.base_ref }}
         run: |
+          CHANGELOGS_BIN="$RUNNER_TEMP/changelogs"
           cat > /tmp/changelog-instructions.md << 'PROMPT'
           Generate a changelog entry for this git diff.
 
@@ -114,28 +133,35 @@ jobs:
           {diff}
           PROMPT
           sed -i "s/BUMP_LEVEL/$BUMP_LEVEL/g" /tmp/changelog-instructions.md
-          changelogs add --ai "claude -p" --ref "origin/${{ github.base_ref }}" \
+          "$CHANGELOGS_BIN" add --ai "claude -p" --ref "origin/${BASE_REF}" \
             --instructions "$(cat /tmp/changelog-instructions.md)"
 
       - name: Commit and push changelog
         if: steps.source.outputs.same_repo == 'true' && steps.existing.outputs.found == 'false'
+        env:
+          VALIDATED_REF: ${{ steps.ref.outputs.ref }}
         run: |
           set -euo pipefail
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add .changelog/
           git commit -m "chore: add changelog"
-          git push origin "HEAD:${{ steps.ref.outputs.ref }}"
+          git push origin "HEAD:${VALIDATED_REF}"
 
       - name: Comment for fork PRs
         if: steps.source.outputs.same_repo != 'true'
         env:
           GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.number }}
+          REPO: ${{ github.repository }}
         run: |
-          gh pr comment "${{ github.event.number }}" --repo "${{ github.repository }}" --body "Changelog auto-generation is only supported for same-repo branches. For fork PRs, please add a changelog file manually under .changelog/."
+          gh pr comment "$PR_NUMBER" --repo "$REPO" --body "Changelog auto-generation is only supported for same-repo branches. For fork PRs, please add a changelog file manually under .changelog/."
 
       - name: Remove label
         if: always()
         env:
           GH_TOKEN: ${{ github.token }}
-        run: gh pr edit ${{ github.event.number }} --repo "${{ github.repository }}" --remove-label "${{ github.event.label.name }}"
+          PR_NUMBER: ${{ github.event.number }}
+          REPO: ${{ github.repository }}
+          LABEL: ${{ github.event.label.name }}
+        run: gh pr edit "$PR_NUMBER" --repo "$REPO" --remove-label "$LABEL"

.github/workflows/changelog.yml

@@ -14,16 +14,19 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Run changelog action (same-repo PRs)
         if: github.event.pull_request.head.repo.full_name == github.repository
         uses: tempoxyz/changelogs/check@b0179e7300997dfa5a631a6a7a2de248bf63310f # changelogs@0.6.3 + unified PR title + install from source
       - name: Verify changelog entry exists
         if: github.event.pull_request.head.repo.full_name != github.repository
+        env:
+          BASE_REF: ${{ github.base_ref }}
         run: |
-          CHANGELOGS=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- '.changelog/*.md' | grep -v config.toml || true)
+          CHANGELOGS=$(git diff --name-only "origin/${BASE_REF}...HEAD" -- '.changelog/*.md' | grep -v config.toml || true)
           if [ -z "$CHANGELOGS" ]; then
             echo "::error::A changelog entry is required for this PR. Add a .changelog/*.md file."
             exit 1

.github/workflows/lint.yml

@@ -26,13 +26,13 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@nightly
+      - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly
         with:
           components: clippy
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
       - name: Run clippy
         run: cargo clippy --workspace --all-targets --all-features --locked
         env:
@@ -45,10 +45,10 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@nightly
+      - uses: dtolnay/rust-toolchain@5b842231ba77f5c045dba54ac5560fed2db780e2 # nightly
         with:
           components: rustfmt
       - name: Check formatting
@@ -61,7 +61,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Run Tempo Lints
@@ -79,7 +79,7 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - uses: crate-ci/typos@02ea592e44b3a53c302f697cddca7641cd051c3d # v1.45.0
@@ -91,10 +91,10 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
       - uses: taiki-e/install-action@7a4939c09608b2a1986b484eca1d16fd0db8ebef # v2.75.5
         with:
           tool: cargo-deny

.github/workflows/pr-audit.yml

@@ -6,6 +6,10 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   pr-audit:
     if: >-
@@ -16,4 +20,7 @@ jobs:
         contains(fromJson('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
       )
     uses: tempoxyz/gh-actions/.github/workflows/pr-audit.yml@1a49d3e9f9983a55832d7163faa970b7ba3c1af9
-    secrets: inherit
+    secrets:
+      EVENTS_KEY: ${{ secrets.EVENTS_KEY }}
+      EVENTS_CERT: ${{ secrets.EVENTS_CERT }}
+      EVENTS_ARGS: ${{ secrets.EVENTS_ARGS }}

.github/workflows/release.yml

@@ -7,9 +7,7 @@ on:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 env:
   CARGO_TERM_COLOR: always
@@ -18,11 +16,15 @@ env:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           token: ${{ secrets.GH_PAT }}
+          persist-credentials: false
 
       - name: Configure git auth
         run: git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"

.github/workflows/skill.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/test.yml

@@ -25,11 +25,11 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
       - name: Run tests
         run: cargo test --workspace --all-features --locked
 
@@ -40,10 +40,10 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
       - name: Build docs
         env:
           RUSTDOCFLAGS: -D warnings