
ci: pin third-party action SHAs and add Dependabot cooldown#102

Merged
mdanish98 merged 8 commits into main from security/pin-actions-and-dependabot-cooldown on Jun 3, 2026

Conversation

Contributor

@ricogu ricogu commented May 26, 2026

Summary

Addresses open findings from the SAP Supply Chain Risk Monitoring Dashboard (Zizmor scanner). Fixes the one Medium severity finding and reduces Low severity findings by eliminating mutable action tags.

Changes Made

  • .github/dependabot.yml — Add cooldown block (default-days: 7, semver-major-days: 14) to resolve the Zizmor dependabot-cooldown Medium finding
  • .github/workflows/build-and-test.yml — Pin EndBug/add-and-commit@v10 and myrotvorets/set-commit-status-action@master to full commit SHAs
  • .github/workflows/release.yml — Pin mikepenz/release-changelog-builder-action@v6 and softprops/action-gh-release@v3 to full commit SHAs
  • .github/workflows/codeql.yml — Add zizmor: ignore[pull-request-target] suppression; the trigger is intentional and already documented with a full security model in the file header

Zizmor Finding Impact

| Finding | Severity | Before | After |
|---|---|---|---|
| dependabot-cooldown | Medium | open | resolved |
| artipacked (×4 actions) | Low | open | resolved (mutable tags eliminated) |
| pull_request_target | Low | open | suppressed (documented justification) |

Informational findings (template-injection, superfluous-actions) are confirmed false positives and are not addressed here.

Type of Change

  • Bug fix / security improvement (non-breaking)

Compatibility Analysis

All actions are pinned to the exact same commit they previously resolved to — no functional change. The cooldown field is a new Dependabot configuration option and does not affect existing open PRs.

- Pin EndBug/add-and-commit, myrotvorets/set-commit-status-action,
  mikepenz/release-changelog-builder-action, and softprops/action-gh-release
  to full commit SHAs to eliminate mutable-tag supply chain risk (Zizmor artipacked)
- Add cooldown to .github/dependabot.yml (default-days: 7, semver-major-days: 14)
  to resolve Zizmor dependabot-cooldown Medium finding
- Add zizmor: ignore[pull-request-target] suppression on codeql.yml; the trigger
  is intentional and already documented with a full security model in the file
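A small check for the pinning rule this PR applies, added here as an editor's example; it is not part of the PR or of the project's own CI. It scans `uses:` lines in a workflow file and flags third-party actions whose ref is not a full 40-hex commit SHA (the artipacked condition), skips local `./` actions and `docker://` images where the rule does not apply, and separately lists SHA-pinned actions that lack the trailing `# vN` version hint Dependabot relies on to map a SHA back to a release. The sample workflow text and the SHA in it are constructed placeholders, not values from the repository.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "uses: <target>" with an optional trailing "# comment" (for example
# the "# v3" version hint kept next to a SHA-pinned action).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class ActionRef:
    line_no: int
    action: str             # e.g. "softprops/action-gh-release"
    ref: Optional[str]      # tag, branch or SHA after "@"; None if absent
    comment: Optional[str]  # trailing comment, usually the version hint

    @property
    def out_of_scope(self) -> bool:
        # Local composite actions and docker:// images are not GitHub-hosted
        # repositories, so the SHA-pinning rule does not apply to them.
        return self.action.startswith("./") or self.action.startswith("docker://")

    @property
    def pinned(self) -> bool:
        return self.ref is not None and FULL_SHA_RE.match(self.ref) is not None


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Return every action reference in the workflow text, in file order."""
    refs: List[ActionRef] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip("\"'")
        if "@" in target:
            action, ref = target.rsplit("@", 1)
        else:
            action, ref = target, None
        refs.append(ActionRef(line_no, action, ref, m.group(2)))
    return refs


def find_unpinned(workflow_text: str) -> List[ActionRef]:
    """Third-party actions referenced by a mutable tag or branch (or no ref at all)."""
    return [r for r in parse_uses(workflow_text) if not r.out_of_scope and not r.pinned]


def find_missing_version_hint(workflow_text: str) -> List[ActionRef]:
    """SHA-pinned actions without a trailing "# vN" comment.

    The hint has no security effect, but without it Dependabot cannot tell
    which release the SHA corresponds to when proposing an update.
    """
    return [r for r in parse_uses(workflow_text)
            if r.pinned and not (r.comment or "").strip().startswith("v")]


# Constructed sample workflow: the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: EndBug/add-and-commit@v10
      - uses: myrotvorets/set-commit-status-action@master
      - uses: ./.github/actions/local-helper
      - uses: softprops/action-gh-release@0123456789abcdef0123456789abcdef01234567  # v3
      - uses: mikepenz/release-changelog-builder-action@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for r in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action}@{r.ref} is not pinned to a commit SHA")
    for r in find_missing_version_hint(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action} is SHA-pinned but has no version hint comment")
```

Run against the sample, the first loop reports the three tag- and branch-referenced actions and the second reports the `mikepenz` line, which is pinned correctly but lacks the `# v6`-style hint. Pointing `find_unpinned` at real files under `.github/workflows/` (reading them yourself; the block takes text) gives a quick regression check that a later edit has not reintroduced a mutable tag.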
@ricogu ricogu changed the title security: pin third-party action SHAs and add Dependabot cooldown ci: pin third-party action SHAs and add Dependabot cooldown May 26, 2026
@ricogu ricogu requested a review from mdanish98 May 26, 2026 08:45
@ricogu ricogu enabled auto-merge (squash) May 26, 2026 09:10
@ricogu ricogu closed this May 26, 2026
auto-merge was automatically disabled May 26, 2026 11:09

Pull request was closed

@ricogu ricogu reopened this May 26, 2026
mdanish98 previously approved these changes Jun 3, 2026
Member

@mdanish98 mdanish98 left a comment


lgtm!

@mdanish98 mdanish98 merged commit 10833fb into main Jun 3, 2026
14 checks passed
@mdanish98 mdanish98 deleted the security/pin-actions-and-dependabot-cooldown branch June 3, 2026 08:49