Skip to content

Harden and update GitHub Actions workflows#2168

Merged
jonathan343 merged 3 commits into
masterfrom
harden-ci-workflows-new
May 5, 2026
Merged

Harden and update GitHub Actions workflows#2168
jonathan343 merged 3 commits into
masterfrom
harden-ci-workflows-new

Conversation

@jonathan343

@jonathan343 jonathan343 commented May 5, 2026

Copy link
Copy Markdown
Collaborator

Overview

This PR updates GitHub Actions dependencies to their latest versions, hardens workflow security, and tightens the Dependabot update cadence.

Changes

  • Update and pin actions to commit SHAs: All actions are upgraded to their latest versions and pinned to exact commit hashes, preventing supply chain attacks via tag mutation:
    • actions/checkout: v2 → v6.0.2
    • actions/setup-python: v6 → v6.2.0
    • actions/setup-node: v6 → v6.4.0
    • aws-actions/stale-issue-cleanup: v4 → v7.1.1
  • Add persist-credentials: false: Checkout steps no longer persist Git credentials in the workspace, reducing the blast radius of a compromised step.
  • Scope workflow permissions: run-tests.yml now declares permissions: contents: read at the workflow level; stale-issue.yml scopes the job to issues: write only.
  • Fix stale-issue cron schedule: Corrected the schedule from */60 * * * * (every hour) to 0 0 * * * (daily).
  • Add Dependabot 7-day cooldown: New updates won't be proposed until a dependency has been available for at least 7 days, reducing noise from short-lived or yanked releases.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

jonathan343 added 3 commits May 5, 2026 17:44
@jonathan343
Harden GitHub Actions workflows
b7b6c27 
Pin actions to commit SHAs, scope GITHUB_TOKEN to least
privilege, disable credential persistence on checkout, and
slow stale-issue cron from hourly to daily.
@jonathan343
Add dependabot 7 day cooldown
1666f94
@jonathan343
Add github-actions to dependabot
dcadf15
@jonathan343 jonathan343 merged commit 8a066bc into master May 5, 2026
19 checks passed
@jonathan343 jonathan343 deleted the harden-ci-workflows-new branch May 5, 2026 23:37
This was referenced May 5, 2026
Closed
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ubaskota ubaskota ubaskota approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jonathan343 @ubaskota