Proposal: Pin GitHub Actions to commit SHAs for supply-chain security#1474

Open
ysknsid25 wants to merge 7 commits into
open-circle:mainfrom
ysknsid25:chore/pin-github-actions-sha
Conversation

@ysknsid25

@ysknsid25 ysknsid25 commented May 24, 2026

Contributor

resolve: #1475


Summary by cubic

Pinned all GitHub Actions to commit SHAs and added a CI check to enforce pinning for better supply-chain security. Set CI to use pnpm 11 and enforced a 7-day minimumReleaseAge to avoid too-new releases.

  • New Features

    • Added pinact workflow using suzuki-shunsuke/pinact-action@cf51507… to verify pins on PRs; fixed persist-credentials indentation.
  • Dependencies

    • Pinned actions/checkout to de0fac2… (v6.0.2) across workflows.
    • In the composite action: pinned pnpm/action-setup@b906aff… (v4.3.0) with version: 11, actions/setup-node@48b55a… (v6.4.0), and denoland/setup-deno@667a34… (v2.0.4).
    • Added .github/dependabot.yml for grouped monthly github-actions updates.

Written for commit 05ea979. Summary will update on new commits.

@vercel

vercel Bot commented May 24, 2026


@ysknsid25 is attempting to deploy a commit to the Open Circle Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented May 24, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7c4b993e-9726-47e7-af0e-314d66be882a

📥 Commits

Reviewing files that changed from the base of the PR and between 0e94783 and 05ea979.

📒 Files selected for processing (1)
  • pnpm-workspace.yaml

Walkthrough

This pull request pins GitHub Actions to specific commit SHAs across the repository's CI, publish, and environment setup workflows. The environment composite action pins pnpm/action-setup, actions/setup-node, and denoland/setup-deno to SHAs. All checkout steps in ci.yml and publish.yml now use a pinned actions/checkout v6.0.2 SHA instead of floating @v6. A Dependabot configuration enables monthly GitHub Actions scans with grouped updates, and a new pinact workflow validates pinned actions on pull requests affecting .github paths.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Title check: ✅ Passed. The PR title accurately and specifically describes the main objective: pinning GitHub Actions to commit SHAs for supply-chain security, which is the core focus of all changes.
  • Description check: ✅ Passed. The PR description clearly explains the changes made (pinning actions, adding Dependabot config, updating pnpm settings) and links to the related issue #1475, providing relevant context.
  • Linked Issues check: ✅ Passed. The PR substantially addresses the linked issue #1475: all GitHub Actions are pinned to commit SHAs with version comments, Dependabot config added for the github-actions ecosystem, pnpm upgraded with minimumReleaseAge set (though set to 7 days rather than the suggested default of 1 day, with 10080 as a commented option).
  • Out of Scope Changes check: ✅ Passed. All changes directly support the supply-chain security objectives in issue #1475: action pinning, Dependabot configuration, pnpm version management, and minimumReleaseAge settings. No unrelated changes detected.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Signed-off-by: ysknsid25 <kengo071225@gmail.com>
@ysknsid25 ysknsid25 force-pushed the chore/pin-github-actions-sha branch from 3b644e6 to 5a3f91d Compare May 25, 2026 12:41
@ysknsid25 ysknsid25 marked this pull request as ready for review May 31, 2026 15:26
Copilot AI review requested due to automatic review settings May 31, 2026 15:26
@dosubot dosubot Bot added labels May 31, 2026: size:XS (This PR changes 0-9 lines, ignoring generated files.), github (GitHub related changes), tooling (Tooling for devs)

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/ci.yml (1)

14-15: Consider setting persist-credentials: false for additional supply-chain hardening.

While SHA pinning prevents tag-rewrite attacks, the static analysis tool flags that checkout steps don't set persist-credentials: false. When credentials persist in .git/config, they could potentially be exposed if build artifacts or caches are compromised. For workflows that don't need to push commits or tags, setting persist-credentials: false removes this attack surface.

Example hardening for checkout steps
- name: Checkout repository
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  with:
    persist-credentials: false

This is out of scope for SHA pinning but aligns with the PR's supply-chain security theme.

Also applies to: 24-25, 37-38, 50-51, 63-64, 76-77, 89-90, 102-103, 115-116, 128-129, 141-142

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 14 - 15, The checkout steps using
"uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" should set
persist-credentials: false to avoid leaving tokens in .git/config; update each
Checkout repository step (all occurrences of the actions/checkout@... usage) to
include a with: persist-credentials: false block so workflows that don't push
won't retain credentials.
.github/workflows/publish.yml (1)

21-22: Consider setting persist-credentials: false for publish workflows.

The same credential persistence consideration from ci.yml applies here. Since these publish jobs use id-token: write for provenance and don't push commits, setting persist-credentials: false on checkout steps would reduce the attack surface.

See the operational advice in the ci.yml review for the pattern. This hardening is particularly relevant for publish workflows handling release credentials.

Also applies to: 41-42, 55-56, 75-76, 94-95, 114-115

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 21 - 22, The checkout steps
labeled "Checkout repository" in the publish workflow currently use
actions/checkout@de0fac2... and retain persisted credentials; update each of
those checkout steps (all occurrences of the "Checkout repository" job steps in
.github/workflows/publish.yml) to include persist-credentials: false so the
runner does not leave GITHUB_TOKEN credentials around (these publish jobs
already use id-token: write and do not push commits), applying the same change
to every checkout instance noted in the review.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/pinact.yml:
- Line 16: The checkout step using
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd should explicitly
disable credential persistence to avoid storing the GITHUB_TOKEN in local git
config; update the checkout step to include the input persist-credentials: false
(i.e., add persist-credentials: false under the actions/checkout step) so
credentials are not persisted for subsequent steps or artifacts.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 14-15: The checkout steps using "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" should set
persist-credentials: false to avoid leaving tokens in .git/config; update each
Checkout repository step (all occurrences of the actions/checkout@... usage) to
include a with: persist-credentials: false block so workflows that don't push
won't retain credentials.

In @.github/workflows/publish.yml:
- Around line 21-22: The checkout steps labeled "Checkout repository" in the
publish workflow currently use actions/checkout@de0fac2... and retain persisted
credentials; update each of those checkout steps (all occurrences of the
"Checkout repository" job steps in .github/workflows/publish.yml) to include
persist-credentials: false so the runner does not leave GITHUB_TOKEN credentials
around (these publish jobs already use id-token: write and do not push commits),
applying the same change to every checkout instance noted in the review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 41b0cae5-8ba5-47cd-adea-2c490ddbe715

📥 Commits

Reviewing files that changed from the base of the PR and between fa43437 and ab38175.

📒 Files selected for processing (5)
  • .github/actions/environment/action.yml
  • .github/dependabot.yml
  • .github/workflows/ci.yml
  • .github/workflows/pinact.yml
  • .github/workflows/publish.yml
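The PR description says the new pinact workflow verifies that every action reference is pinned, and the review comment above asks for persist-credentials: false on each actions/checkout step. The script below is an added example for this page, not the project's pinact workflow and not code from suzuki-shunsuke/pinact-action; it checks both properties over a workflow file, plus the "version comment beside the SHA" convention the linked-issue check mentions. It is deliberately line-based so it needs no YAML library, and it assumes the ordinary "- name / uses / with" step layout. The embedded sample workflow is constructed: its actions/checkout SHA is the v6.0.2 pin quoted in this PR, while the pnpm/action-setup SHA is a placeholder, not the real pin.

```python
"""Check GitHub Actions workflows for SHA-pinned actions and for
actions/checkout steps that set persist-credentials: false.
Added example for this PR page; not the project's own tooling."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: <ref>` optionally followed by a trailing comment such as "# v6.0.2"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
PERSIST_FALSE_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


@dataclass
class Finding:
    line: int   # 1-based line number of the `uses:` entry
    kind: str   # "unpinned" | "no-version-comment" | "persist-credentials"
    ref: str
    message: str


def ref_parts(ref):
    """Split 'owner/repo[/path]@version' into (name, version); None for local
    (./...) and docker:// references, which SHA pinning does not cover."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return ref, ""
    name, _, version = ref.rpartition("@")
    return name, version


def is_pinned(version):
    """A pin is a full 40-hex commit SHA; tags and branches are mutable."""
    return bool(SHA_RE.match(version))


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _step_lines(lines, uses_idx, key_indent):
    """Lines of the step containing lines[uses_idx]: from the '- ' item that
    opens it to the last line indented at least as deep as the step's keys."""
    item_re = re.compile(r"^ {%d}-\s" % max(key_indent - 2, 0))
    start = uses_idx
    while start > 0 and not item_re.match(lines[start]):
        prev = lines[start - 1]
        if prev.strip() == "" or prev.lstrip().startswith("#"):
            start -= 1
        elif item_re.match(prev):
            start -= 1
            break
        elif _indent(prev) >= key_indent:
            start -= 1
        else:
            break
    end = uses_idx + 1
    while end < len(lines):
        cur = lines[end]
        if cur.strip() == "" or cur.lstrip().startswith("#") or _indent(cur) >= key_indent:
            end += 1
        else:
            break
    return lines[start:end]


def scan_workflow(text):
    """Return the findings for one workflow file's text, in file order."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        parts = ref_parts(ref)
        if parts is None:
            continue
        name, version = parts
        if not is_pinned(version):
            findings.append(Finding(i + 1, "unpinned", ref,
                f"{name} uses mutable ref '{version or '(none)'}' instead of a 40-hex commit SHA"))
        elif not m.group(2):
            findings.append(Finding(i + 1, "no-version-comment", ref,
                f"{name} is pinned but has no trailing '# vX.Y.Z' comment, so the release is not reviewable at a glance"))
        if name == "actions/checkout":
            step = _step_lines(lines, i, line.index("uses:"))
            if not any(PERSIST_FALSE_RE.match(s) for s in step):
                findings.append(Finding(i + 1, "persist-credentials", ref,
                    "checkout step does not set persist-credentials: false; the token would stay in .git/config"))
    return findings


# Constructed sample, not a file from the repository. The checkout SHA is the
# v6.0.2 pin from this PR; the pnpm SHA is a placeholder, not the real pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Setup pnpm
        uses: pnpm/action-setup@1111111111111111111111111111111111111111
        with:
          version: 11
      - uses: ./.github/actions/environment
"""


def main(argv):
    """Scan the given files (default: .github/workflows/*.yml); with no files
    present, scan the embedded sample. Exit 1 when anything is found."""
    paths = argv[1:] or sorted(Path(".github/workflows").glob("*.yml"))
    results = ({str(p): scan_workflow(Path(p).read_text(encoding="utf-8")) for p in paths}
               if paths else {"<sample>": scan_workflow(SAMPLE_WORKFLOW)})
    for path, findings in results.items():
        for f in findings:
            print(f"{path}:{f.line}: [{f.kind}] {f.ref}: {f.message}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments outside a repository to see the three findings in the sample (an unpinned checkout that also keeps credentials, and a pinned pnpm step without a version comment); the first checkout step and the local composite action produce none. The version-comment check matters for Dependabot: the grouped github-actions updates this PR configures rewrite the SHA and the comment together, so a missing comment is the first sign a pin was edited by hand.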


@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 5 files


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pnpm-workspace.yaml`:
- Line 6: Replace the current minimumReleaseAge value (20160) with the required
default of 1 day (1440 minutes) in pnpm-workspace.yaml and add a commented
override showing a 7-day value (10080 minutes); specifically update the
minimumReleaseAge key to 1440 and add a commented line like "# alternative:
minimumReleaseAge: 10080" so the file reflects the PR requirements instead of
the 14-day setting.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5066c75-1bb7-4d27-b5a8-dc087f1bc043

📥 Commits

Reviewing files that changed from the base of the PR and between bf79ef7 and 0e94783.

📒 Files selected for processing (1)
  • pnpm-workspace.yaml


@ysknsid25 ysknsid25 left a comment

Contributor Author


@fabian-hiller
I have an implementation question 🙏

fixed minimumReleaseAge 14 to 7

Signed-off-by: ysknsid25 <kengo071225@gmail.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 1 file (changes from recent commits).

@ysknsid25 ysknsid25 requested a review from fabian-hiller June 7, 2026 12:17