Skip to content

ci: harden supply chain across all workflows#23527

Open
decofe wants to merge 9 commits intomainfrom
georgen/ci-supply-chain-hardening
Open

ci: harden supply chain across all workflows#23527
decofe wants to merge 9 commits intomainfrom
georgen/ci-supply-chain-hardening

Conversation

@decofe
Copy link
Copy Markdown
Member

@decofe decofe commented Apr 15, 2026
edited
Loading

Pin GH Actions to SHA, fix template injections, add least-privilege permissions, and upgrade vulnerable deps.

  • Pin all actions to SHA across 26 workflows (via pinact)
  • Fix template injections in bench-scheduled, bench, check-alloy, docker-tag-latest, docker-test, docker, release-reproducible, release, pr-audit
  • Add permissions: contents: read to 15 workflows missing it
  • Add persist-credentials: false to all checkout steps
  • Replace curl|sh uv install with pinned astral-sh/setup-uv action
  • Add 7-day cooldown to Dependabot config
  • Pin Dockerfile runtime base to ubuntu:24.04
  • Upgrade docs/vocs: hono 4.8.5→4.12.14, @hono/node-server→1.19.14, glob→11.1.0

Prompted by: georgen

@decofe @grandizzy
ci: harden supply chain across all workflows
473e52c 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@github-project-automation github-project-automation bot moved this to Backlog in Reth Tracker Apr 15, 2026
decofe and others added 6 commits April 15, 2026 10:32
@decofe @grandizzy
fix: correct reviewdog/action-actionlint SHA pin
39b0968 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@decofe @grandizzy
fix: correct astral-sh/setup-uv SHA pin
f5adb5b 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@decofe @grandizzy
fix: use rhysd/actionlint directly, pin to v1.7.12
e3a30ca 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@decofe @grandizzy
fix: restore original actionlint install from main
b0939cf 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@decofe @grandizzy
fix: remaining template injections in bench-scheduled, docker, release
b6265ec 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@decofe @grandizzy
fix: revert docker-compose images to latest
2619f9b 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@decofe decofe marked this pull request as ready for review April 15, 2026 11:16
decofe and others added 2 commits April 15, 2026 11:18
@decofe @grandizzy
merge: resolve conflicts with main (bench slack on-win)
fee60cd 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
@decofe @grandizzy
fix: pin vocs to ~1.0.x to avoid breaking blog feature
ac04660 
Co-Authored-By: grandizzy <38490174+grandizzy@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gakonst gakonst Awaiting requested review from gakonst gakonst is a code owner

@DaniPopes DaniPopes Awaiting requested review from DaniPopes DaniPopes is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Reth Tracker
Status: Backlog

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@decofe