From 370f6f30fc380d709c8c8368586f53494fb89aac Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Tue, 26 May 2026 17:44:17 +0200
Subject: [PATCH 1/4] [INTERNAL] Pin actions to commit hash

---
.github/workflows/github-ci.yml | 2 +-
.github/workflows/reuse-compliance.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index 5941c56c..bbd583cd 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
@@ -37,7 +37,7 @@ jobs:
run: npm test
- name: Send report to Coveralls
- uses: coverallsapp/github-action@v2.3.7
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
- name: Build e2e test image
run: ./test/e2e/build-image.sh
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index 97a687be..3e09028a 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -18,4 +18,4 @@ jobs:
steps:
- uses: actions/checkout@v6
- name: Execute REUSE Compliance Check
- uses: fsfe/reuse-action@v6
+ uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0

From f5303cbd7cab76b9af95ca6000f7932c7ce8d286 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Tue, 26 May 2026 17:44:31 +0200
Subject: [PATCH 2/4] [INTERNAL] Enable two-day cooldown for dependabot

---
.github/dependabot.yml | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ebf6ca75..9cc82895 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
directory: "/"
schedule:
interval: "weekly"
+ cooldown:
+ default-days: 2
- package-ecosystem: npm
directory: "/"
schedule:
@@ -17,3 +19,5 @@ updates:
commit-message:
prefix: "[DEPENDENCY] "
prefix-development: "[INTERNAL] "
+ cooldown:
+ default-days: 2

From 38867f664790de0132246515563089b94b9b83c8 Mon Sep 17 00:00:00 2001
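Review bot: The added pin `coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b` carries the comment `# v2.3.6` while the line it replaces referenced `v2.3.7`, so either the comment is wrong or this is a downgrade the commit message does not mention. Dependabot and other pin-maintenance tools read that trailing comment to decide which release the SHA represents, and a mismatched comment produces wrong update proposals. Please verify which tag the SHA resolves to and make the comment agree, e.g. `# v2.3.7` if the hash is that release's. The enclosing job definition starts and ends outside the hunk, so the other `uses:` lines of this workflow could not be checked here.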
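Review bot: `actions/checkout@v6` on the context line directly above the changed one is still a mutable tag, so reuse-compliance.yml is only half-pinned after a commit titled "Pin actions to commit hash". A tag can be moved to point at different code, which is exactly what the SHA pin on `fsfe/reuse-action` guards against. Suggest pinning it in the same form, `- uses: actions/checkout@<commit-sha> # v6.x.y`, with the SHA and version taken from the release the workflow currently resolves to. The job header sits outside the hunk.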
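Review bot: The collapsed rendering hides the indentation of the added `cooldown:` block, and placement is what decides whether Dependabot reads it: in this hunk it must be a sibling of `schedule:` under the same `updates` entry, not nested inside `schedule:`, and in the second hunk of this file a sibling of `commit-message:`; please double-check the indentation in the file. A short comment stating the intent would also help future readers who see an apparently delayed update, e.g. `# wait two days after a release before proposing it, so withdrawn or compromised versions are less likely to be picked up`. The `package-ecosystem` of the first entry is outside the hunk, so which ecosystem the first cooldown applies to could not be confirmed here.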
From: Merlin Beutlberger
Date: Tue, 26 May 2026 17:44:40 +0200
Subject: [PATCH 3/4] [INTERNAL] Disallow npm dependencies from git

See: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/#:~:text=New%20%2D%2Dallow%2Dgit%20flag,explicit%20control%20over%20this%20behavior.
---
.npmrc | 1 +
1 file changed, 1 insertion(+)

diff --git a/.npmrc b/.npmrc
index 3eeeab4e..f5bb40b0 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@ registry=https://registry.npmjs.org/
lockfile-version=3
ignore-scripts=true
+allow-git=none

From 1462206b69cda31103268df04fad7734a75d9b05 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Tue, 26 May 2026 17:44:52 +0200
Subject: [PATCH 4/4] [INTERNAL] Harden workflows

Replace spoofable github.actor check in dependabot-auto-merge with github.event.pull_request.user.login.

Note: spoofing the dependabot actor alone is not sufficient to trigger the auto-merge step. The dependabot/fetch-metadata action only emits outputs for genuine dependabot PRs, so the merge step's check on steps.metadata.outputs.update-type would no-op on a spoofed run. The change closes the gap defensively.
---
.github/workflows/dependabot-auto-merge.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index d962d99c..8b32f879 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ permissions:
jobs:
dependabot:
runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
steps:
- name: Dependabot metadata
id: metadata
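Review bot: `allow-git=none` only takes effect when the npm that runs `npm install`/`npm ci` understands the key; an npm release that predates the flag treats an unknown `.npmrc` key as a no-op (at most a warning), so the protection silently disappears on developer machines or CI runners with an older npm. Consider stating the requirement next to the setting, e.g. `; requires an npm release that supports allow-git (see commit message link)`, and check that the npm version used in CI and declared for the project meets it. It is also worth confirming that the lockfile contains no existing `git+` resolutions, otherwise installs may start failing rather than being unaffected.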
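Review bot: The reasoning in the commit message for preferring `github.event.pull_request.user.login` over `github.actor` is not visible in the workflow itself, where the next maintainer will read the `if:`; a comment above it would keep the distinction from being quietly reverted, e.g. `# Check the PR author, not github.actor: the actor is whoever triggered the run and can differ from the author.` The workflow's `on:` trigger and the `permissions:` block sit outside the hunk, so whether this job runs under `pull_request_target` and with which token scopes could not be checked here; the hardening only holds if the merge step's token is limited to what it needs. The job definition continues past the end of the hunk.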