CI: Improve GitHub Actions security#24
Conversation
… to prevent github action supply-chain attacks.
tig
left a comment
✅ Approve — verified supply-chain hardening
Thanks @the-mentor — this is a clean, well-scoped security improvement. I verified it against the upstream actions rather than just reading the diff:
SHA authenticity (the critical check): all 5 full-SHA pins resolve to exactly the version in their # vX.Y.Z comment (checked via the GitHub API):
actions/checkout            9c091bb…  = v7.0.0
actions/setup-dotnet        26b0ec1…  = v5.4.0
actions/upload-artifact     043fb46…  = v7.0.1
softprops/action-gh-release 718ea10…  = v3.0.1
actions/github-script       3a2844b…  = v9.0.0
All are the current latest releases, and every uses: in ci-test.yml and release.yml is now pinned — nothing left unpinned.
Compatibility: I read action.yml at each pinned SHA — every input this repo relies on (fetch-depth, global-json-file/cache/cache-dependency-path, name/path, tag_name/prerelease/generate_release_notes/files, script) still exists. All five now run on node24, which also clears the prior "Node 20 is deprecated" warnings. upload-artifact immutability is a non-issue here (unique per-OS names; single upload in release).
Dependabot: valid config; the new github-actions block matches the existing structure and will keep these SHA pins current.
Nit (non-blocking): the new dependabot.yml block quotes its scalars ("github-actions", "/", "weekly") while the existing entries don't — could unquote for consistency.
Approving and merging.
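The static half of the check described in the review above (every `uses:` reference is a full 40-hex commit SHA and carries a `# vX.Y.Z` comment so the pin stays human-auditable and Dependabot can track it) can be automated as a small lint. The script below is an added example and is not part of this PR or the repository; the sample workflow text and the 40-hex SHA in it are constructed placeholders, not the real pins from `ci-test.yml` or `release.yml`. Resolving each SHA to its tagged release via the GitHub API, the part of the review that needs network access, is deliberately left out.

```python
"""Lint GitHub Actions workflow files for full-SHA pinning of `uses:` refs.

Added example, not code from the PR. Flags:
  - mutable-ref            : ref is a tag or branch, not a 40-hex commit SHA
  - no-ref                 : no @ref at all
  - sha-no-version-comment : SHA-pinned but missing a trailing `# vX.Y.Z`
Local (./path) and docker:// steps are reported but not treated as violations
(docker images should be pinned by digest, which is a separate check).
"""
import re
import sys
from pathlib import Path

# Matches "- uses: owner/repo@ref  # comment", with optional quoting of the value.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Accepts "v7.0.0", "7.0", "v5", optionally followed by more text.
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){0,2}(\s|$)")

# Constructed sample workflow (placeholder SHA, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci-test
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v7.0.0
      - uses: actions/setup-dotnet@v5
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

VIOLATIONS = ("mutable-ref", "no-ref", "sha-no-version-comment")


def classify(value, comment):
    """Classify one `uses:` value plus its trailing comment (or None)."""
    if value.startswith("./"):
        return "local"
    if value.startswith("docker://"):
        return "docker"
    if "@" not in value:
        return "no-ref"
    _, ref = value.rsplit("@", 1)
    if not SHA_RE.match(ref):
        return "mutable-ref"
    if comment is None or not VERSION_COMMENT_RE.match(comment.strip()):
        return "sha-no-version-comment"
    return "pinned"


def audit(text):
    """Return [(line_number, uses_value, status)] for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        value, comment = m.group(1), m.group(2)
        findings.append((lineno, value, classify(value, comment)))
    return findings


def violations(text):
    """Only the findings a reviewer would block on."""
    return [f for f in audit(text) if f[2] in VIOLATIONS]


def main(paths):
    # With no arguments, lint the embedded sample; otherwise lint the given files.
    sources = {p: Path(p).read_text() for p in paths} or {"<sample>": SAMPLE_WORKFLOW}
    bad = 0
    for name, text in sources.items():
        for lineno, value, status in audit(text):
            print(f"{name}:{lineno}: {status:24} {value}")
            bad += status in VIOLATIONS
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python lint_uses.py .github/workflows/*.yml`; a non-zero exit makes it usable as a CI gate so a future PR cannot reintroduce an unpinned `uses:`.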
Release: GitHub Actions security hardening (#24)
This PR improves the GitHub actions security posture by implementing the following