CI: Improve GitHub Actions security #24

Merged
tig merged 2 commits into tui-cs:develop from the-mentor:ci-improve-github-action-security on Jun 28, 2026

Conversation

the-mentor (Collaborator) commented Jun 28, 2026

This PR improves the GitHub Actions security posture by implementing the following:

  • GitHub Actions SHA pinning - will remediate attacks via releasing malicious versions of the actions.
  • Updated GitHub Actions to their latest version at the time of the PR.
  • Adding Dependabot config for GitHub Actions to automatically create PRs for actions updates.

tig (Member) left a comment

✅ Approve — verified supply-chain hardening

Thanks @the-mentor — this is a clean, well-scoped security improvement. I verified it against the upstream actions rather than just reading the diff:

SHA authenticity (the critical check): all 5 full-SHA pins resolve to exactly the version in their # vX.Y.Z comment (checked via the GitHub API):

  • actions/checkout 9c091bb… = v7.0.0
  • actions/setup-dotnet 26b0ec1… = v5.4.0
  • actions/upload-artifact 043fb46… = v7.0.1
  • softprops/action-gh-release 718ea10… = v3.0.1
  • actions/github-script 3a2844b… = v9.0.0

All are the current latest releases, and every uses: in ci-test.yml and release.yml is now pinned — nothing left unpinned.

Compatibility: I read action.yml at each pinned SHA — every input this repo relies on (fetch-depth, global-json-file/cache/cache-dependency-path, name/path, tag_name/prerelease/generate_release_notes/files, script) still exists. All five now run on node24, which also clears the prior "Node 20 is deprecated" warnings. upload-artifact immutability is a non-issue here (unique per-OS names; single upload in release).

Dependabot: valid config; the new github-actions block matches the existing structure and will keep these SHA pins current.

Nit (non-blocking): the new dependabot.yml block quotes its scalars ("github-actions", "/", "weekly") while the existing entries don't — could unquote for consistency.

Approving and merging.
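The review above confirms by hand that every uses: reference in ci-test.yml and release.yml is a full 40-hex SHA with a matching version comment. The following is an added example (not code from this PR or the tui-cs repository) of how a defender can lint workflow files for that property offline; it runs over a constructed workflow fragment and only checks the pin format, not that the SHA really corresponds to the commented version (that still needs the GitHub API check tig describes).

```python
import re

# Constructed sample workflow fragment (not the repo's real ci-test.yml);
# the 40-hex values below are placeholders, not real upstream commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v7.0.0
      - uses: actions/setup-dotnet@v5
      - uses: softprops/action-gh-release@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: actions/github-script@89abcdef0123456789abcdef0123456789abcdef
"""

# Matches step-level (`- uses:`) and job-level reusable-workflow (`uses:`) lines,
# capturing the reference and any trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*$")

def check_uses(line):
    """Classify one `uses:` line. Returns (ref, status), or None if the line
    is not a `uses:` line at all."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref, comment = m.group(1), m.group(3)
    if ref.startswith("./"):
        return (ref, "local")            # in-repo action: pinned by the checkout itself
    if ref.startswith("docker://"):
        return (ref, "docker")           # image refs need a digest check, out of scope here
    if "@" not in ref:
        return (ref, "unpinned")
    _, version = ref.rsplit("@", 1)
    if not FULL_SHA_RE.fullmatch(version):
        return (ref, "mutable-ref")      # tag or branch: can be moved to malicious code
    if not comment or not VERSION_COMMENT_RE.fullmatch(comment.strip()):
        return (ref, "sha-no-version-comment")  # Dependabot and reviewers rely on this
    return (ref, "pinned")

def audit_workflow(text):
    """Return (line_number, ref, status) for every `uses:` line in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = check_uses(line)
        if result:
            findings.append((lineno, *result))
    return findings
```

Anything other than "pinned" (or "local") is what a reviewer would want flagged before merge.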

@tig tig merged commit 120af70 into tui-cs:develop Jun 28, 2026
tig added a commit that referenced this pull request Jun 28, 2026
Release: GitHub Actions security hardening (#24)