From c5d2e03215d897944cd5b2d949ab3fa95455446e Mon Sep 17 00:00:00 2001
From: Rico Gu
Date: Tue, 26 May 2026 10:31:20 +0200
Subject: [PATCH 1/4] security: pin third-party action SHAs and add Dependabot cooldown
- Pin EndBug/add-and-commit, myrotvorets/set-commit-status-action, mikepenz/release-changelog-builder-action, and softprops/action-gh-release to full commit SHAs to eliminate mutable-tag supply chain risk (Zizmor artipacked)
- Add cooldown to .github/dependabot.yml (default-days: 7, semver-major-days: 14) to resolve Zizmor dependabot-cooldown Medium finding
- Add zizmor: ignore[pull-request-target] suppression on codeql.yml; the trigger is intentional and already documented with a full security model in the file
---
 .github/dependabot.yml | 3 +++
 .github/workflows/build-and-test.yml | 4 ++--
 .github/workflows/codeql.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4f6ff3f..c810caf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,6 @@ updates:
 directory: ".github/actions/core" # Location of package manifests
 schedule:
 interval: "weekly"
+ cooldown:
+ default-days: 7
+ semver-major-days: 14
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 4424ac7..80e19a9 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -51,7 +51,7 @@ jobs:
 - name: Commit build artifacts (same-repo PRs only)
 if: github.event.pull_request.head.repo.full_name == github.repository
 id: commit_dist
- uses: EndBug/add-and-commit@v10
+ uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
 with:
 add: "."
 message: "chore: build core action dist (auto)"
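Review bot: The cooldown lands in the update entry whose `directory` is `.github/actions/core`, which reads as a package-manifest ecosystem rather than `github-actions`, so the SHA pins this commit introduces in the workflows are only refreshed if a `package-ecosystem: github-actions` entry exists above the hunk — worth confirming, because a SHA pin with no updater quietly stops receiving upstream fixes. If it is missing, add that entry with the same `cooldown` block so Dependabot bumps the SHA and its trailing `# vX.Y.Z` comment together. Also check how the cooldown interacts with Dependabot security updates before relying on it; if advisory-driven bumps are not exempt, the seven-day hold applies to them as well. The `updates:` entry this hunk extends begins above it.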
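Review bot: Nothing in the hunk shows that `290ea2c4…` is the commit `v10.0.0` resolves to, and the pin is only as strong as that check — a SHA lifted from an annotated tag object or a release page can point somewhere other than the tag's commit — so verify it with `git ls-remote --tags https://github.com/EndBug/add-and-commit | grep v10.0.0` (using the peeled `^{}` line if the tag is annotated) before merging. A one-line comment on the step, e.g. `# pinned to a commit SHA so upstream cannot move the tag under us; keep the tag comment accurate, Dependabot updates both`, would stop the next maintainer from "simplifying" it back to `@v10`. As an aside, the commit message attributes the pinning to zizmor's `artipacked` audit, which checks for persisted checkout credentials; the unpinned-action finding is `unpinned-uses`. The step belongs to a job whose start is above the hunk.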
@@ -216,7 +216,7 @@ jobs:
 fi
 - name: Set Commit Status
- uses: myrotvorets/set-commit-status-action@master
+ uses: myrotvorets/set-commit-status-action@2c3557527522d8d38f410941902b64a4be75a0ec # master
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 status: ${{ steps.status.outputs.status }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 10f20d3..dcf0a0a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ name: "CodeQL Advanced"
-on:
+on: # zizmor: ignore[pull-request-target]
 push:
 branches: [main]
 pull_request:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 69b574b..46fdafb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
 - name: Generate Changelog
 id: changelog
- uses: mikepenz/release-changelog-builder-action@v6
+ uses: mikepenz/release-changelog-builder-action@348e88fab4c37338b1e803ceb2d4a7a5db6c0833 # v6
 with:
 configuration: "configuration.json"
 mode: "COMMIT"
@@ -171,7 +171,7 @@ jobs:
 git push -f origin "v$MAJOR_VERSION"
 - name: Create Release
- uses: softprops/action-gh-release@v3
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
 with:
 tag_name: "v${{ inputs.version }}"
 name: "v${{ inputs.version }}"
From 1f5c4e0bef4493a43c48508bc196737dc595c3fb Mon Sep 17 00:00:00 2001
From: Rico Gu
Date: Tue, 26 May 2026 13:24:21 +0200
Subject: [PATCH 2/4] ci: retrigger workflows
From 551d0c45372187a06163b80ce982181c77cb590c Mon Sep 17 00:00:00 2001
From: Rico Gu
Date: Tue, 26 May 2026 13:45:43 +0200
Subject: [PATCH 3/4] style: normalize YAML branch filter syntax
---
 .github/workflows/build-and-test.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 80e19a9..b562afd 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
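Review bot: The `# master` comment on the new `uses:` line records a branch, not a release, so the pinned commit `2c355752…` can neither be matched to an upstream version nor tracked by Dependabot, and the step will now silently miss the upstream fixes that `@master` used to pull in. Pin the commit of a released tag and name it in the comment (`# vN.N.N`), or, if upstream publishes no tags, say so explicitly: `# commit of master as of <date>; no upstream release tags — bump manually after reviewing the upstream diff`. The `run:` block closed by `fi` and the job it belongs to start above the hunk.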
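Review bot: `# zizmor: ignore[pull-request-target]` names an audit id I cannot find in zizmor — the audit that flags `pull_request_target` is, to my knowledge, `dangerous-triggers` — so this line probably suppresses nothing and the finding will keep firing; check the id against the installed zizmor version. Zizmor also matches ignore comments to the line of the reported location, which for this audit I believe is the trigger key itself rather than `on:`, so the comment may need to sit on the `pull_request_target:` line below the hunk instead. Since the suppression is the only record of the decision at the point zizmor reports it, extend it with the invariant the security model relies on, e.g. `# zizmor: ignore[dangerous-triggers] -- see security model above: job is read-only and never executes PR-head code with the default token`, adjusted to whatever the file actually guarantees. The `on:` block continues below the hunk, so the trigger itself is not visible here.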
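Review bot: `# v6` is a floating major tag, so the comment beside `348e88fa…` does not say which release the SHA is, leaving no way to audit the pin or judge when it is stale; record the exact tag the SHA resolves to, `# v6.<minor>.<patch>`, as the `# v10.0.0` pin in build-and-test.yml does. The same applies to `# v3` on `softprops/action-gh-release` in the following hunk. The `changelog` step sits in a job that starts above the hunk.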
@@ -2,8 +2,7 @@ name: Build & Test
 on:
 pull_request:
- branches:
- - main
+ branches: [main]
 types:
 - opened
 - synchronize
From 5d48f9b7174cfef73d01b264fc13f32db9668191 Mon Sep 17 00:00:00 2001
From: Rico Gu
Date: Tue, 26 May 2026 15:03:39 +0200
Subject: [PATCH 4/4] ci: verify GitHub Actions recovery