
chore: add dependabot.yml + SHA-pin all GitHub Actions#728

Open
cailmdaley wants to merge 2 commits into develop from chore/dependabot-config

Conversation

@cailmdaley
Contributor

Summary

Two related supply-chain-conservative hygiene changes for the post-uv.lock era:

  1. .github/dependabot.yml — explicit version-updates policy with 14-day cooldown on minor/patch (30 days on majors), monthly grouped lockfile PRs, and github-actions ecosystem opted in. Companion to the security-updates channel that fires automatically since uv.lock landed (chore: switch Dockerfile to slim Python + uv lockfile #719).
  2. SHA-pin every GitHub Action across all four workflows. Human-readable tag preserved as trailing comment so reviewers can still see what version they're looking at.

No behavioral change intended; SHAs resolved against current refs of the same tags that were referenced before.

Why now

Six dependabot security PRs accumulated against uv.lock between 2026-05-05 and now (being triaged separately). That backlog made the absence of a dependabot.yml visible. While digging in, two things sharpened the posture:

  • Maintainer-compromise attacks (Shai-Hulud / Mini Shai-Hulud worm, axios March 2026, PyTorch Lightning, intercom-client) — attackers take over real maintainer accounts and push compromised versions of legitimate packages. In the axios case, Dependabot was PR'ing the malicious version to public repos within 5 minutes of upload. Cooldown is the documented primitive defense — a 7-day cooldown alone would have caught 8 of the 10 biggest 2025 attacks before they reached anyone's PRs. We're using 14 days.
  • Mutable action tags: tj-actions/changed-files (23k+ repos compromised in Q1 2026), Trivy, Nx — all via attackers re-pointing @v4-style tags at malicious SHAs. SHA-pinning closes that vector at the cost of less-readable workflow files; the trailing tag comment + Dependabot's SHA-bump PRs keep it tractable.

Policy summary

| | What | Why |
|---|---|---|
| Cooldown | 14d minor/patch, 30d major | Detection window for upstream compromise |
| Schedule | Monthly grouped | One reviewable PR > six waved-through |
| Majors | Individual PRs | Breaking; each deserves attention |
| Auto-merge | Off | Lockfile diffs are uninspectable; humans gate |
| Security PRs | Still auto (separate channel) | Fix CVEs fast |

Test plan

  • CI passes (build-and-push-image should be unaffected — same actions, just SHA-pinned).
  • After merge, no spurious Dependabot PRs immediately fire (cooldown should hold them back).
  • Next month, observe whether the lockfile-minor-patch group fires as expected with a single grouped PR.
  • Dependabot opens a github-actions PR proposing SHA bumps with new-tag annotations.

— Claude on behalf of Cail
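A dependabot.yml that implements the policy table above, written here as an added example rather than the file from this PR. It assumes the Python dependencies are managed by uv at the repository root (package-ecosystem uv, directory /) and reuses the group name lockfile-minor-patch from the test plan; the cooldown day counts are the ones stated in the description.

```yaml
version: 2
updates:
  # Python lockfile (uv.lock). Assumption: uv-managed project at the repo root.
  - package-ecosystem: "uv"
    directory: "/"
    schedule:
      interval: "monthly"
    # Cooldown: Dependabot will not propose a release until it has been
    # published for this many days. 14d for minor/patch, 30d for majors,
    # giving upstream a window to yank a compromised version first.
    cooldown:
      default-days: 14
      semver-minor-days: 14
      semver-patch-days: 14
      semver-major-days: 30
    # One grouped PR per month for minor + patch bumps. Major bumps match
    # no group, so each one arrives as its own PR for individual review.
    groups:
      lockfile-minor-patch:
        update-types: ["minor", "patch"]
    open-pull-requests-limit: 5

  # Workflow actions: Dependabot bumps the pinned commit SHA and annotates
  # the corresponding tag in the PR body, so pins stay reviewable.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    cooldown:
      default-days: 14
      semver-major-days: 30
    groups:
      actions-minor-patch:
        update-types: ["minor", "patch"]
```

There is no auto-merge key in dependabot.yml; "Auto-merge: Off" simply means no auto-merge workflow or repository setting is enabled, so every version-update PR waits for a human.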

cailmdaley and others added 2 commits May 27, 2026 12:49
Adds an explicit version-updates policy on top of the security-updates
channel that fires automatically since uv.lock landed (#719). Posture is
supply-chain conservative:

  - 14-day cooldown on minor/patch, 30-day on majors (Dependabot won't
    PR a version until it's been live for that long). Buys a detection
    window against maintainer-compromise attacks (Shai-Hulud, axios,
    PyTorch Lightning, …) where malicious versions typically get yanked
    within hours-to-days.
  - Monthly schedule + grouped patch/minor — one batched PR, atomic
    to revert, large enough to actually be reviewed instead of waved
    through.
  - Major bumps stay individual (potentially breaking, deserve
    individual review).
  - No auto-merge.
  - github-actions ecosystem also enabled (companion to SHA-pinning
    the workflows).

Cooldown does NOT apply to security updates — those still fire on
the CVE-publication timeline, which is the right tradeoff.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Mutable action references (@v4, @V3, …) are the same failure mode that
took out tj-actions/changed-files (23k+ repos compromised in Q1 2026)
and trivy-action. An attacker who compromises an action's maintainer
account can silently re-point a tag at a malicious SHA, and every
workflow that references that tag pulls the new code on the next run.

Pinning each action by full commit SHA — with the human-readable tag
preserved as a trailing comment — closes that vector. Dependabot's
github-actions ecosystem (enabled in the companion commit) proposes
SHA bumps with the new tag annotated in the PR body, so updates remain
reviewable.

All four workflows pinned; SHAs resolved against current refs as of
this commit, no behavioral change intended.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>