
Conversation

Contributor

Copilot AI commented Jan 22, 2026

GitHub Actions are now pinned to specific commit SHAs instead of version tags, improving security by preventing supply chain attacks through tag manipulation. Additionally, Dependabot has been configured to run daily with a 7-day cooldown to keep dependencies up-to-date automatically.

GitHub Actions SHA pinning

All workflow files now reference actions by their full commit SHA rather than version tags. This ensures workflows always use a verified, immutable version of each action.

Changed actions:

  • actions/checkout@v5 → actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 (v6.0.1)
  • PSModule/Auto-Release@v1 → PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 (v1.9.5)
  • super-linter/super-linter@latest → super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 (v8.3.2)
  • PSModule/GitHub-Script@v1 → PSModule/GitHub-Script@2010983167dc7a41bcd84cb88e698ec18eccb7ca (v1.7.8)

Dependabot configuration

Dependabot now checks for updates daily with a 7-day cooldown between updates, replacing the previous weekly schedule. This provides faster awareness of security updates while avoiding excessive noise.

schedule:
  interval: daily
cooldown:
  default-days: 7

Linter configuration

Added configuration to disable validation checks that are not applicable to this repository:

  • VALIDATE_BIOME_FORMAT: false
  • VALIDATE_JSCPD: false
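The pinning described above is easy to regress when a new workflow or a new `uses:` step is added later. The following script is an added example (not part of this PR or the PSModule project) that scans workflow text for `uses:` references and reports which ones are not pinned to a full 40-hex commit SHA, and which SHA-pinned ones lack the trailing `# vX.Y.Z` comment that Dependabot and reviewers rely on to know what version the SHA corresponds to. The sample workflow embedded in it is constructed for the example; the SHAs in it are copied from the list in this PR.

```python
import re

# Constructed sample workflow text for this example (not a file from the repository).
SAMPLE_WORKFLOW = """\
name: Auto-Release
on:
  pull_request:
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: super-linter/super-linter@latest
      - uses: PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""

# A `uses:` line: optional list dash, the reference, then an optional trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
# A full-length commit SHA (40 lowercase hex characters).
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_uses(workflow_text):
    """Classify every `uses:` reference in a workflow.

    Statuses:
      pinned                     -> full SHA with a version comment
      pinned-no-version-comment  -> full SHA but no `# vX.Y.Z` hint for reviewers
      unpinned                   -> tag, branch, `latest`, or no ref at all
      skip                       -> local path or docker image (pinned differently)
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith(('./', 'docker://')):
            status = 'skip'
        elif '@' not in ref:
            status = 'unpinned'
        else:
            _, _, version = ref.rpartition('@')
            if SHA_RE.match(version):
                status = 'pinned' if comment else 'pinned-no-version-comment'
            else:
                status = 'unpinned'
        findings.append({'line': lineno, 'ref': ref, 'status': status})
    return findings


def unpinned(workflow_text):
    """Return only the references a reviewer should block on."""
    return [f for f in audit_uses(workflow_text) if f['status'] == 'unpinned']


def report(workflow_text):
    """Human-readable summary, one line per `uses:` reference."""
    return '\n'.join('line %d: %-28s %s' % (f['line'], f['status'], f['ref'])
                     for f in audit_uses(workflow_text))


if __name__ == '__main__':
    print(report(SAMPLE_WORKFLOW))
```

Run it over each file under `.github/workflows/` and fail the job when `unpinned()` is non-empty; treat `pinned-no-version-comment` as a warning, since the SHA is still immutable but nobody can tell at a glance which release it is.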

- Add explicit checkout ref to base branch to prevent untrusted PR code execution
- Add zizmor ignore annotation with justification for pull_request_target usage
- Security mitigation: Only base branch code is checked out, never PR code
- Zizmor linter now passes without errors

Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix dangerous-triggers linter error in Auto-Release workflow" to "Fix dangerous-triggers audit: secure pull_request_target in Auto-Release workflow" Jan 22, 2026
Copilot AI requested a review from MariusStorhaug January 22, 2026 15:53
@MariusStorhaug
Member

@copilot Let's change it and analyze the implications of it being run on the pull_request trigger vs. pull_request_target.

- Remove pull_request_target trigger and use pull_request instead
- Remove explicit base branch checkout (not needed with pull_request)
- Remove zizmor ignore annotation (no longer needed)
- Zizmor linter passes without errors

Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 22, 2026

@copilot Let's change it and analyze the implications of it being run on the pull_request trigger vs. pull_request_target.

Changed to pull_request trigger in commit 968475d.

Key implications:

🔴 Breaking for fork PRs:

  • GITHUB_TOKEN becomes read-only (cannot create releases or comment)
  • No access to repository secrets
  • Auto-Release action will fail on fork PRs

Works for same-repo PRs:

  • Full write permissions maintained
  • All functionality works as expected

⚠️ Permissions mismatch:

  • Workflow declares contents: write and pull-requests: write
  • Fork PRs run with read-only token regardless of declaration
  • Could cause silent failures

Recommendation: This change is suitable if the repository is private or only accepts PRs from collaborators (not forks). For public repos accepting fork contributions, pull_request_target with security mitigations is necessary.
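The trade-off laid out in the comment above (fork PRs get a read-only token and no secrets under `pull_request`, while `pull_request_target` keeps secrets but must never check out PR code) can be turned into a mechanical check. The script below is an added example, not code from this PR or from zizmor, that scans a workflow's `on:` triggers, its top-level `permissions:` block and any `actions/checkout` `ref:` values, and reports the two failure modes the thread discusses. The three sample workflows are constructed for the example; `effective_token()` models the token rules stated in the comment and is an assumption of this example, not an API of GitHub Actions.

```python
import re

# Constructed samples (not files from the repository).
SAMPLE_TARGET_UNSAFE = """\
name: Auto-Release
on:
  pull_request_target:
    types: [closed]
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""
# Same trigger, but checkout explicitly targets the base branch (the mitigation from the first commit).
SAMPLE_TARGET_SAFE = SAMPLE_TARGET_UNSAFE.replace(
    'github.event.pull_request.head.sha', 'github.event.pull_request.base.ref')
# The pull_request variant from commit 968475d: no ref override needed.
SAMPLE_PULL_REQUEST = """\
name: Auto-Release
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
"""

# checkout refs that resolve to the PR author's code rather than the base branch
PR_HEAD_REF_RE = re.compile(r'ref:\s*.*(pull_request\.head\.(sha|ref)|github\.head_ref)')


def _children(lines, start, indent):
    """Direct (key, value) children of the block whose header is lines[start]."""
    child, out = None, []
    for nxt in lines[start + 1:]:
        if not nxt.strip() or nxt.strip().startswith('#'):
            continue
        cur = len(nxt) - len(nxt.lstrip())
        if cur <= indent:
            break
        if child is None:
            child = cur
        if cur == child:
            key, _, val = nxt.strip().lstrip('- ').partition(':')
            out.append((key.strip(), val.strip()))
    return out


def parse_triggers(text):
    """Event names under `on:` (inline scalar, inline list, or block form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r'^(\s*)on:\s*(.*)$', line)
        if not m:
            continue
        rest = m.group(2).split('#')[0].strip()
        if rest:
            return [t.strip(' []"\'') for t in rest.split(',') if t.strip(' []"\'')]
        return [k for k, _ in _children(lines, i, len(m.group(1)))]
    return []


def parse_permissions(text):
    """Top-level `permissions:` block as a dict (job-level blocks are ignored here)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r'^permissions:\s*(.*)$', line)
        if not m:
            continue
        rest = m.group(1).strip()
        return {'*': rest} if rest else dict(_children(lines, i, 0))
    return {}


def checks_out_pr_head(text):
    return bool(PR_HEAD_REF_RE.search(text))


def effective_token(trigger, from_fork, declared):
    """Assumed model of the comment's rules: pull_request from a fork gets a
    read-only token and no secrets; everything else runs with what is declared."""
    if trigger == 'pull_request' and from_fork:
        perms = {k: v.replace('write', 'read') for k, v in declared.items()}
        return {'permissions': perms, 'secrets': False}
    return {'permissions': dict(declared), 'secrets': True}


def assess(text, from_fork):
    triggers, perms, findings = parse_triggers(text), parse_permissions(text), []
    if 'pull_request_target' in triggers and checks_out_pr_head(text):
        findings.append('CRITICAL: pull_request_target checks out PR head; '
                        'untrusted code would run with base-repo secrets')
    if 'pull_request' in triggers and from_fork:
        downgraded = [k for k, v in perms.items() if 'write' in v]
        if downgraded:
            findings.append('WARN: declared write permissions %s are read-only for '
                            'fork PRs; release/comment steps will fail' % downgraded)
    return findings


if __name__ == '__main__':
    for name, wf in [('unsafe target', SAMPLE_TARGET_UNSAFE),
                     ('safe target', SAMPLE_TARGET_SAFE),
                     ('pull_request', SAMPLE_PULL_REQUEST)]:
        print(name, assess(wf, from_fork=True))
```

The `from_fork` flag is what decides which finding matters: a private repository that only receives same-repo PRs will never see the WARN, which is exactly the condition under which the comment calls the `pull_request` switch suitable.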

Copilot AI changed the title from "Fix dangerous-triggers audit: secure pull_request_target in Auto-Release workflow" to "Fix dangerous-triggers audit: switch to pull_request trigger in Auto-Release workflow" Jan 22, 2026
@MariusStorhaug MariusStorhaug marked this pull request as ready for review January 22, 2026 16:28
@MariusStorhaug MariusStorhaug changed the title from "Fix dangerous-triggers audit: switch to pull_request trigger in Auto-Release workflow" to "🩹 [Patch]: Pin GitHub Actions to specific versions for improved security" Jan 22, 2026
@MariusStorhaug MariusStorhaug marked this pull request as draft January 22, 2026 16:30
@MariusStorhaug MariusStorhaug marked this pull request as ready for review January 22, 2026 16:37
@MariusStorhaug MariusStorhaug merged commit 1e63abf into main Jan 22, 2026
21 checks passed
@MariusStorhaug MariusStorhaug deleted the copilot/fix-dangerous-triggers-error branch January 22, 2026 16:38

Development

Successfully merging this pull request may close these issues.

🩹[Patch]: Fix dangerous-triggers linter error in Auto-Release workflow
