ci: enable Dependabot for github-actions (and pin lint.yml checkout)#11
Merged
Conversation
- Add .github/dependabot.yml with weekly checks for the github-actions ecosystem so SHA-pinned Actions get update PRs as new releases ship.
- Pin actions/checkout in lint.yml to the same SHA used in collect.yml (de0fac2e... # v6.0.2). PR #10 missed this file; Dependabot does not migrate tag refs to SHA refs on its own, so leaving lint.yml on @v6 would have left a gap in the supply-chain hardening intent of #4.

Closes #6

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
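The file the first bullet describes, written out as an added example (this is not copied from the repository; the ecosystem and weekly interval are what the commit message states, the rest is Dependabot's standard version-2 schema):

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" tells Dependabot to scan .github/workflows/*.yml for `uses:` refs
    directory: "/"
    schedule:
      interval: "weekly"
```

With this in place Dependabot rewrites an existing `uses: owner/repo@<sha> # vX.Y.Z` line by replacing both the SHA and the trailing version comment. A line still on a tag ref such as `@v6` is never converted to a SHA by Dependabot, which is why the second bullet pins `lint.yml` by hand.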
shigechika added a commit that referenced this pull request on Apr 26, 2026:
* docs(security): add SECURITY.md and SRI hashes for CDN scripts

Following the formal security review pass requested in #8. Findings:
- Token handling, public-only invariant, workflow permissions, shell injection, repoSlug() coercion, and dashboard XSS surface all check out (most were already addressed by PRs #2, #11, #12).
- One finding remained: docs/index.html loaded chart.js and chartjs-adapter-date-fns from cdn.jsdelivr.net without integrity attributes, so a CDN/NPM compromise could swap the file at the same URL. Added SHA-384 SRI hashes plus crossorigin="anonymous" to both <script> tags.

SECURITY.md captures the trust model (who can read/write what), private-vulnerability-reporting URL, the public-only invariant and where it's enforced, workflow trust boundaries, the frontend supply chain story, the Protect main ruleset, and a checklist for fork users covering PAT scope / Pages visibility / private-repo safety / secret naming / branch protection portability / rename detection.

Closes #8

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(security): correct SRI hashes for CDN scripts

The integrity values in the previous commit were computed from a transient bad curl response; both differed from the bytes jsdelivr actually serves. Verified by hashing each file three times in a row (stable) and grep-checking docs/index.html. Without this fix the browser would have rejected both <script> tags on SRI mismatch, leaving the dashboard blank.

Correct hashes:
- chart.js@4.4.1 sha384-9nhczxUqK87bcKHh20fSQcTGD4qq5GhayNYSYWqwBkINBhOfQLg/P5HG5lF1urn4
- chartjs-adapter-date-fns@3.0.0 sha384-cVMg8E3QFwTvGCDuK+ET4PD341jF3W8nO1auiXfuZNQkzbUUiBGLsIQUE+b1mxws

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
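The hashing procedure the two commits above describe, as an added example that is not the repository's own code: POSIX shell helpers that compute a `sha384-` integrity value with `openssl`, verify a file against one, refuse a digest that changes between repeated fetches (the "hash it three times" check), and emit the `<script>` tag with `crossorigin="anonymous"`. The sample script file, the `sri_*` function names and the `https://cdn.example/` URL are constructed for this example.

```shell
#!/bin/sh
# Added example, not the repository's code: generate and verify Subresource
# Integrity values for a CDN script before editing an HTML page.  The digest
# must be taken over exactly the bytes the CDN serves; hashing a transient
# bad response produces a value the browser will reject at load time.

# Print the SRI value (sha384-<base64 digest>) for the file at $1.
sri_sha384() {
  printf 'sha384-%s\n' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# Verify that FILE ($1) matches the expected integrity value ($2).
# Returns 0 on match, 1 on mismatch (a browser refuses to run the script).
sri_check() {
  [ "$(sri_sha384 "$1")" = "$2" ]
}

# Fetch URL ($1) N times ($2, default 3) and print the digest only if every
# fetch agrees.  Needs network, so the offline sample below does not call it.
sri_stable_fetch() {
  url=$1; n=${2:-3}; prev=""; i=0
  while [ "$i" -lt "$n" ]; do
    tmp=$(mktemp)
    curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    cur=$(sri_sha384 "$tmp"); rm -f "$tmp"
    if [ -n "$prev" ] && [ "$cur" != "$prev" ]; then
      echo "digest changed between fetches of $url" >&2; return 1
    fi
    prev=$cur; i=$((i + 1))
  done
  printf '%s\n' "$prev"
}

# Emit the <script> tag for URL ($1) with integrity value ($2).
# crossorigin="anonymous" is required on a cross-origin script: without CORS
# the response is opaque and the browser cannot verify the integrity value.
sri_script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' "$1" "$2"
}

# Constructed sample "CDN file" (not chart.js) so the helpers run offline;
# prints the path of the temp file it wrote.
write_sample_script() {
  out=${TMPDIR:-/tmp}/sri-sample.$$.js
  printf 'console.log("constructed sample, not a real CDN asset");\n' > "$out"
  printf '%s\n' "$out"
}

# Stand-alone use: sh sri.sh https://cdn.example/lib.js
# Prints the <script> tag for the URL once three fetches agree on the digest.
if [ "$#" -gt 0 ]; then
  digest=$(sri_stable_fetch "$1") && sri_script_tag "$1" "$digest"
fi
```

The 48-byte SHA-384 digest base64-encodes to exactly 64 characters with no padding, so any `integrity` value that is not `sha384-` followed by 64 base64 characters was not produced correctly.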
Summary
- Add `.github/dependabot.yml` enabling weekly checks on the `github-actions` ecosystem. Once SHA-pinned Actions exist (#4 "Pin GitHub Actions to commit SHA for supply-chain hardening" / PR #10 "ci: pin actions/checkout to commit SHA (v6.0.2)"), Dependabot will open update PRs that bump both the SHA and the trailing version comment when new releases ship.
- Pin `actions/checkout` in `.github/workflows/lint.yml` to the same SHA used in `collect.yml` (`de0fac2e...` # v6.0.2). PR #10 "ci: pin actions/checkout to commit SHA (v6.0.2)" missed this file; Dependabot does not migrate `@<tag>` refs to `@<sha>` refs on its own, so leaving `lint.yml` on `@v6` would have left a gap in the supply-chain hardening intent of #4 "Pin GitHub Actions to commit SHA for supply-chain hardening".

Closes #6.
Test plan
- `Lint` workflow still runs (`shellcheck scripts/*.sh`) on push/PR touching `scripts/**`

References
🤖 Generated with Claude Code
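The gap the summary describes (Dependabot maintains existing SHA pins but never converts tag refs to SHAs), as an added example that is not the repository's own code: a POSIX shell check that flags every `uses:` ref in a workflow file that is not pinned to a full 40-hex commit SHA, suitable for running alongside `shellcheck` in CI. The sample workflow, the 40 repeated `a`/`b` characters standing in for real commit SHAs, and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the repository's code): flag `uses:` refs in GitHub
# Actions workflow files that are not pinned to a full 40-hex commit SHA.
# Dependabot bumps existing SHA pins, but never converts `@v6`-style tag
# refs to SHAs, so a sweep like this catches the lint.yml-style gap.

# Print (with line numbers) every `uses:` line in FILE ($1) whose ref is not
# a 40-hex SHA.  Local actions (`./path`) and `docker://` refs have no SHA
# form and are skipped.  Always exits 0; the printed lines are the finding.
unpinned_uses() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | grep -vE 'uses:[[:space:]]*"?(docker://|\./)' \
    | grep -vE '@[0-9a-f]{40}"?[[:space:]]*(#.*)?$' \
    || true
}

# Number of unpinned refs in FILE (0 means fully SHA-pinned).
unpinned_count() {
  unpinned_uses "$1" | wc -l | tr -d ' '
}

# CI gate: succeed only when FILE has no unpinned refs.
assert_pinned() {
  [ "$(unpinned_count "$1")" -eq 0 ]
}

# Constructed sample workflow (not the repository's lint.yml), written to a
# temp file whose path is printed.  The 40 a's stand in for a real commit
# SHA; the trailing "# v4.0.3" is the version comment Dependabot maintains.
write_sample_workflow() {
  out=${TMPDIR:-/tmp}/sample-workflow.$$.yml
  cat > "$out" <<'EOF'
name: Lint
on: [push, pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - run: shellcheck scripts/*.sh
EOF
  printf '%s\n' "$out"
}

# Stand-alone use: sh check-pins.sh .github/workflows/*.yml
# Prints offenders and exits 1 if any workflow is not fully pinned.
rc=0
for wf in "$@"; do
  assert_pinned "$wf" || { unpinned_uses "$wf"; rc=1; }
done
[ "$rc" -eq 0 ] || exit "$rc"
```

On the sample the only finding is the `actions/checkout@v6` line; once that ref is replaced by a SHA plus version comment the gate passes, which is the state `lint.yml` is brought to in this PR.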