ci: SHA-pin actions, add Dependabot + gitleaks secret scan#4
Merged
Conversation
…t scan

Brings this repo in line with the OpenSSF supply-chain posture already used by OpenDPP/opendpp-node and OpenDPP/opendpp-interop. CI runs on free public-repo minutes.

- SHA-pin every action (actions/checkout v4->v7.0.0, actions/setup-node v4->v6.4.0, actions/github-script v7->v9.0.0) instead of mutable tags.
- Add .github/dependabot.yml (github-actions ecosystem only — validate.mjs is zero-dependency, so no npm ecosystem) so the new SHA pins don't silently rot.
- Add a gitleaks secret-scan job, mirroring opendpp-interop's pinned manual download (gitleaks-action needs a GITLEAKS_LICENSE for org repos, so it can't be used here).
- timeout-minutes on both jobs.
Supply-chain hygiene to match the OpenSSF posture already used by OpenDPP/opendpp-node and OpenDPP/opendpp-interop. This was the one repo of the three with no Dependabot, tag-pinned (mutable) actions, and no secret scan. Public repo → free Actions minutes.

Changes

- `actions/checkout` v4 → v7.0.0, `actions/setup-node` v4 → v6.4.0, `actions/github-script` v7 → v9.0.0 (mutable tags → immutable commit SHAs, with a `# vX.Y.Z` comment Dependabot keeps in sync).
- `.github/dependabot.yml` — `github-actions` ecosystem only (CI is the zero-dependency `validate.mjs`, no npm lockfile, so no npm ecosystem). Without this the new SHA pins would freeze forever.
- `gitleaks` secret-scan job — mirrors `opendpp-interop`'s pinned manual download. (`gitleaks-action` requires a `GITLEAKS_LICENSE` for org-owned repos, so the action form can't be used here; the manual 8.30.1 download needs no license.)
- `timeout-minutes` on both jobs.

Validation

`actionlint` clean; `node validate.mjs` → ✓ OKF bundle valid (211 concepts).
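The two mechanisms the PR relies on, SHA-pinned `uses:` references with a `# vX.Y.Z` comment and a manually downloaded scanner verified before use, are easy to get subtly wrong (a tag that looks pinned, a download that is never checksummed). The script below is an added example, not code from this PR or from the OpenDPP repositories: it lints a workflow for `uses:` lines that are not pinned to a full 40-hex commit SHA with a version comment, shows the minimal `github-actions`-only Dependabot config, and verifies an archive against an expected SHA-256 the way a pinned manual download should. The workflow, the Dependabot file and the archive are constructed inline; the all-zero SHAs are placeholders, not real commits, and the expected digest is whatever `sha256sum` reports for the constructed file.

```shell
#!/usr/bin/env bash
# Added example, not code from this PR or the OpenDPP repos. Lints a workflow
# for action references that are not "owner/repo@<40 hex> # vX.Y.Z", and
# verifies a downloaded archive against an expected SHA-256 before trusting it.
# Every input below is constructed; the 40-zero SHAs are placeholders.
set -u

# Print every `uses:` line that is NOT pinned to a 40-hex SHA followed by a
# "# vX.Y.Z" comment. Local (./) and docker:// references have no upstream tag
# that can move, so they are skipped. Prints nothing when the file is clean.
unpinned_lines() {
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | grep -vE 'uses:[[:space:]]*(\./|docker://)' \
    | grep -vE '@[0-9a-f]{40}[[:space:]]+#[[:space:]]*v[0-9]+(\.[0-9]+)*[[:space:]]*$' \
    || true
}

# Number of offending lines (0 when clean).
count_unpinned() {
  local bad
  bad=$(unpinned_lines "$1")
  if [ -z "$bad" ]; then echo 0; else printf '%s\n' "$bad" | wc -l | tr -d ' '; fi
}

# Exit 0 if clean, 1 with the offending lines on stderr otherwise.
check_pins() {
  local bad
  bad=$(unpinned_lines "$1")
  [ -z "$bad" ] && return 0
  printf 'unpinned or uncommented action reference(s) in %s:\n%s\n' "$1" "$bad" >&2
  return 1
}

# SHA-256 of a file, using whichever tool the host has.
digest_of() {
  { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } \
    | cut -d' ' -f1
}

# The manual-download pattern: the expected digest is copied from the release's
# checksums file and committed next to the workflow, so a swapped archive fails
# here instead of being extracted and run in CI.
verify_sha256() {
  [ "$(digest_of "$1")" = "$2" ]
}

# --- constructed sample inputs ---------------------------------------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

WF="$TMP/ci.yml"
cat >"$WF" <<'EOF'
jobs:
  validate:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v6.4.0
      - uses: ./.github/actions/local-helper
      - uses: actions/github-script@0000000000000000000000000000000000000000
EOF

# Minimal dependabot.yml covering only the github-actions ecosystem; Dependabot
# bumps both the SHA and the trailing "# vX.Y.Z" comment on each update.
cat >"$TMP/dependabot.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
EOF

ARCHIVE="$TMP/tool.tar.gz"
printf 'constructed stand-in for a downloaded release archive\n' >"$ARCHIVE"
GOOD_DIGEST=$(digest_of "$ARCHIVE")
# Rotate every hex digit so the "tampered" digest differs in all 64 positions.
BAD_DIGEST=$(printf '%s' "$GOOD_DIGEST" | tr '0-9a-f' '1-9a-f0')

if check_pins "$WF"; then echo "pins OK"; else echo "pin check failed: $(count_unpinned "$WF") line(s)"; fi
if verify_sha256 "$ARCHIVE" "$GOOD_DIGEST"; then echo "archive digest OK"; fi
if ! verify_sha256 "$ARCHIVE" "$BAD_DIGEST"; then echo "tampered digest rejected"; fi
```

On the sample workflow the lint flags two lines: `actions/checkout@v4` (mutable tag) and the `github-script` step that carries a SHA but no `# vX.Y.Z` comment, which would leave Dependabot nothing to keep in sync; the `setup-node` line and the local action pass. Running `check_pins` against every file under `.github/workflows` in CI is a cheap guard that the pins this PR introduces are not undone by a later tag-pinned step.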