Skip to content

fix(ci): harden GitHub Actions security and enable Dependabot updates#26

Merged
rpignolet merged 3 commits into
OKDP:mainfrom
idirze:ci/security
Jun 19, 2026
Merged

fix(ci): harden GitHub Actions security and enable Dependabot updates#26
rpignolet merged 3 commits into
OKDP:mainfrom
idirze:ci/security

Conversation

@idirze

@idirze idirze commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

Description

This PR hardens the GitHub Actions workflows and reusable actions used by this repository.

Main changes include:

  • Reduce default GITHUB_TOKEN permissions and scope write permissions only where needed.
  • Pin third-party GitHub Actions to immutable commit SHAs.
  • Move GitHub expression values into environment variables before shell execution to reduce injection risks.
  • Harden branch-name handling in .github/actions/git-branch/action.yml, including support for branch names containing /, such as ci/security.
  • Make secret passing more explicit in reusable workflow calls.
  • Add Dependabot configuration for GitHub Actions dependency updates.

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Refactor / chore
  • Breaking change

Checklist

Comment thread .github/dependabot.yml Outdated
Co-authored-by: Pierre Sauvage <m.sauvage.pierre@gmail.com>
@rpignolet rpignolet merged commit bc1e45e into OKDP:main Jun 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants