forked from molecule-ai/molecule-core
c77a88c247
Supply-chain hardening for the CI pipeline. 23 workflow files
modified, 59 mutable-tag refs replaced with commit SHAs.
The risk
Every `uses:` reference in .github/workflows/*.yml was pinned to a
mutable tag (e.g., `actions/checkout@v4`). A maintainer of an
action — or a compromised maintainer account — can repoint that
tag to malicious code, and our pipelines silently pull it on the
next run. The tj-actions/changed-files compromise of March 2025 is
the canonical example: maintainer credential leak, attacker
repointed several `@v<N>` tags to a payload that exfiltrated
repository secrets. Repos that pinned to SHAs were unaffected.
The fix
Replace each `@v<N>` with `@<commit-sha> # v<N>`. The trailing
comment preserves human readability ("ah, this is v4"); the SHA
makes the reference immutable.
Actions covered (10 distinct):
actions/{checkout,setup-go,setup-python,setup-node,upload-artifact,github-script}
docker/{login-action,setup-buildx-action,build-push-action}
github/codeql-action/{init,autobuild,analyze}
dorny/paths-filter
imjasonh/setup-crane
pnpm/action-setup (already pinned in molecule-app, listed here for completeness)
Excluded:
Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main
— internal org reusable workflow; we control its repo, threat model
is different from third-party actions. Conventional to pin to @main
rather than SHA for internal reusables.
The maintenance cost
SHA pinning means upstream fixes require manual SHA bumps. Without
automation, pinned SHAs go stale. So this PR also enables Dependabot
across four ecosystems:
- github-actions (workflows)
- gomod (workspace-server)
- npm (canvas)
- pip (workspace runtime requirements)
Weekly cadence — the supply-chain attack window is "minutes between
repoint and pull"; weekly auto-bumps don't help with zero-days
regardless. The point is to pull in non-zero-day fixes without
operator effort.
Aligns with user-stated principle: "long-term, robust, fully-
automated, eliminate human error."
Companion PR: Molecule-AI/molecule-controlplane#308 (same pattern,
smaller surface).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
81 lines
2.5 KiB
YAML
81 lines
2.5 KiB
YAML
# Dependabot — auto-bump pinned dependencies.
|
|
#
|
|
# Why this exists:
|
|
#
|
|
# All `uses:` references in .github/workflows/*.yml are pinned to commit
|
|
# SHAs (with `# v<N>` comments for human readability) instead of mutable
|
|
# tags like `@v4`. Tag pinning is a known supply-chain risk: a maintainer
|
|
# (or compromised maintainer account) can repoint `@v4` to malicious code
|
|
# and our pipelines silently pull it. SHA pinning closes that risk.
|
|
#
|
|
# But SHA pinning has a maintenance cost: each upstream legitimate fix
|
|
# requires manually finding + bumping the SHA. Dependabot for Actions
|
|
# closes that gap by opening PRs to bump pinned SHAs whenever upstream
|
|
# tags a new version. Reviewer evaluates the bump like any other
|
|
# dependency PR.
|
|
#
|
|
# Combined: SHA pinning gives us security, Dependabot keeps us current.
|
|
|
|
version: 2
|
|
updates:
|
|
# GitHub Actions — every workflow file under .github/workflows/.
|
|
# Weekly cadence is enough for a CI surface this size; the supply-
|
|
# chain attack window is "minutes between repoint and pull," and
|
|
# weekly auto-bumps don't help with zero-days regardless. The point
|
|
# is to pull in non-zero-day fixes without operator effort, not to
|
|
# be real-time.
|
|
- package-ecosystem: github-actions
|
|
directory: "/"
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 5
|
|
labels:
|
|
- dependencies
|
|
- github-actions
|
|
commit-message:
|
|
prefix: chore(deps)
|
|
include: scope
|
|
|
|
# Go module — workspace-server. Bumps go.mod deps via PR weekly.
|
|
- package-ecosystem: gomod
|
|
directory: "/workspace-server"
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 5
|
|
labels:
|
|
- dependencies
|
|
- go
|
|
commit-message:
|
|
prefix: chore(deps)
|
|
include: scope
|
|
|
|
# npm — canvas (Next.js bundle). Largest dep tree in this repo;
|
|
# weekly cadence keeps the security surface fresh without flooding
|
|
# the queue. open-pull-requests-limit: 10 because npm churns more
|
|
# than the others.
|
|
- package-ecosystem: npm
|
|
directory: "/canvas"
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 10
|
|
labels:
|
|
- dependencies
|
|
- npm
|
|
commit-message:
|
|
prefix: chore(deps)
|
|
include: scope
|
|
|
|
# Python — workspace runtime requirements. Pip/requirements.txt-
|
|
# backed rather than pyproject.toml; Dependabot supports both.
|
|
- package-ecosystem: pip
|
|
directory: "/workspace"
|
|
schedule:
|
|
interval: weekly
|
|
open-pull-requests-limit: 5
|
|
labels:
|
|
- dependencies
|
|
- python
|
|
commit-message:
|
|
prefix: chore(deps)
|
|
include: scope
|