Supply chain hardening for pnpm and GitHub Actions #130

Merged
Cahllagerfeld merged 1 commit into main from feature/supply-chain-hardening
Apr 1, 2026

@strickvl
Contributor

Summary

Adds supply chain security hardening based on an audit of current configuration against best practices for package cooldowns and dependency management.

Changes

  • pnpm-workspace.yaml (new): Configures pnpm v10 supply chain protections:

    • minimumReleaseAge: 10080 — 7-day cooldown before newly published packages can be installed (blocks the window where most compromised packages get detected and yanked)
    • onlyBuiltDependencies: [esbuild] — only esbuild is allowed to run lifecycle scripts (postinstall); all others are blocked
    • blockExoticSubdeps: true — prevents transitive dependencies from pulling code from git repos or tarballs
    • trustPolicy: no-downgrade — blocks package versions that have weaker authentication than prior releases (catches credential compromise)
  • GitHub Actions pinned to commit SHAs: All 4 third-party actions (actions/checkout, anthropics/claude-code-action, openai/codex-action, actions/github-script) are pinned to full-length commit SHAs instead of mutable tag refs. This prevents tag hijacking attacks like the tj-actions/changed-files incident that affected 23,000+ repos.

  • persist-credentials: false added to all actions/checkout steps to prevent the GITHUB_TOKEN from leaking to subsequent steps.

  • .github/dependabot.yml (new): Enables Dependabot for the github-actions ecosystem with weekly checks and a 7-day cooldown on updates.

What's NOT included (follow-up)

  • Dependabot for npm ecosystem — tracked in a separate issue for team discussion

Test plan

  • Verify pnpm install succeeds locally with the new pnpm-workspace.yaml
  • Verify Claude Code and Codex workflows still trigger correctly on PRs (the SHA pins resolve to the same versions currently in use)
  • Confirm Dependabot starts opening PRs for GitHub Actions updates after merge

- Add pnpm-workspace.yaml with 7-day minimumReleaseAge cooldown,
  onlyBuiltDependencies allowlist (esbuild), blockExoticSubdeps,
  and trustPolicy: no-downgrade
- Pin all GitHub Actions to full-length commit SHAs to prevent
  tag hijacking attacks (e.g. tj-actions incident)
- Add persist-credentials: false to all checkout steps
- Add Dependabot config for GitHub Actions with 7-day cooldown
@strickvl changed the title from "security: supply chain hardening for pnpm and GitHub Actions" to "Supply chain hardening for pnpm and GitHub Actions" on Mar 31, 2026
@Cahllagerfeld merged commit 656b61f into main on Apr 1, 2026
4 checks passed
@Cahllagerfeld deleted the feature/supply-chain-hardening branch on April 1, 2026 06:41
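
The two workflow rules this PR describes (third-party actions pinned to full-length commit SHAs, and `persist-credentials: false` on every `actions/checkout` step) can be checked mechanically. The following is an added example, not code from this PR or repository: a dependency-free Node.js audit run over a constructed workflow. The function names, rule names and the placeholder SHA are assumptions.

```javascript
// Added example: heuristic line-based audit of a workflow file (not a YAML parser).
const FULL_SHA = /^[0-9a-f]{40}$/;
// Group each list item ("- ...") with the more-indented lines that belong to it.
function splitSteps(text) {
  const steps = [];
  let cur = null;
  text.split("\n").forEach((raw, i) => {
    const line = raw.replace(/(^|\s)#.*$/, ""); // drop comments such as "# v4"
    const indent = line.search(/\S/);
    if (indent === -1) return; // blank or comment-only line
    const isNew = /^\s*-\s/.test(line) && (!cur || indent <= cur.indent);
    if (isNew) steps.push((cur = { indent, line: i + 1, body: [line.replace("-", " ")] }));
    else if (cur && indent > cur.indent) cur.body.push(line);
    else cur = null; // dedent to a non-list key ends the current item
  });
  return steps;
}

// Report mutable action refs and checkout steps that leave the token in git config.
function auditWorkflow(text) {
  const findings = [];
  for (const step of splitSteps(text)) {
    const body = step.body.join("\n");
    const m = body.match(/^\s*uses:\s*["']?([^"'\s]+)/m);
    if (!m || m[1].startsWith("./") || m[1].startsWith("docker://")) continue; // not covered here
    const ref = m[1], at = ref.lastIndexOf("@");
    if (at === -1 || !FULL_SHA.test(ref.slice(at + 1)))
      findings.push({ line: step.line, rule: "unpinned-action", ref });
    const optedOut = /^\s*persist-credentials:\s*["']?false["']?\s*$/m.test(body);
    if (ref.startsWith("actions/checkout@") && !optedOut)
      findings.push({ line: step.line, rule: "checkout-persists-credentials", ref });
  }
  return findings;
}

// Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
const SHA = "0123456789abcdef0123456789abcdef01234567";
const SAMPLE = [
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - name: pinned, token still persisted",
  `        uses: actions/checkout@${SHA} # constructed`,
  `      - uses: actions/checkout@${SHA}`,
  "        with:",
  "          persist-credentials: false",
  "      - uses: actions/github-script@main",
  "      - run: pnpm install",
].join("\n");
console.log(auditWorkflow(SAMPLE));
```

Because the parsing is indentation-based, treat a clean result as a quick CI gate rather than proof; workflows that use YAML anchors or flow-style mappings need a real YAML parser.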