From 52523df4f3c5f66e7d018c2f7045aa708083fd02 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Tue, 26 May 2026 17:43:24 +0200
Subject: [PATCH 1/3] [INTERNAL] Pin actions to commit hash

---
 .github/workflows/reuse-compliance.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index 3dbdbb22ff9..77a0723bd80 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -18,4 +18,4 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Execute REUSE Compliance Check
- uses: fsfe/reuse-action@v5
+ uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5.0.0

From 235d38da08fab2bb814516a640cf1d62641550f1 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Tue, 26 May 2026 17:43:34 +0200
Subject: [PATCH 2/3] [INTERNAL] Disallow npm dependencies from git

See: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/#:~:text=New%20%2D%2Dallow%2Dgit%20flag,explicit%20control%20over%20this%20behavior.

---
 .npmrc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.npmrc b/.npmrc
index 3eeeab4e326..f5bb40b0e47 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@
 registry=https://registry.npmjs.org/
 lockfile-version=3
 ignore-scripts=true
+allow-git=none

From cf82b0da66becb3de1442f7bd14503f56c79267d Mon Sep 17 00:00:00 2001
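Review bot: The `actions/checkout@v4` step on the context line just above the changed line is still referenced by a mutable tag, so after this commit the workflow is only half pinned even though the subject says actions are pinned to a commit hash; a tag can be moved to point at different code, which is exactly what SHA pinning prevents. Pin it the same way, e.g. `- uses: actions/checkout@<full-commit-sha-of-checkout-v4> # v4` (placeholder, fill in the SHA from the upstream release). Keeping the `# vX.Y.Z` trailing comment on every pinned line, as the new line does, is worth stating in a short comment above `steps:` so future edits follow the convention, e.g. `# Pin third-party actions to a full commit SHA; keep the version comment so updates stay reviewable`. The job that owns this `steps:` list starts before the hunk.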
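Review bot: The new `allow-git=none` line is honored only by npm releases that implement the flag described in the changelog linked in the commit message; an older npm client will presumably not fail on the unknown key, so on such a client the restriction is silently unenforced rather than enforced. The file carries no hint of that precondition. A comment above the new line would make it explicit, e.g. `# Reject dependencies fetched from git URLs; needs an npm version that implements --allow-git (see the changelog linked in the introducing commit)`, and if the project already declares a minimum npm version (engines or packageManager in package.json, outside this diff) it should be raised to one that supports the flag.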
From: Merlin Beutlberger
Date: Wed, 27 May 2026 13:43:58 +0200
Subject: [PATCH 3/3] [INTERNAL] Harden workflows

Replace spoofable github.actor check in dependabot-auto-merge with github.event.pull_request.user.login. Note: spoofing the dependabot actor alone is not sufficient to trigger the auto-merge step. The dependabot/fetch-metadata action only emits outputs for genuine dependabot PRs, so the merge step's check on steps.metadata.outputs.update-type would no-op on a spoofed run. The change closes the gap defensively.

---
 .github/workflows/dependabot-auto-merge.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
index 43d92c94fd6..fce19297203 100644
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
 dependabot:
 runs-on: ubuntu-latest
- if: ${{ github.actor == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.pull_request.auto_merge == null }}
 steps:
 - name: Dependabot metadata
 id: metadata
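Review bot: The reason for comparing `github.event.pull_request.user.login` rather than `github.actor` lives only in the commit message, so the next person touching the `if:` on the changed line has nothing in the file telling them the distinction matters. A one-line comment above the condition would keep it from regressing, e.g. `# Gate on the PR author from the event payload, not github.actor: the actor is whoever triggered this run and need not be the PR author`. Note that `github.event.pull_request` is populated only for pull-request style events; the workflow's `on:` trigger and the `permissions:` block are outside the hunk, so if another trigger is ever added the expression would evaluate to null and the job would simply be skipped, which is the safe direction. The dependabot job continues past the end of the hunk.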