From a0ddabaa784d56bd8deefc8bd2eb986160a27ec3 Mon Sep 17 00:00:00 2001 From: Daniel Baker Date: Mon, 6 Jul 2026 08:43:49 -0700 Subject: [PATCH 1/2] ci: add a 7-day Dependabot cooldown Delay update PRs for freshly published releases by 7 days, so a compromised release has time to be caught and yanked before Dependabot auto-adopts it (zizmor dependabot-cooldown). --- .github/dependabot.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ee3b5fd..36aaaa3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,5 +10,10 @@ updates: - "/.github/actions/*" schedule: interval: weekly + cooldown: + # Wait this many days before opening an update PR for a freshly + # published release, so a compromised release has time to be caught + # and yanked before it is auto-adopted (zizmor dependabot-cooldown). + default-days: 7 # Dependabot updates both tag-pinned and SHA-pinned action # references. PRs from Dependabot follow normal review. From 611ad1c8a34a4e3a806976bdba7992b27d351de4 Mon Sep 17 00:00:00 2001 From: Daniel Baker Date: Mon, 6 Jul 2026 08:43:51 -0700 Subject: [PATCH 2/2] ci: add workflow-security gate (zizmor + pinact) Add a workflow-security job to check.yml that runs on every PR and push: - nix run .#zizmor -- .github/ audits all workflows, the composite action, and dependabot.yml. - nix run .#pinact -- run --check verifies every action is SHA-pinned and its version comment matches the SHA. --- .github/workflows/check.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index e3f9d5e..e5b00b5 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -188,3 +188,20 @@ jobs: printf 'Version: %s\n' "$VERSION" printf 'Date: %s\n' "$RELEASE_DATE" printf '%s\n' "$NOTES" + + workflow-security: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - uses: ./.github/actions/setup-nix + - name: Audit workflows with zizmor + env: + GH_TOKEN: ${{ github.token }} + run: nix run .#zizmor -- .github/ + - name: Verify action pins and version comments with pinact + env: + GITHUB_TOKEN: ${{ github.token }} + run: nix run .#pinact -- run --check