Skip to content

Apply security best practices for GitHub Repo Supply Chain #1180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Jul 15, 2025
Merged

Apply security best practices for GitHub Repo Supply Chain #1180

merged 8 commits into from
Jul 15, 2025

Conversation

Nick2bad4u
Copy link
Contributor

@Nick2bad4u Nick2bad4u commented Jun 19, 2025
edited
Loading

Updates GitHub repo to use best practices against supply chain attacks by:

  1. Pinning github action versions
  2. Pinning docker versions
  3. Add dependency review workflow
  4. Update dependabot config. (You may want to remove this depending on how you manage npm updates)
  5. add codeql for code-scanning/security (optional but highly recommended by GitHub)

Motivation and Context

protects repo against supply chain attacks

Literature recommending these changes:

How Has This Been Tested?

ran actions in my own fork - worked.

Screenshots / Logs (if applicable)

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation (no code change)
  • Refactor (refactoring production code)
  • [ X ] Other

Repo Security Change

Checklist:

  • [ x ] My code follows the code style of this project.
  • [ x ] I have updated the documentation accordingly.
  • [ x ] I have formatted the code with rustfmt.
  • [ x ] I checked the lints with clippy.
  • I have added tests to cover my changes.
  • [ x ] All new and existing tests passed.

step-security-bot and others added 2 commits June 19, 2025 13:56
@step-security-bot
[StepSecurity] Apply security best practices
5d9b003 
Signed-off-by: StepSecurity Bot <[email protected]>
@Nick2bad4u
Protect against Supply Chain Attacks
71f6239 
Updates GitHub repo to use best practices against supply chain attacks by:

1. Pinning github action versions
2. Pinning docker versions
3. Add dependency review workflow
4. Add dependabot config.
5. add codeql for code-scanning/security
@Copilot Copilot AI review requested due to automatic review settings June 19, 2025 14:02
@Nick2bad4u Nick2bad4u requested a review from orhun as a code owner June 19, 2025 14:02
@welcome Welcome
Copy link

welcome bot commented Jun 19, 2025

Thanks for opening this pull request! Please check out our contributing guidelines! ⛰️

Copilot
Copilot AI reviewed Jun 19, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enforces supply chain security best practices by pinning versions for Docker images and GitHub Actions while introducing workflows for dependency review and CodeQL scanning.

  • Updated Dockerfile to use image digests instead of mutable tags.
  • Revised multiple workflows to replace floating version tags with pinned commit SHAs.
  • Added new workflows for dependency review, CodeQL scanning, and Dependabot configuration.

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file
File Description
Dockerfile Pinned image digests for both cargo-chef and debian base images.
.github/workflows/website.yml Updated checkout, setup-node, and other actions to use pinned SHAs.
.github/workflows/test-fixtures.yml Updated the checkout action version to a pinned SHA.
.github/workflows/docker.yml Pinned versions for Docker metadata, QEMU, Buildx, cache, and login steps.
.github/workflows/dependency-review.yml Introduced a new dependency review workflow with pinned action versions.
.github/workflows/codeql.yml Added a CodeQL analysis workflow with pinned versions for actions.
.github/workflows/ci.yml Updated CI workflows by pinning various action versions for consistency.
.github/workflows/check-semver.yml Pinned versions for semver check and pull request comment actions.
.github/workflows/cd.yml Revised CD workflows with pinned action versions and build steps.
.github/dependabot.yml Added configuration for Docker and NPM dependency updates.

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@Nick2bad4u Nick2bad4u changed the title [StepSecurity] Apply security best practices Apply security best practices for GitHub Repo Supply Chain Jun 19, 2025
@codecov-commenter
Copy link

codecov-commenter commented Jun 19, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 43.34%. Comparing base (c156fc5) to head (dc9d3ba).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1180      +/-   ##
==========================================
+ Coverage   43.30%   43.34%   +0.05%     
==========================================
  Files          22       22              
  Lines        2042     2040       -2     
==========================================
  Hits          884      884              
+ Misses       1158     1156       -2
Flag Coverage Δ
unit-tests 43.34% <ø> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

orhun
orhun reviewed Jun 22, 2025
View reviewed changes
@Nick2bad4u
switch daily to monthly, add groups and pull request limit to new npm…
d98f483 
… ecosystem.

I don't think docker group support update types but I can test it and get back to you but on the GitHub documentation it's not listed as supported under group types
@Nick2bad4u
format: pre-order list so npm is under the same header. add comment a…
75b84ae 
…bout docker depends

makes it in line with previous. formatting fix
@Nick2bad4u
format: remove blank line
3d538b8
@orhun
Copy link
Owner

orhun commented Jul 11, 2025

Sorry for the delay. Would love to merge this if you can rebase this on main and fix the conflicts 🙏🏼

Nick2bad4u and others added 3 commits July 15, 2025 11:15
@Nick2bad4u
Copy link
Contributor Author

Sorry for the delay. Would love to merge this if you can rebase this on main and fix the conflicts 🙏🏼

Done, ready for merge.

@orhun orhun merged commit a32deca into orhun:main Jul 15, 2025
91 checks passed
@welcome Welcome
Copy link

welcome bot commented Jul 15, 2025

Congrats on merging your first pull request! ⛰️

@orhun
Copy link
Owner

orhun commented Jul 15, 2025

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@orhun orhun orhun approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Nick2bad4u @codecov-commenter @orhun @step-security-bot