4 changes: 4 additions & 0 deletions .github/dependabot.yml
@@ -4,3 +4,7 @@ updates:
directory: /
schedule:
interval: weekly
- package-ecosystem: gomod
directory: /cli
schedule:
interval: weekly
21 changes: 12 additions & 9 deletions .github/workflows/build.yml
@@ -10,17 +10,20 @@ concurrency:
group: build-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
check:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Nix
uses: cachix/install-nix-action@v31
uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
- name: Setup Cachix
uses: cachix/cachix-action@v17
uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
with:
name: devenv
- name: Install devenv
@@ -42,11 +45,11 @@ jobs:
needs: [check]
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Nix
uses: cachix/install-nix-action@v31
uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
- name: Setup Cachix
uses: cachix/cachix-action@v17
uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
with:
name: nixpkgs-terraform
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
@@ -68,11 +71,11 @@ jobs:
- terranix
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Install Nix
uses: cachix/install-nix-action@v31
uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
- name: Setup Cachix
uses: cachix/cachix-action@v17
uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
with:
name: nixpkgs-terraform
extraPullNames: devenv
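Review bot: The three `Checkout code` steps keep checkout's default of persisting the job token for later git commands, and nothing visible in these jobs needs git credentials after the checkout. Adding `with:` and `persist-credentials: false` under each `actions/checkout` step would keep that token away from the Nix, Cachix and devenv steps that run afterwards. With the new workflow-level `contents: read` the token is low-privilege, so this is defence in depth rather than a fix for an open hole. The job bodies continue outside the visible hunks, so confirm no later step runs an authenticated git command before applying it.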
12 changes: 8 additions & 4 deletions .github/workflows/publish.yml
@@ -15,23 +15,27 @@ permissions:
jobs:
flakehub:
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.ref_name }}
- name: Install Nix
uses: cachix/install-nix-action@v31
uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
- name: Publish flake
uses: DeterminateSystems/flakehub-push@v6
uses: DeterminateSystems/flakehub-push@71f57208810a5d299fc6545350981de98fdbc860 # v6
with:
tag: ${{ github.ref_name }}
visibility: public

flakestry:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Publish flake
uses: flakestry/flakestry-publish@main
uses: flakestry/flakestry-publish@08cfeb3dc22bf4e2df64ba84e8dae19918e44e0b # main 2026-01-10
with:
version: ${{ github.ref_name }}
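Review bot: The new job-level `permissions:` block on `flakestry` grants only `contents: read`, and a job-level block replaces the workflow-level one rather than adding to it, so every other scope, including `id-token`, becomes `none` for this job. If `flakestry/flakestry-publish` authenticates with a GitHub OIDC token (its documented usage appears to ask for `id-token: write`; please confirm against the pinned commit), publishing would fail after this change. In that case the block should carry `contents: read` plus `id-token: write`. The workflow-level `permissions:` sits above the visible hunk, so what the job inherited before is not shown here.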
13 changes: 9 additions & 4 deletions .github/workflows/release.yml
@@ -10,26 +10,31 @@ concurrency:
group: release
cancel-in-progress: true

permissions: {}

jobs:
release:
if: ${{ github.event.workflow_run.conclusion == 'success' }}
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
contents: write
id-token: write
steps:
- name: Create GH App token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.event.workflow_run.head_sha }}
- name: Install Nix
uses: cachix/install-nix-action@v31
uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
- name: Setup Cachix
uses: cachix/cachix-action@v17
uses: cachix/cachix-action@5f2d7c5294214f71b873db4b969586b980625e71 # v17
with:
name: devenv
- name: Install devenv
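Review bot: The `release` job now holds `contents: write` and `id-token: write` and checks out `github.event.workflow_run.head_sha`, but its `if:` only tests that the triggering run succeeded, not where that run came from. A `workflow_run` job runs with the repository's secrets whatever triggered the upstream workflow, so if that workflow can also run for pull requests, the checked-out commit is not necessarily trusted code. The `on:` block is above the visible hunk; unless it already restricts branches, consider tightening the guard to `if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' }}`. It is also worth confirming that the job's own token still needs `contents: write` now that a GitHub App token is minted in the first step.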
21 changes: 14 additions & 7 deletions .github/workflows/update.yml
@@ -10,41 +10,47 @@ concurrency:
group: update
cancel-in-progress: true

permissions: {}

jobs:
update:
runs-on: macos-latest
timeout-minutes: 30
permissions:
contents: write
id-token: write
pull-requests: write
steps:
- name: Create GH App token
uses: actions/create-github-app-token@v2
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
id: app-token
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
- name: Checkout code
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: main
- name: Install Nix
uses: cachix/install-nix-action@v31
uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
- name: Install devenv
run: nix profile add --accept-flake-config github:cachix/devenv/latest
run: nix profile add --accept-flake-config github:cachix/devenv/v1.8
- name: Compile cli
run: devenv shell -- go build .
working-directory: cli
- name: Update versions
id: update
run: |
commit_message=$(cli/cli update)
if [[ -n "$commit_message" ]] && ! [[ "$commit_message" =~ ^feat: ]]; then
echo "Unexpected commit message format from cli/cli update; aborting"
exit 1
fi
echo "commit_message=$commit_message" >> "$GITHUB_OUTPUT"
env:
CLI_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
- name: Create pull request
if: ${{ steps.update.outputs.commit_message }}
uses: peter-evans/create-pull-request@v8
uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
with:
commit-message: ${{ steps.update.outputs.commit_message }}
title: ${{ steps.update.outputs.commit_message }}
@@ -68,9 +74,10 @@ jobs:
notify:
if: failure()
runs-on: ubuntu-latest
timeout-minutes: 2
needs: [update]
steps:
- uses: slackapi/slack-github-action@v2
- uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1
with:
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
webhook-type: webhook-trigger
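Review bot: The new format check in `Update versions` only anchors the start of `$commit_message`, so a multi-line value beginning with `feat:` passes and its later lines are written to `$GITHUB_OUTPUT` as separate entries. Since the value feeds `commit-message` and `title` of the pull-request step, rejecting newlines keeps the output to the single key this step means to set: `if [[ "$commit_message" == *$'\n'* ]]; then echo "Multi-line commit message from cli/cli update; aborting"; exit 1; fi`. Separately, `github:cachix/devenv/v1.8` is a tag reference rather than a commit revision, so it is not immutable in the way the SHA-pinned actions in this commit are; pinning a revision there would match the rest of the change.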