From 20e37674aceab367ce357702c12efaa3b3cd4251 Mon Sep 17 00:00:00 2001
From: Oliver Kurz
Date: Tue, 30 Jun 2026 14:20:50 +0200
Subject: [PATCH 1/2] feat(ci): pin GitHub Actions by commit hash
Motivation: Secure GitHub Actions workflows against git tag hijacking attacks.
Design Choices: Replace version tags with full 40-character SHA-1 hashes. Preserve tags as comments for easy reference.
Benefits: Ensures workflow immutability and compliance with security best practices.
Related issue: https://progress.opensuse.org/issues/203049
---
.github/dependabot.yml | 14 ++++++++++++++
.github/workflows/test.yml | 10 +++++-----
2 files changed, 19 insertions(+), 5 deletions(-)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..e09f777
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,14 @@
+version: 2
+updates:
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'weekly'
+ day: 'monday'
+ cooldown:
+ default-days: 7
+ open-pull-requests-limit: 5
+ groups:
+ all-actions:
+ patterns:
+ - "*"
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9b9118b..2f35f14 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,10 +25,10 @@ jobs:
 PERL_CARTON_PATH: $GITHUB_WORKSPACE/local
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - run: perl -V
 - name: install deps using cpanm
- uses: perl-actions/install-with-cpanm@v1
+ uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1
 with:
 sudo: false
 args: --sudo --installdeps --with-develop --with-recommends .
@@ -62,7 +62,7 @@ jobs:
 perl-versions: ${{ steps.action.outputs.perl-versions }}
 steps:
 - id: action
- uses: perl-actions/perl-versions@v1
+ uses: perl-actions/perl-versions@edf86e4f43a710eeafdedc8a6872b79d39f7fdde # v1
 with:
 since-perl: v5.20
 with-devel: true
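Review bot: Quoting in the new dependabot.yml is inconsistent: `package-ecosystem`, `directory`, `interval` and `day` use single quotes while the group pattern uses double quotes (`- "*"`); pick one style, e.g. `- '*'`, since none of these values needs escape processing. The wildcard itself must stay quoted in either style, because a bare `*` is read as a YAML alias. The `cooldown` block presumably holds each pinned-hash bump back for seven days, which is the window in which a pulled or compromised upstream release tends to get noticed; that intent is worth stating in a comment above the block, e.g. `# hold back bumps so a retracted release is not adopted on day one`.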
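Review bot: The trailing comments beside the new hashes record only the floating major tag (`# v4`, `# v1`), so a reader cannot tell which release a 40-character SHA was taken from; record the exact tag the hash resolves to, e.g. `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` with the real tag filled in. The same applies to the `install-with-cpanm` pin in this hunk and to the `perl-versions` and `checkout`/`install-with-cpanm` pins in the hunks at -62 and -84. Whether each hash is the commit the upstream tag actually points to cannot be checked from the diff, so the review should confirm that against the upstream repositories before merging — a hash copied from an unverified source pins the wrong code just as immutably. The Dependabot config added in this commit would presumably keep hash and comment in step on later bumps, which is another reason to start from an exact tag.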
@@ -84,10 +84,10 @@ jobs:
 image: perldocker/perl-tester:${{ matrix.perl-version }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - run: perl -V
 - name: install deps using cpanm
- uses: perl-actions/install-with-cpanm@v1
+ uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1
 with:
 sudo: false
 args: -v --installdeps --with-develop --with-recommends .
From 9af0229f77b26f1dddfada6f077eb27db483eb78 Mon Sep 17 00:00:00 2001
From: Oliver Kurz
Date: Tue, 30 Jun 2026 14:44:46 +0200
Subject: [PATCH 2/2] fix(ci): format inline comments in workflows to pass yamllint
Motivation: Workflow files failed yamllint checkstyle checks due to inline comments only having 1 space instead of the expected 2.
Design Choices: Reformat comment prefixes to use 2 spaces before '#'.
Benefits: Fixes CI checkstyle/yaml-syntax validation errors.
Related issue: https://progress.opensuse.org/issues/203049
---
.github/workflows/test.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 2f35f14..7147532 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,10 +25,10 @@ jobs:
 PERL_CARTON_PATH: $GITHUB_WORKSPACE/local
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - run: perl -V
 - name: install deps using cpanm
- uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1
+ uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1
 with:
 sudo: false
 args: --sudo --installdeps --with-develop --with-recommends .
@@ -62,7 +62,7 @@ jobs:
 perl-versions: ${{ steps.action.outputs.perl-versions }}
 steps:
 - id: action
- uses: perl-actions/perl-versions@edf86e4f43a710eeafdedc8a6872b79d39f7fdde # v1
+ uses: perl-actions/perl-versions@edf86e4f43a710eeafdedc8a6872b79d39f7fdde # v1
 with:
 since-perl: v5.20
 with-devel: true
@@ -84,10 +84,10 @@ jobs:
 image: perldocker/perl-tester:${{ matrix.perl-version }}
 steps:
- - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - run: perl -V
 - name: install deps using cpanm
- uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1
+ uses: perl-actions/install-with-cpanm@10d60f00b4073f484fc29d45bfbe2f776397ab3d # v1
 with:
 sudo: false
 args: -v --installdeps --with-develop --with-recommends .