From f0a5386258993607a091705b99ca74b2ce7e7a65 Mon Sep 17 00:00:00 2001
From: Gabriel Pan Gantes
Date: Mon, 8 Jun 2026 11:58:30 +0200
Subject: [PATCH 1/2] chore(ci): pin PR-title action to commit SHA and add Dependabot Pin amannn/action-semantic-pull-request to its full commit SHA (48f256284bd46cdaab1048c3721360e808335d50, tag v6.1.1) instead of the mutable v6.1.1 tag. A SHA is immutable, so a compromised maintainer account cannot repoint it to malicious code in our CI. Add .github/dependabot.yml for the github-actions ecosystem so pinned actions still receive update PRs (keeping the # vX.Y.Z comment in sync) despite no longer floating on a tag.
---
 .github/dependabot.yml | 6 ++++++
 .github/workflows/pr-title.yml | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..5ace460
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
index a6f147f..fbf16fc 100644
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@@ -17,7 +17,10 @@ jobs:
 permissions:
 pull-requests: read
 steps:
- - uses: amannn/action-semantic-pull-request@v6.1.1
+ # Pinned to the full commit SHA (immutable) instead of the v6.1.1 tag,
+ # which is mutable and could be repointed if the maintainer is compromised.
+ # SHA corresponds to tag v6.1.1.
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
From 38aad647d435d66fc8cc9c50d66939c717222a74 Mon Sep 17 00:00:00 2001
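Review bot: The new dependabot.yml carries no comment saying why it exists, so a maintainer who later sees a bare 40-character SHA with a `# v6.1.1` trailer in pr-title.yml has nothing in this file telling them that updates arrive through Dependabot rather than by floating on a tag. Suggest a header comment before `version: 2`: `# Version updates for GitHub Actions. Needed because workflow actions are pinned to commit SHAs instead of tags; Dependabot rewrites the SHA and the trailing "# vX.Y.Z" comment together.` A `---` document-start marker before `version: 2` would also satisfy yamllint's document-start rule. Indentation is collapsed in this chunk, so the nesting of the `updates` sequence could not be checked here.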
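Review bot: The three-line comment added above the `uses:` line hard-codes "v6.1.1" in prose, but Dependabot only rewrites the SHA and the trailing `# v6.1.1` comment on the `uses:` line itself, so the prose goes stale on the first automated bump and will then contradict the trailer. Suggest dropping the version from the prose: `# Pinned to a full commit SHA (immutable) instead of a mutable tag; Dependabot keeps the SHA and the trailing version comment in sync.` The `permissions:` block with `pull-requests: read` is appropriately minimal for a title check and should stay as the only permission the job grants. The enclosing job definition starts before the hunk.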
From: Gabriel Pan Gantes
Date: Wed, 10 Jun 2026 10:50:43 +0200
Subject: [PATCH 2/2] chore(ci): also track maven deps with Dependabot Adds a maven update entry so Dependabot opens PRs for vulnerable/outdated Java dependencies (e.g. the gson CVE-2022-25647 handled manually in a separate PR), not just GitHub Actions.
---
 .github/dependabot.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ace460..c9b2105 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,3 +4,7 @@ updates:
 directory: "/"
 schedule:
 interval: "weekly"
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "weekly"
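Review bot: The `interval: "weekly"` schedule on the new maven entry governs version updates only; PRs for vulnerable dependencies such as the gson CVE-2022-25647 case named in the commit message come from Dependabot security updates, which are switched on in the repository's security settings rather than by this file. If the goal is to guarantee vulnerability PRs, confirm that setting is enabled and record the distinction next to the entry: `# Version updates only; security-update PRs require Dependabot alerts/security updates to be enabled for the repository.` `directory: "/"` assumes a pom.xml at the repository root; for a multi-module build this is presumably fine since Dependabot resolves modules from the root pom, but verify that the modules are actually picked up. The `updates:` sequence begins outside the hunk.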