chore: lock ga hash and use persist-credential false#99
Conversation
There was a problem hiding this comment.
This PR hardens GitHub Actions workflows by pinning all action references to specific commit SHAs instead of mutable version tags, adds persist-credentials: false to all checkout steps, and introduces a Dependabot configuration to automate weekly updates of GitHub Actions dependencies.
Changes
• .github/dependabot.yml added: configures weekly Dependabot updates for GitHub Actions, grouping minor and patch updates together
• .github/workflows/checks.yml: actions pinned to commit SHAs, persist-credentials: false added to checkout, blank lines added between steps
• .github/workflows/jekyll.yml: same SHA pinning and persist-credentials: false applied
• .github/workflows/publish.yml: same SHA pinning and persist-credentials: false applied
Impact
• Reduces supply-chain risk by preventing mutable version tags from being silently updated to malicious code
• Reduces credential exposure by disabling automatic git credential persistence after checkout
• Dependabot will open automated PRs to keep action SHAs current
No description provided.