Pin dependencies, with Dependabot cooldown and more code scanning #50
Conversation
It was the default not to commit lockfiles for library-only crates, at the time `.gitignore` here was written. Since then, however:

- rust-lang/cargo#12382
- github/gitignore#4350

More importantly, tracking `Cargo.lock` helps in improving supply chain security, in two ways:

1. A supply chain attack is less often immediately successful.
2. Further mitigations, such as dependency cooldown, can be used.

Various adjustments related to supply chain security and CI:

- Don't persist credentials in `actions/checkout`.
- Pin actions to full SHA-1 OIDs with tool-readable tag comments.
- Change cadence from weekly to monthly (due to more updates now).
- Enable Dependabot for Cargo (Rust) dependencies, not just GHA.
- Set best-effort 7-day cooldown period in Dependabot updates.
- Set up Zizmor with customized workflow and pedantic persona.
- Turn off two unwanted pedantic Zizmor checks.
- Allow both workflows to run from Actions tab (and other events).
This is the GitHub template-generated workflow. It will be customized in the next commit.
- Rename it "CodeQL" (instead of "CodeQL Advanced").
- Expand and adjust event triggers, similar to other workflows.
- More query packs: `security-extended` and `security-and-quality`.
- Set empty workflow permissions (overridden at the job level).
- Remove unneeded job-level permissions.
- Clearly comment the job-level permissions that are kept.
- Use v6 of `actions/checkout` (rather than v4).
- Don't persist credentials in the `actions/checkout` step.
- Pin CodeQL-related actions (and checkout) with full SHA OIDs.
- Adjust style to match other workflow (where no reason not to).
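The pinning and `persist-credentials` rules these commit messages describe, as an added checker that is not part of this PR, of the project, or of zizmor: it runs over a constructed workflow snippet and reports each `uses:` that is not a full commit SHA, each SHA pin that lacks a `# vX.Y.Z` tag comment, and each `actions/checkout` step without `persist-credentials: false`.

```python
import re

# Constructed sample (not the PR's ci.yml): one checkout pinned the way the PR
# does it, one unpinned, and two actions-rs/cargo steps (floating tag, no comment).
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          persist-credentials: false
      - uses: actions/checkout@v4
      - name: "Check (crossterm)"
        uses: actions-rs/cargo@v1
      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?P<comment>#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text: str) -> list:
    """Return (line_number, message) pairs: SHA pin, tag comment, persist-credentials."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group("ref").partition("@")
        if not SHA_RE.match(ref):
            findings.append((i, f"{action}: not pinned to a full commit SHA ({ref!r})"))
        elif not m.group("comment"):
            findings.append((i, f"{action}: SHA pin has no '# vX.Y.Z' tag comment"))
        if action == "actions/checkout":
            # Keys of the same step (with:, ...) sit at or beyond the column of
            # `uses:`; a shallower line (next `- ` item or job key) ends the step.
            key_col = line.index("uses:")
            step = []
            for nxt in lines[i:]:
                if nxt.strip() and (len(nxt) - len(nxt.lstrip())) < key_col:
                    break
                step.append(nxt)
            if not any(re.match(r"\s*persist-credentials:\s*false\b", s) for s in step):
                findings.append((i, "actions/checkout: persist-credentials is not false"))
    return findings

if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

The scan only looks at keys following `uses:` within a step, so a `with:` block written above `uses:` is not seen; zizmor's real parser is YAML-aware and has no such limit.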
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
| run: make tests | ||
| - name: "Check (crossterm)" | ||
| uses: actions-rs/cargo@v1 | ||
| uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |
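Review bot: the replacement line `uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3` has the right shape for a pin (full SHA, with the tag in a comment Dependabot can keep in sync), but `actions-rs/cargo` lives in an archived repository, so the pin freezes a wrapper that will get no further fixes. Since this job already runs plain commands (`run: make tests` two lines up), the same step can be a `run: cargo check ...` line with no third-party action, which removes the finding instead of only pinning it.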
Check warning (Code scanning / zizmor): action or reusable workflow from archived repository
| - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 | ||
| with: | ||
| persist-credentials: false | ||
| - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 |
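Review bot: `persist-credentials: false` on the `actions/checkout` step is the right choice here, since nothing in the shown context needs the `GITHUB_TOKEN` left in `.git/config` after checkout; any later step that pushes would now have to supply a token explicitly. The `actions-rs/toolchain` pin on the last line comes from an archived repository as well; `rustup` is preinstalled on GitHub-hosted runners, so a `run: rustup toolchain install <toolchain>` step is the usual maintained replacement.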
Check warning (Code scanning / zizmor): action or reusable workflow from archived repository
| override: true | ||
| - name: "Check (crossterm)" | ||
| uses: actions-rs/cargo@v1 | ||
| uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |
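Review bot: same archived-repository concern as the other `actions-rs/cargo` pins in this file. The `override: true` context line shows the preceding toolchain step already makes the installed toolchain the default, so a plain `run: cargo check` with the same arguments would use it without the wrapper action.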
Check warning (Code scanning / zizmor): action or reusable workflow from archived repository
| args: --features=render-tui,render-tui-crossterm,render-line,render-line-crossterm,signal-hook,render-line-autoconfigure,progress-tree --all --bins --tests --examples | ||
| - name: "Test (crossterm)" | ||
| uses: actions-rs/cargo@v1 | ||
| uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3 |
Check warning (Code scanning / zizmor): action or reusable workflow from archived repository
Pull request overview
This PR enhances supply chain security and CI reproducibility by pinning dependencies and adding security scanning workflows. It tracks Cargo.lock for deterministic builds, configures Dependabot with cooldown periods to prevent update fatigue, and introduces automated security scanning through CodeQL and zizmor.
Changes:
- Added `Cargo.lock` tracking for reproducible dependency resolution
- Configured Dependabot with monthly updates, 7-day cooldowns, and dependency grouping
- Pinned all GitHub Actions to specific commit SHAs with version annotations
- Added CodeQL and zizmor security scanning workflows
Reviewed changes
Copilot reviewed 5 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Cargo.lock | Auto-generated lockfile for pinned Rust dependencies |
| .gitignore | Removed Cargo.lock exclusion to enable dependency tracking |
| .github/dependabot.yml | Added Cargo ecosystem config and cooldown periods for both ecosystems |
| .github/workflows/ci.yml | Pinned actions to commit SHAs, added persist-credentials: false, and workflow_dispatch trigger |
| .github/workflows/codeql.yml | New CodeQL security scanning workflow for Rust and GitHub Actions |
| .github/workflows/zizmor.yml | New zizmor security analysis workflow for GitHub Actions |
| .github/zizmor.yml | Configuration file disabling specific zizmor rules |
EliahKagan left a comment
As in GitoxideLabs/cargo-smart-release#99, we have archived actions-rs actions in use here, which we should probably replace with something maintained--and here, we have more of them. However, this doesn't worsen that situation, it just catches it with Zizmor, which, as there, can help us avoid forgetting. So I think that's not a blocker for these changes.
This is somewhat better for supply-chain security and reproducible CI. See commit messages for details.
Aside from tracking `Cargo.lock` (e16e2ab), which was already done in the gitoxide and cargo-smart-release repositories, this is similar to changes in GitoxideLabs/gitoxide#2337 (as fixed in GitoxideLabs/gitoxide#2342) and GitoxideLabs/cargo-smart-release#99.