Bulk Task: Pin GitHub Actions SHAs & Harden Dependabot Configuration
Instructions for the model
You are given a list of repositories in the stroeer GitHub organization. For each repository:
- Check if a PR already exists with a title containing "Pin GitHub Actions" or "harden Dependabot". If so, skip that repo and note that it was skipped.
- Skip archived repositories and repositories with no .github/workflows/ directory.
- For all remaining repos, create a pull request with the changes below.
Task Definition
🔒 Pin GitHub Actions SHAs & Harden Dependabot Configuration
Why this matters
Pinning GitHub Actions to full commit SHAs is a critical supply chain security measure. When workflows reference actions by tag, for example actions/checkout@v4, a compromised or hijacked tag could silently replace the action code with malicious content. By pinning to the exact commit SHA and adding a human-readable version comment, you get:
- Immutability: The SHA guarantees the exact code that runs cannot be changed after the fact.
- Auditability: The version comment, for example # v4, tells humans which version is pinned.
- Dependabot compatibility: Dependabot can still detect newer versions and propose SHA-pinned updates.
Part 1: Pin all GitHub Actions to full commit SHAs
For every .github/workflows/*.yml file:
- Convert every uses: tag reference to a full 40-character commit SHA.
- Append a version comment, for example:
  uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
- Do NOT upgrade or downgrade any action versions. Pin the exact tag already in use.
- If an action is already SHA-pinned but missing the comment, just add the comment.
- Do NOT pin reusable workflows referencing a branch, for example @main or @master. Leave those as-is.
- Do not change any workflow logic, job config, step ordering, or non-uses: content.
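The rewrite rules above (pin tags, comment the version, leave branch references, local actions and docker:// images alone, add only the comment to an already-pinned reference) as an added Python example; this is not part of the task text or any stroeer tooling. It assumes a tag-to-commit lookup that here is a constructed table (a real run would resolve each tag through the GitHub API), treats main and master as branch names by assumption, and uses a placeholder SHA and an example-org repository as constructed sample data; only the actions/checkout SHA comes from the task text.

```python
import re
from typing import Dict, List, Tuple

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: <ref>" with optional list dash, indentation and trailing comment.
USES_RE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<ref>\S+)(?P<rest>\s*(?:#.*)?)$")

# Constructed stand-in for a tag -> commit lookup (a real run would ask the
# GitHub API which commit each tag points at). The actions/checkout SHA is the
# one quoted in the task; the setup-node SHA is a placeholder, not a real commit.
TAG_TO_SHA: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v4"): "b4ffde65f46336ab88eb53be808477a3936bae11",
    ("actions/setup-node", "v4"): "0000000000000000000000000000000000000001",
}
SHA_TO_TAG: Dict[str, str] = {sha: tag for (_, tag), sha in TAG_TO_SHA.items()}
# Refs treated as branches and left untouched. Assumption: in practice the ref
# type should be confirmed via the API instead of by name.
BRANCH_REFS = {"main", "master"}


def pin_uses_line(line: str) -> Tuple[str, str]:
    """Return (rewritten line, note); note is "" when nothing needs reporting."""
    m = USES_RE.match(line)
    if not m:
        return line, ""
    ref, rest = m.group("ref"), m.group("rest").strip()
    existing_comment = rest.lstrip("#").strip()
    if "@" not in ref or ref.startswith(("./", "docker://")):
        return line, ""  # local path or container image: nothing to pin
    action, version = ref.rsplit("@", 1)
    if version in BRANCH_REFS:
        return line, f"left branch reference as-is: {ref}"
    if SHA_RE.fullmatch(version):
        if existing_comment:
            return line, ""  # already pinned and commented
        tag = SHA_TO_TAG.get(version)
        if tag is None:
            return line, f"SHA-pinned but version unknown, comment not added: {ref}"
        return f"{m.group('prefix')}{ref} # {tag}", ""
    owner_repo = "/".join(action.split("/")[:2])  # drop any sub-action path
    sha = TAG_TO_SHA.get((owner_repo, version))
    if sha is None:
        return line, f"could not resolve {ref}; left unchanged"
    # Keep the exact tag as the comment; an existing comment is kept after it.
    comment = f"# {version}" + (f" {existing_comment}" if existing_comment else "")
    return f"{m.group('prefix')}{action}@{sha} {comment}", ""


def pin_workflow(text: str) -> Tuple[str, List[str]]:
    """Rewrite every uses: line of a workflow; everything else is passed through."""
    out, notes = [], []
    for line in text.splitlines():
        new, note = pin_uses_line(line)
        out.append(new)
        if note:
            notes.append(note)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), notes


# Constructed sample workflow covering each case the rules describe.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    uses: example-org/shared-workflows/.github/workflows/build.yml@main
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000001
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: npm ci
"""

if __name__ == "__main__":
    pinned, notes = pin_workflow(SAMPLE_WORKFLOW)
    print(pinned)
    print("notes for the PR description:", notes)
```

Running the sample twice yields the same text, so the script can be re-run on a partially pinned repository without touching lines it already handled.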
Part 2: Harden Dependabot configuration (.github/dependabot.yml)
- Respect existing team decisions: Preserve any rules, schedules, ignore patterns, or reviewer assignments that humans configured. Only override them if they are critically broken or pose a security risk.
- Enable grouping: Add update grouping per ecosystem to reduce PR noise.
- Ensure all used ecosystems are covered: If the repo uses npm, pip, maven, gradle, docker, terraform, github-actions, bundler, cargo, gomod, and so on, and they are missing from the config, add them.
- Ensure the github-actions ecosystem is present.
- Ensure security patches are not blocked: open-pull-requests-limit must be greater than 0.
- Add a cooldown of 8 days to every ecosystem entry (see https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-):
  cooldown:
    default-days: 8
- Schedule interval at least weekly: Change daily to weekly unless explicitly justified.
- Check for lockfile presence: If the package manager expects a lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, Pipfile.lock, Gemfile.lock, go.sum, gradle.lockfile, Cargo.lock) and none is committed, highlight that in the PR description.
- Remove dead code: Remove ecosystem entries for unused package managers, orphaned ignore rules, and commented-out blocks.
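The hardening rules for .github/dependabot.yml and the lockfile check, as an added Python example that is not part of the task text or any stroeer tooling. It works on the already parsed config (a dict such as PyYAML would produce) so it runs offline, keeps any key it is not told to change (ignore rules, reviewers, existing cooldowns), and returns the notes the PR description asks for. The sample config, the set of ecosystems detected in the repo and the file list are constructed; the lockfile-per-ecosystem table is an assumption drawn from the lockfile list above, and pip is only checked when a pyproject.toml or Pipfile is present, since a bare requirements.txt project has no lockfile to expect.

```python
import copy
from typing import Dict, List, Set, Tuple

COOLDOWN_DAYS = 8

# Assumed mapping of Dependabot ecosystem -> lockfiles it is expected to commit.
EXPECTED_LOCKFILES: Dict[str, Tuple[str, ...]] = {
    "npm": ("package-lock.json", "yarn.lock", "pnpm-lock.yaml"),
    "pip": ("poetry.lock", "Pipfile.lock"),
    "bundler": ("Gemfile.lock",),
    "gomod": ("go.sum",),
    "gradle": ("gradle.lockfile",),
    "cargo": ("Cargo.lock",),
}


def harden_dependabot(config: dict, ecosystems_in_use: Set[str]) -> Tuple[dict, List[str]]:
    """Return a hardened copy of a parsed dependabot.yml plus notes for the PR."""
    hardened = copy.deepcopy(config)  # never mutate the caller's parsed file
    notes: List[str] = []
    hardened.setdefault("version", 2)
    wanted = set(ecosystems_in_use) | {"github-actions"}

    # Dead code: drop entries for package managers the repo does not use.
    kept = []
    for entry in hardened.get("updates", []):
        eco = entry.get("package-ecosystem")
        if eco not in wanted:
            notes.append(f"removed unused ecosystem entry: {eco}")
            continue
        kept.append(entry)
    # Coverage: add every used ecosystem (and github-actions) that is missing.
    for eco in sorted(wanted - {e.get("package-ecosystem") for e in kept}):
        kept.append({"package-ecosystem": eco, "directory": "/", "schedule": {"interval": "weekly"}})
        notes.append(f"added missing ecosystem: {eco}")
    hardened["updates"] = kept

    for entry in kept:
        eco = entry["package-ecosystem"]
        schedule = entry.setdefault("schedule", {})
        if schedule.get("interval") == "daily":
            schedule["interval"] = "weekly"
            notes.append(f"{eco}: schedule changed from daily to weekly")
        if entry.get("open-pull-requests-limit") == 0:
            # 0 blocks security updates as well; removing the key restores
            # Dependabot's default limit of 5. This is the one critical override.
            del entry["open-pull-requests-limit"]
            notes.append(f"{eco}: open-pull-requests-limit was 0, blocking security PRs; removed (critical override)")
        # Grouping: one group per ecosystem, only if the team has none configured.
        entry.setdefault("groups", {f"{eco}-dependencies": {"patterns": ["*"]}})
        if "cooldown" not in entry:
            entry["cooldown"] = {"default-days": COOLDOWN_DAYS}
        elif entry["cooldown"].get("default-days") != COOLDOWN_DAYS:
            notes.append(f"{eco}: existing cooldown {entry['cooldown']} preserved (team decision)")
    return hardened, notes


def missing_lockfiles(ecosystems_in_use: Set[str], repo_files: Set[str]) -> List[str]:
    """List ecosystems whose expected lockfile is absent from the repository root."""
    missing = []
    for eco in sorted(ecosystems_in_use):
        candidates = EXPECTED_LOCKFILES.get(eco)
        if not candidates:
            continue
        if eco == "pip" and not ({"pyproject.toml", "Pipfile"} & repo_files):
            continue  # plain requirements.txt projects carry no lockfile
        if not any(c in repo_files for c in candidates):
            missing.append(f"{eco}: none of {', '.join(candidates)} committed")
    return missing


# Constructed sample: a daily npm entry that blocks all PRs, plus a stale maven entry.
SAMPLE_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/", "schedule": {"interval": "daily"},
         "open-pull-requests-limit": 0, "ignore": [{"dependency-name": "eslint"}]},
        {"package-ecosystem": "maven", "directory": "/", "schedule": {"interval": "weekly"}},
    ],
}
SAMPLE_ECOSYSTEMS = {"npm", "docker"}
SAMPLE_FILES = {"package.json", "Dockerfile", ".github/workflows/ci.yml"}

if __name__ == "__main__":
    hardened, notes = harden_dependabot(SAMPLE_CONFIG, SAMPLE_ECOSYSTEMS)
    print(hardened)
    print("notes:", notes)
    print("missing lockfiles:", missing_lockfiles(SAMPLE_ECOSYSTEMS, SAMPLE_FILES))
```

The notes list feeds the "preserved", "overridden" and "missing lockfiles" sections the PR description requires; serialising the returned dict back to YAML (for example with PyYAML) is left to the caller.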
PR description must include
- Summary of all changes
- List of missing lockfiles, if any
- Note about preserved team rules and why
- Note about overridden rules, only if critical
PR title
🔒 Pin GitHub Actions SHAs & harden Dependabot configuration
Part 3: Configure minimum release age for package managers
To defend against supply chain attacks via newly published malicious packages, configure the package manager to refuse to install any package version published less than 8 days ago. See: https://daniakash.com/posts/simplest-supply-chain-defense/
Add the appropriate configuration for the package manager(s) used in this repo:
- npm (v11.10+): add min-release-age=8 to .npmrc
- pnpm (v10.16+): add minimumReleaseAge: 11520 to .npmrc (value in minutes)
- Yarn 4 (v4.10+): add npmMinimalAgeGate: "8d" to .yarnrc.yml
- Bun: add minimumReleaseAge = 691200 to bunfig.toml (value in seconds)
- Python/uv: add exclude-newer = "8d" to pyproject.toml
If the package manager version in use does not support this feature, note it in the PR description.