Pin GitHub Actions SHAs and harden Dependabot configuration

[Claude]

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

---

This section details on the original issue you should resolve

<issue_title>🔒 Pin GitHub Actions SHAs & harden Dependabot configuration</issue_title>
<issue_description># Bulk Task: Pin GitHub Actions SHAs & Harden Dependabot Configuration

Instructions for the model

You are given a list of repositories in the stroeer GitHub organization. For each repository:

1. Check if a PR already exists with a title containing "Pin GitHub Actions" or "harden Dependabot". If so, skip that repo and note that it was skipped.
2. Skip archived repositories and repositories with no .github/workflows/ directory.
3. For all remaining repos, create a pull request with the changes below.

Task Definition

🔒 Pin GitHub Actions SHAs & Harden Dependabot Configuration

Why this matters

Pinning GitHub Actions to full commit SHAs is a critical supply chain security measure. When workflows reference actions by tag, for example actions/checkout@v4, a compromised or hijacked tag could silently replace the action code with malicious content. By pinning to the exact commit SHA and adding a human-readable version comment, you get:

• Immutability: The SHA guarantees the exact code that runs cannot be changed after the fact.
• Auditability: The version comment, for example # v4, tells humans which version is pinned.
• Dependabot compatibility: Dependabot can still detect newer versions and propose SHA-pinned updates.

Part 1: Pin all GitHub Actions to full commit SHAs

For every .github/workflows/*.yml file:

1. Convert every uses: tag reference to a full 40-character commit SHA.
2. Append a version comment, for example: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
3. Do NOT upgrade or downgrade any action versions. Pin the exact tag already in use.
4. If an action is already SHA-pinned but missing the comment, just add the comment.
5. Do NOT pin reusable workflows referencing a branch, for example @main or @master. Leave those as-is.
6. Do not change any workflow logic, job config, step ordering, or non-uses: content.

Part 2: Harden Dependabot configuration (.github/dependabot.yml)

1. Respect existing team decisions: Preserve any rules, schedules, ignore patterns, or reviewer assignments that humans configured. Only override them if they are critically broken or pose a security risk.

2. Enable grouping: Add update grouping per ecosystem to reduce PR noise.

3. Ensure all used ecosystems are covered: If the repo uses npm, pip, maven, gradle, docker, terraform, github-actions, bundler, cargo, gomod, and so on, and they are missing from the config, add them.

4. Ensure github-actions ecosystem is present.

5. Ensure security patches are not blocked: open-pull-requests-limit must be greater than 0.

6. Add a cooldown of 8 days to every ecosystem entry https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-:

   cooldown:
     default-days: 8
   

7. Schedule interval at least weekly: Change daily to weekly unless explicitly justified.

8. Check for lockfile presence: If the package manager expects a lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, Pipfile.lock, Gemfile.lock, go.sum, gradle.lockfile, Cargo.lock) and none is committed, highlight that in the PR description.

9. Remove dead code: Remove ecosystem entries for unused package managers, orphaned ignore rules, and commented-out blocks.

PR description must include

• Summary of all changes
• List of missing lockfiles, if any
• Note about preserved team rules and why
• Note about overridden rules, only if critical

PR title

🔒 Pin GitHub Actions SHAs & harden Dependabot configuration

Part 3: Configure minimum release age for package managers

To defend against supply chain attacks via newly published malicious packages, configure the package manager to refuse installing any package version published less than 8 days ago. See: https://daniakash.com/posts/simplest-supply-chain-defense/

Add the appropriate configuration for the package manager(s) used in this repo:

• npm (v11.10+): add min-release-age=8 to .npmrc
• pnpm (v10.16+): add minimumReleaseAge: 11520 to .npmrc (value in minutes)
• Yarn 4 (v4.10+): add npmMinimalAgeGate: "8d" to .yarnrc.yml
• Bun: add minimumReleaseAge = 691200 to bunfig.toml (value in seconds)
• Python/uv: add exclude-newer = "8d" to pyproject.toml

If the package manager version in use does not support this feature, note it in the PR description.</issue_description>

Comments on the Issue (you are @claude[agent] in this section)