
sec: repo hygiene (pin actions, dependabot cooldown, postcss CVE)#18

Merged
valvesss merged 1 commit into
mainfrom
sec/repo-hygiene-batch
Jul 3, 2026

Conversation

@valvesss valvesss commented Jul 3, 2026

Contributor

Repo hygiene (semgrep + trivy). No control-plane runtime change; CI/deps/config only. Human lane because Brokk's forge can't push .github/workflows/* (its GitHub App doesn't have the workflows permission → the previous run on the action-tag card was remote-rejected on push).

| Fix | Sev | Findings |
|---|---|---|
| Pin GitHub Actions to SHA (checkout, pnpm/action-setup, setup-node, codeql init/analyze) | MED | mutable-action-tag ×6 |
| Dependabot cooldown: default-days 7 on the 2 entries | LOW | dependabot-missing-cooldown ×2 |
| postcss CVE-2026-41305: override postcss@8.4.31 -> 8.5.15 (was pinned transitively by next@15.5.19; the panel's direct dependency is already 8.5.15) | MED | trivy postcss |

Verification

  • `pnpm install --frozen-lockfile` in the panel passes; the lockfile has no resolution block for 8.4.31 (deduped to 8.5.15, the version already used by tailwind/autoprefixer in the same build).
  • Workflows pinned to SHA + `# v4`/`# v3` comment; dependabot (github-actions ecosystem already configured) keeps them up to date.

Notes

  • CI is dormant (GitHub Actions quota exhausted); the pin is still valid hygiene and prepares for re-enablement.
  • unsafe-formatstring (worker + example) and npm-missing-minimum-release-age are not included here: triaged as false positive / wontfix (see log).

🤖 Generated with Claude Code

Repo-hygiene findings from the Svalinn scan (semgrep + trivy). No control-plane
runtime change; these are CI/deps/config only. Handled in the human lane
because Brokk's forge cannot push .github/workflows/* — its GitHub App lacks the
`workflows` permission (its earlier run on the action-tag card was remote-
rejected on push).

- Pin GitHub Actions to full SHAs (semgrep github-actions-mutable-action-tag, 6
  occurrences): actions/checkout, pnpm/action-setup, actions/setup-node in
  ci.yml; actions/checkout + github/codeql-action init/analyze in codeql.yml.
  Mutable tags can be silently repointed by the action owner (supply chain).
  Dependabot's github-actions ecosystem (already configured) keeps them current.

- Dependabot cooldown (semgrep dependabot-missing-cooldown): a 7-day
  default-days on both update entries so a freshly published — possibly
  compromised — version isn't proposed until it has aged.

- postcss CVE-2026-41305 (trivy): the vulnerable postcss@8.4.31 was pinned
  transitively by next@15.5.19 (the panel's direct postcss is already 8.5.15).
  Add a pnpm override postcss@8.4.31 -> 8.5.15, deduping to the version already
  exercised by the tailwind/autoprefixer chain in this same build.

Note: CI workflows are currently dormant (GitHub Actions quota exhausted) —
pinning is still valid supply-chain hygiene and future-proofs re-enablement.

Findings: semgrep #16-21, #23-24, trivy postcss. See remediation log.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
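As an added example (not code from this PR or from the repo it touches), a small POSIX shell lint that covers the first two findings above: it flags any `uses:` step in a workflow that is not pinned to a full 40-hex commit SHA, and any Dependabot update entry that lacks a `cooldown:` block. The workflow and dependabot.yml samples are constructed inline, the SHAs are placeholders rather than real commits, and the `/panel` directory and file names are assumptions; the `# v4` trailing comment follows the convention the PR describes so Dependabot can keep bumping the pins.

```shell
#!/bin/sh
# Added example (not part of this PR or repo): two repo-hygiene lints of the kind
# semgrep flagged here, run against constructed sample files.
#   1. every third-party `uses:` in a workflow must reference a full commit SHA
#   2. every Dependabot update entry must carry a `cooldown:` block
# File names, the /panel directory and the SHA values are placeholders.

# Print the ref of every `uses:` step in a workflow file, with surrounding
# quotes and any trailing "# v4"-style comment dropped.
extract_uses() {
    awk -v q="'\"" '
        ($1 == "uses:") || ($2 == "uses:") {
            ref = ($1 == "uses:") ? $2 : $3
            gsub("[" q "]", "", ref)
            print ref
        }' "$1"
}

# Return 0 when every third-party action ref is pinned to a 40-hex commit SHA;
# otherwise print the offending refs on stderr and return 1.
# Local actions (./path) and docker:// images carry no mutable Git tag, so skip them.
check_action_pins() {
    unpinned=$(extract_uses "$1" | grep -vE '^(\./|docker://)' \
               | grep -vE '^[^@]+@[0-9a-f]{40}$' || true)
    if [ -n "$unpinned" ]; then
        printf 'unpinned action ref(s) in %s:\n%s\n' "$1" "$unpinned" >&2
        return 1
    fi
    return 0
}

# Return 0 when every `- package-ecosystem:` entry in a dependabot.yml has a
# `cooldown:` block before the next entry starts, else return 1.
check_dependabot_cooldown() {
    awk '
        /^[[:space:]]*-[[:space:]]*package-ecosystem:/ {
            if (in_entry && !has_cooldown) missing++
            in_entry = 1; has_cooldown = 0; next
        }
        /^[[:space:]]*cooldown:/ { has_cooldown = 1 }
        END {
            if (in_entry && !has_cooldown) missing++
            exit (missing > 0 ? 1 : 0)
        }' "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed "before": the shape the mutable-action-tag rule flags.
cat > "$SAMPLE_DIR/ci-unpinned.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
EOF

# Constructed "after": full SHAs with the tag kept as a comment. SHAs are placeholders.
cat > "$SAMPLE_DIR/ci-pinned.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: "pnpm/action-setup@89abcdef0123456789abcdef0123456789abcdef" # v4
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98 # v4
      - uses: ./.github/actions/local-step
EOF

# Constructed dependabot.yml without and with the 7-day cooldown on both entries.
cat > "$SAMPLE_DIR/dependabot-missing.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/panel"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
EOF

cat > "$SAMPLE_DIR/dependabot-cooldown.yml" <<'EOF'
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/panel"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
EOF

for f in ci-unpinned.yml ci-pinned.yml; do
    if check_action_pins "$SAMPLE_DIR/$f"; then echo "$f: all actions pinned"; else echo "$f: FAIL"; fi
done
for f in dependabot-missing.yml dependabot-cooldown.yml; do
    if check_dependabot_cooldown "$SAMPLE_DIR/$f"; then echo "$f: cooldown on every entry"; else echo "$f: FAIL"; fi
done
```

Run it as-is to see the unpinned and cooldown-less samples fail and the hardened ones pass; pointing the two check functions at a real `.github/` tree (for example in a pre-commit hook) gives the same signal semgrep produced here, without waiting for a full scan.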
@valvesss valvesss merged commit 5b6765c into main Jul 3, 2026
2 checks passed
@valvesss valvesss deleted the sec/repo-hygiene-batch branch July 3, 2026 15:27