From b820bdea739f2b3e74c08bf4c7934133e3e5684d Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Thu, 14 May 2026 09:32:31 +0200 Subject: [PATCH 1/4] Set dependency cooldown --- .github/dependabot.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index cdf639c15..ac84a2ea6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,9 +10,13 @@ updates: update-types: - version-update:semver-patch - version-update:semver-minor + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" schedule: interval: "daily" reviewers: - "python-discord/devops" + cooldown: + default-days: 7 From ee4d2328ec4a819a4a1d0559ee6df16a7d1173c9 Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Thu, 14 May 2026 09:33:58 +0200 Subject: [PATCH 2/4] Do not persist credentials from checkout --- .github/workflows/build-deploy.yaml | 3 +++ .github/workflows/lint-test.yaml | 2 ++ .github/workflows/sentry-release.yaml | 2 ++ .github/workflows/static-preview.yaml | 2 ++ 4 files changed, 9 insertions(+) diff --git a/.github/workflows/build-deploy.yaml b/.github/workflows/build-deploy.yaml index 1f373eb98..3fddfa312 100644 --- a/.github/workflows/build-deploy.yaml +++ b/.github/workflows/build-deploy.yaml @@ -18,6 +18,8 @@ jobs: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false # The current version (v3) of Docker's build-push action uses # buildx, which comes with BuildKit features that help us speed @@ -63,6 +65,7 @@ jobs: with: repository: python-discord/infra path: infra + persist-credentials: false - uses: azure/setup-kubectl@v5.1.0 diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index eb64539d9..93aca0ae8 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml 
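Review bot: The `cooldown` of 7 days added under both `updates` entries delays Dependabot version updates for the first ecosystem and for `github-actions` alike, so the SHA pins introduced in PATCH 4/4 will also wait a week before a re-pin PR is opened. As far as I know cooldown governs version updates only and Dependabot security updates are not held back by it, but that should be confirmed against the dependabot.yml reference before the window is relied on as a supply-chain buffer. If patch releases should flow faster than majors, `semver-patch-days` (or `exclude` for specific packages) can sit next to `default-days` instead of one flat window. Indentation is lost in this collapsed patch; each `cooldown:` key must be at the same level as its entry's `package-ecosystem` key, otherwise it silently nests under `reviewers`/`update-types` and is ignored.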
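Review bot: `persist-credentials: false` on the `actions/checkout` step deserves a one-line why-comment, because the next maintainer who needs a push step is likely to delete it; suggested comment above the new `with:` block: `# Do not leave GITHUB_TOKEN in .git/config: later steps (third-party actions, the Docker build context) must not be able to read it.` The same applies to the second checkout in this file (`repository: python-discord/infra`, hunk @@ -63) and to the hunks in lint-test.yaml, sentry-release.yaml and static-preview.yaml in this patch. Nothing visible in these hunks pushes back to a repository; if a step outside them runs `git push` or otherwise relied on the persisted token, it now needs a token passed explicitly to that step. The enclosing job definitions continue outside every one of these hunks.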
@@ -10,6 +10,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install uv uses: astral-sh/setup-uv@v7 diff --git a/.github/workflows/sentry-release.yaml b/.github/workflows/sentry-release.yaml index 175918b36..9b9aa2fc8 100644 --- a/.github/workflows/sentry-release.yaml +++ b/.github/workflows/sentry-release.yaml @@ -9,6 +9,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Create a Sentry.io release uses: getsentry/action-release@v3 diff --git a/.github/workflows/static-preview.yaml b/.github/workflows/static-preview.yaml index e19630681..93ce7428e 100644 --- a/.github/workflows/static-preview.yaml +++ b/.github/workflows/static-preview.yaml @@ -15,6 +15,8 @@ jobs: steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 From 758d1606b1da41bd789a6049385d050e3e218140 Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Thu, 14 May 2026 09:34:13 +0200 Subject: [PATCH 3/4] Prevent code injection via actions variables --- .github/workflows/static-preview.yaml | 4 +++- .github/workflows/status-embed.yaml | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/static-preview.yaml b/.github/workflows/static-preview.yaml index 93ce7428e..7beb2985f 100644 --- a/.github/workflows/static-preview.yaml +++ b/.github/workflows/static-preview.yaml @@ -50,8 +50,10 @@ jobs: run: | mkdir docker_build \ && docker run --entrypoint /bin/echo --name site \ - ghcr.io/python-discord/static-site:${{ inputs.sha-tag }} \ + ghcr.io/python-discord/static-site:${INPUTS_SHA_TAG} \ && docker cp site:/app docker_build/ + env: + INPUTS_SHA_TAG: ${{ inputs.sha-tag }} # Build directly to a local folder - name: Build Docker Image (PR) diff --git a/.github/workflows/status-embed.yaml b/.github/workflows/status-embed.yaml index f90b211b3..2f3ae223b 100644 
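Review bot: `${INPUTS_SHA_TAG}` on the new `docker run` line is expanded unquoted, so although expression injection is now closed off, a tag value containing whitespace or glob characters would still be word-split into extra arguments; write it as `ghcr.io/python-discord/static-site:"${INPUTS_SHA_TAG}" \`. The same unquoted expansion appears in status-embed.yaml's `curl ... ${GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL}` later in PATCH 3/4 and should be quoted there too. The step's `- name:` line and the rest of the `run: |` script lie outside this hunk. The `images: 'ghcr.io/python-discord/site:${{ inputs.sha-tag }}'` left in build-deploy.yaml (visible as context in PATCH 4/4) is an action input rather than a shell `run`, so it is a different risk class, but it is presumably only ever fed from `github.sha` by the calling workflow — worth confirming since that caller is not in this series.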
--- a/.github/workflows/status-embed.yaml +++ b/.github/workflows/status-embed.yaml @@ -24,7 +24,7 @@ jobs: id: pr_info if: github.event.workflow_run.event == 'pull_request' run: | - curl -s -H "Authorization: token $GITHUB_TOKEN" ${{ github.event.workflow_run.artifacts_url }} > artifacts.json + curl -s -H "Authorization: token $GITHUB_TOKEN" ${GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL} > artifacts.json DOWNLOAD_URL=$(cat artifacts.json | jq -r '.artifacts[] | select(.name == "pull-request-payload") | .archive_download_url') [ -z "$DOWNLOAD_URL" ] && exit 1 curl -sSL -H "Authorization: token $GITHUB_TOKEN" -o pull_request_payload.zip $DOWNLOAD_URL || exit 2 @@ -36,6 +36,7 @@ jobs: echo "pr_source=$(jq -r '.head.label // empty' pull_request_payload.json)" >> $GITHUB_OUTPUT env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL: ${{ github.event.workflow_run.artifacts_url }} # Send an informational status embed to Discord instead of the # standard embeds that Discord sends. This embed will contain From b68ade44785104fb4d9308f844dd69c58f2ebc42 Mon Sep 17 00:00:00 2001 From: Johannes Christ Date: Thu, 14 May 2026 09:38:44 +0200 Subject: [PATCH 4/4] Pin GitHub actions --- .github/workflows/build-deploy.yaml | 18 +++++++++--------- .github/workflows/fixup-commit-blocker.yaml | 2 +- .github/workflows/lint-test.yaml | 8 ++++---- .github/workflows/sentry-release.yaml | 4 ++-- .github/workflows/static-preview.yaml | 12 ++++++------ .github/workflows/status-embed.yaml | 2 +- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build-deploy.yaml b/.github/workflows/build-deploy.yaml index 3fddfa312..0e6ee6f1e 100644 --- a/.github/workflows/build-deploy.yaml +++ b/.github/workflows/build-deploy.yaml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false 
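Review bot: `echo "pr_source=$(jq -r '.head.label // empty' pull_request_payload.json)" >> $GITHUB_OUTPUT` in this same step still exports an unvalidated value, and the payload it reads is an artifact uploaded by the pull request's own lint-test run (PATCH 4/4's lint-test.yaml hunk shows the `Upload a Build Artifact` step), so from this `workflow_run` job's perspective its fields are not trustworthy and a value with an embedded newline would be able to set additional step outputs. Validate before exporting, for example (constructed, assumes the step runs under bash) `pr_source=$(jq -r '.head.label // empty' pull_request_payload.json); [[ "$pr_source" =~ ^[A-Za-z0-9._:/-]+$ ]] || exit 3` followed by `echo "pr_source=$pr_source" >> "$GITHUB_OUTPUT"`, and quote `"$DOWNLOAD_URL"` and `"${GITHUB_EVENT_WORKFLOW_RUN_ARTIFACTS_URL}"` in the two curl invocations. The new env entry in hunk @@ -36 is fine as written. The step begins above hunk @@ -24 (`id: pr_info` is its first visible line) and its `run: |` script continues between the two hunks.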
@@ -28,10 +28,10 @@ jobs: # # See https://github.com/docker/build-push-action - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Login to Github Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -40,7 +40,7 @@ jobs: # Build the container, including an inline cache manifest to # allow us to use the registry as a cache source. - name: Build and push - uses: docker/build-push-action@v7 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7 with: context: . file: ./Dockerfile @@ -61,22 +61,22 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: repository: python-discord/infra path: infra persist-credentials: false - - uses: azure/setup-kubectl@v5.1.0 + - uses: azure/setup-kubectl@829323503d1be3d00ca8346e5391ca0b07a9ab0d # v5.1.0 - name: Authenticate with Kubernetes - uses: azure/k8s-set-context@v5 + uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5 with: method: kubeconfig kubeconfig: ${{ secrets.KUBECONFIG }} - name: Deploy to Kubernetes - uses: Azure/k8s-deploy@v6 + uses: Azure/k8s-deploy@c7ebd0d5f39477a23f1b5dea0f52e6db04adf28e # v6 with: namespace: web manifests: | @@ -84,7 +84,7 @@ jobs: images: 'ghcr.io/python-discord/site:${{ inputs.sha-tag }}' - name: Purge Cloudflare Edge Cache - uses: jakejarvis/cloudflare-purge-action@master + uses: jakejarvis/cloudflare-purge-action@eee6dba0236093358f25bb1581bd615dc8b3d8e3 # master env: CLOUDFLARE_ZONE: 989c984a358bfcd1e9b9d188cc86c1df CLOUDFLARE_TOKEN: ${{ secrets.CLOUDFLARE_CACHE_TOKEN }} diff --git a/.github/workflows/fixup-commit-blocker.yaml b/.github/workflows/fixup-commit-blocker.yaml index ca90a3d83..f61db0f11 100644 
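Review bot: `uses: jakejarvis/cloudflare-purge-action@eee6dba0236093358f25bb1581bd615dc8b3d8e3 # master` pins a commit, but the trailing `# master` names a moving branch, so Dependabot (and anyone reading the pin) will follow whatever `master` becomes rather than a reviewed release; if the action publishes tags, pin to a tagged commit and put that tag in the comment, otherwise state in a comment that no release exists so the choice is visible. The same applies to the reusable-workflow pin `python-discord/.github/.github/workflows/block-fixup-commits.yaml@d89f1b58aa1b844ad73eec63daaabc7e7d3e9d1b # main` in fixup-commit-blocker.yaml, although that one is first-party. For every pin in this patch it is worth confirming that the SHA actually resolves to the tag given in its `# vN` comment, since a mismatch is invisible once merged and the comment is what Dependabot uses to decide which releases to propose; tooling such as pinact or frizbee can verify this mechanically. The enclosing job definitions continue outside these hunks.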
--- a/.github/workflows/fixup-commit-blocker.yaml +++ b/.github/workflows/fixup-commit-blocker.yaml @@ -10,4 +10,4 @@ concurrency: jobs: block-fixup-commits: if: github.ref != 'refs/heads/main' - uses: python-discord/.github/.github/workflows/block-fixup-commits.yaml@main + uses: python-discord/.github/.github/workflows/block-fixup-commits.yaml@d89f1b58aa1b844ad73eec63daaabc7e7d3e9d1b # main diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml index 93aca0ae8..42e93500e 100644 --- a/.github/workflows/lint-test.yaml +++ b/.github/workflows/lint-test.yaml @@ -9,12 +9,12 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 with: enable-cache: true cache-dependency-glob: "uv.lock" @@ -52,7 +52,7 @@ jobs: # This step will publish the coverage reports coveralls.io and # link the report to the commit - name: Publish Coverage Report - uses: coverallsapp/github-action@v2.3.7 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 with: github-token: ${{ secrets.GITHUB_TOKEN }} file: ./coverage.lcov @@ -78,7 +78,7 @@ jobs: - name: Upload a Build Artifact if: always() && steps.prepare-artifact.outcome == 'success' continue-on-error: true - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: path: pull_request_payload.json archive: false diff --git a/.github/workflows/sentry-release.yaml b/.github/workflows/sentry-release.yaml index 9b9aa2fc8..9329aee96 100644 --- a/.github/workflows/sentry-release.yaml +++ b/.github/workflows/sentry-release.yaml 
@@ -8,12 +8,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Create a Sentry.io release - uses: getsentry/action-release@v3 + uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3 env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} SENTRY_ORG: python-discord diff --git a/.github/workflows/static-preview.yaml b/.github/workflows/static-preview.yaml index 7beb2985f..997d8a0f0 100644 --- a/.github/workflows/static-preview.yaml +++ b/.github/workflows/static-preview.yaml @@ -14,15 +14,15 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Login to Github Container Registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -31,7 +31,7 @@ jobs: # Build the container, including an inline cache manifest to # allow us to use the registry as a cache source. - name: Build Docker Image (Main) - uses: docker/build-push-action@v7 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7 if: github.ref == 'refs/heads/main' with: context: . @@ -57,7 +57,7 @@ jobs: # Build directly to a local folder - name: Build Docker Image (PR) - uses: docker/build-push-action@v7 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7 if: github.ref != 'refs/heads/main' with: context: . 
@@ -69,7 +69,7 @@ jobs: STATIC_BUILD=TRUE - name: Upload Build - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: static-build path: docker_build/app/build/ diff --git a/.github/workflows/status-embed.yaml b/.github/workflows/status-embed.yaml index 2f3ae223b..d53fa7026 100644 --- a/.github/workflows/status-embed.yaml +++ b/.github/workflows/status-embed.yaml @@ -43,7 +43,7 @@ jobs: # more information and we can fine tune when we actually want # to send an embed. - name: GitHub Actions Status Embed for Discord - uses: SebastiaanZ/github-status-embed-for-discord@v0.3.0 + uses: SebastiaanZ/github-status-embed-for-discord@67f67a60934c0254efd1ed741b5ce04250ebd508 # v0.3.0 with: # Our GitHub Actions webhook webhook_id: '784184528997842985'