WHAT
Improve security checks to help prevent future attacks related to GitHub Actions.
WHY
To strengthen security.
HOW
Apply the recommendations from:
https://mikael.barbero.tech/blog/post/2026-03-24-stop-trusting-mutable-references/
[X] - Pin all third-party actions and reusable workflows to full commit SHAs.
[X] - Scan for unpinnable actions. Use poutine to identify actions where pinning alone does not guarantee immutability, and replace or vendor them.
[X] - Audit and minimize your action surface. Replace third-party actions with inline run: steps wherever practical.
[X] - Enable Dependabot for github-actions with a 7-day cooldown for version updates.
[X] - Add Harden-Runner in audit mode, then move selected jobs to block mode once a stable egress policy is established.
[X] - Default GITHUB_TOKEN to read-only. Elevate only where needed. Prefer OIDC over long-lived cloud secrets.
[X] - Pin Docker images by digest, not tag. Enable signature verification where available.
[X] - Lint workflows continuously with zizmor and poutine.
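As an added example (not part of this PR, the linked post, or zizmor/poutine), a small Python checker for the mutable references this checklist targets: actions and reusable workflows referenced by tag or branch instead of a full commit SHA, and Docker images referenced by tag instead of digest; it also reports whether a workflow declares a top-level permissions: block. The sample workflow, its commit SHA and its image digest are constructed placeholders.

```python
import re
# Constructed sample workflow (not the PR's own); the SHA and digest are placeholders, not real values.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
        with:
          egress-policy: audit
      - uses: actions/checkout@v4
      - uses: example-org/some-action@main
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - run: make test
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")           # full commit SHA: immutable
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")      # image digest: immutable
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")  # step `uses:` and job-level reusable-workflow `uses:`

def classify(ref: str) -> str:
    """Return 'pinned' or 'local' for immutable references, otherwise the kind of mutable reference."""
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image and DIGEST.match(image.split("@", 1)[1]):
            return "pinned"
        return "mutable-docker-tag"
    if ref.startswith("./"):
        return "local"  # action in this repository; it moves with the checked-out commit
    if "@" not in ref:
        return "missing-ref"  # GitHub rejects this form, but flag it anyway
    version = ref.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA.match(version) else "mutable-tag-or-branch"

def find_unpinned(workflow_text: str):
    """Return (line_no, ref, kind) for every `uses:` reference that is neither pinned nor local."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and (kind := classify(m.group(1))) not in ("pinned", "local"):
            findings.append((n, m.group(1), kind))
    return findings

def has_top_level_permissions(workflow_text: str) -> bool:
    """True if a top-level `permissions:` block scopes GITHUB_TOKEN explicitly."""
    return any(line.startswith("permissions:") for line in workflow_text.splitlines())
```

Images set through `container:` or `services:` keys are not covered by this regex; extend `USES_LINE` or add a second pattern if those appear in your workflows.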