From 3915c2b760fbf0d892bd6c4719b52e8e1ae06358 Mon Sep 17 00:00:00 2001 From: Rob Hague Date: Fri, 10 Apr 2026 22:03:01 +0200 Subject: [PATCH 1/2] Harden actions - Pin all action references to full SHA hashes to prevent supply chain attacks - Add top-level `permissions: contents: read` to build.yml to restrict default token scope - Set `persist-credentials: false` on all checkout steps to prevent credential leakage - Add `environment: nuget-publish` to the NuGet publish job to gate secret access - Replace tag pattern matching with `release` event trigger for NuGet publishing - Exclude dependabot and copilot branches from push triggers (covered by PR trigger) - Pin docs.yml runner to ubuntu-24.04 instead of floating ubuntu-latest - Add cooldown configuration to all Dependabot ecosystems to prevent PR flooding --- .github/dependabot.yml | 6 +++++ .github/workflows/build.yml | 51 +++++++++++++++++++++++-------------- .github/workflows/docs.yml | 14 +++++----- 3 files changed, 46 insertions(+), 25 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5c54e4dd2..5e63cb5d5 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -9,6 +9,8 @@ updates: directory: "/test/Renci.SshNet.IntegrationTests/" schedule: interval: "monthly" + cooldown: + default-days: 7 - package-ecosystem: "nuget" directory: "/" @@ -26,8 +28,12 @@ updates: dependencies: patterns: - "*" + cooldown: + default-days: 7 - package-ecosystem: "github-actions" directory: "/" schedule: interval: "monthly" + cooldown: + default-days: 7 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bd49e0600..23e6c4666 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
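Review bot: A flat `cooldown: default-days: 7` on the github-actions ecosystem also holds back the patch-level action bumps that usually carry the security fixes for the SHA-pinned actions introduced elsewhere in this patch, since the cooldown applies to every bump regardless of semver level. Dependabot's cooldown block accepts per-level keys, so `default-days: 7` together with `semver-patch-days: 1` would keep the flood protection for major and minor bumps while letting patch releases through almost immediately. My understanding is that Dependabot security updates bypass cooldown, but they only exist if security updates are enabled for the repository, which this file does not control, so that setting is worth confirming before relying on it. The same consideration applies to the two nuget ecosystems in this file.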
@@ -1,21 +1,30 @@ name: Build on: - - push - - pull_request - - workflow_dispatch + push: + branches-ignore: + - 'dependabot/**' + - 'copilot/**' + pull_request: + release: + types: [published] + workflow_dispatch: + +permissions: + contents: read jobs: Linux: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # needed for Nerdbank.GitVersioning + persist-credentials: false - name: Setup .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 - name: Build Unit Tests .NET run: dotnet build -f net10.0 test/Renci.SshNet.Tests/ @@ -48,7 +57,7 @@ jobs: test/Renci.SshNet.IntegrationTests/ - name: Archive Coverlet Results - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: Coverlet Results Linux path: coverlet @@ -57,12 +66,13 @@ jobs: runs-on: windows-2025 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # needed for Nerdbank.GitVersioning + persist-credentials: false - name: Setup .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 - name: Build Solution run: dotnet build Renci.SshNet.slnx @@ -74,7 +84,7 @@ jobs: run: dotnet pack - name: Archive NuGet Package - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: NuGet Package path: src/Renci.SshNet/bin/Release/*.*nupkg 
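Review bot: Because the new `push:` trigger defines only `branches-ignore`, GitHub's documented filter semantics mean the workflow no longer runs for tag pushes at all, so a tagged commit is only built, tested and published once a release is published for it; that is consistent with moving publishing to the `release` event, but it is an easy-to-miss consequence and also quietly closes the old tag-push path. I would make the intent explicit next to the filter: `# branches-ignore alone also excludes tag pushes; a tag is built only via the release event below`. Note that `release: types: [published]` fires for pre-releases as well, which the publish job's condition further down the file should take into account.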
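Review bot: The Linux job's Archive Coverlet Results step is pinned to `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0` while every Windows upload step in the same workflow is pinned to `b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0`, so the file now carries two major versions of the same action, which looks accidental given the commit message only speaks of pinning. Unless the split is deliberate, pin all upload steps to one SHA so Dependabot tracks a single version and reviewers can compare pins at a glance. Whether an artifact uploaded by v6 is consumed correctly by the `download-artifact@… # v7.0.0` steps in the later jobs is not something the diff shows, so a dry run of the publish path is worth doing after aligning the pins.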
@@ -108,12 +118,13 @@ jobs: runs-on: windows-2025 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # needed for Nerdbank.GitVersioning + persist-credentials: false - name: Setup .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 - name: Setup WSL2 uses: Vampire/setup-wsl@6a8db447be7ed35f2f499c02c6e60ff77ef11278 # v6.0.0 @@ -140,7 +151,7 @@ jobs: test\Renci.SshNet.IntegrationTests\ - name: Archive Coverlet Results - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: Coverlet Results Windows .NET Framework path: coverlet @@ -150,12 +161,13 @@ jobs: runs-on: windows-2025 steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 # needed for Nerdbank.GitVersioning + persist-credentials: false - name: Setup .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 - name: Setup WSL2 uses: Vampire/setup-wsl@6a8db447be7ed35f2f499c02c6e60ff77ef11278 # v6.0.0 @@ -182,7 +194,7 @@ jobs: test\Renci.SshNet.IntegrationTests\ - name: Archive Coverlet Results - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: Coverlet Results Windows .NET path: coverlet @@ -200,7 +212,7 @@ jobs: - Windows-Integration-Tests-Net steps: - name: Download NuGet Package - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: NuGet Package 
@@ -219,7 +231,8 @@ jobs: Publish-NuGet-Package: name: Publish NuGet Package runs-on: ubuntu-24.04 - if: startsWith(github.event.ref, 'refs/tags/20') + if: github.event_name == 'release' + environment: nuget-publish permissions: id-token: write needs: @@ -229,12 +242,12 @@ jobs: - Windows-Integration-Tests-Net steps: - name: Download NuGet Package - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: NuGet Package - name: NuGet login (OIDC → temp API key) - uses: NuGet/login@v1 + uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544 # v1.1.0 id: login with: user: ${{ secrets.NUGET_USER }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 85c71df84..cbea1d8cb 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -19,16 +19,18 @@ jobs: environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Setup Pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Setup .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 - name: Setup docfx run: dotnet tool update -g docfx @@ -37,10 +39,10 @@ jobs: run: docfx ./docfx/docfx.json - name: Upload documentation - uses: actions/upload-pages-artifact@v4 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: './docfx/_site' - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 From f58945cb294caae77d2aaac19600ea2176d95fc1 Mon Sep 17 00:00:00 2001 
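Review bot: The new `if: github.event_name == 'release'` drops the previous `startsWith(github.event.ref, 'refs/tags/20')` constraint without replacing it, so any published release, including a pre-release or one cut on an arbitrary tag by anyone with write access, now reaches the publish job; the added `environment: nuget-publish` only compensates if that environment actually has required reviewers or a deployment tag policy configured in repository settings, which this diff cannot show. I would keep a tag-shape check in the workflow as defence in depth: `if: github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.event.release.tag_name, '20')`. It is also worth a comment on the job-level `permissions: id-token: write` that it replaces the workflow-level `contents: read` for this job entirely, which is fine today since the job only downloads an artifact, but will surprise whoever adds a checkout step here later.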
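Review bot: The Setup docfx step, `run: dotnet tool update -g docfx`, still installs whatever docfx version NuGet serves at run time, so after this commit it is the one unpinned piece of build tooling left in the docs pipeline, and it runs inside the job that deploys to the `github-pages` environment; the job header and its `permissions:` block begin above this hunk, so I cannot see what the token can do there. If the goal is to close supply-chain gaps, pin it as well, e.g. `run: dotnet tool update -g docfx --version <chosen version>`, and bump it manually or via a Dependabot nuget manifest, since the github-actions ecosystem cannot track it. The runner pin and `persist-credentials: false` added in this hunk look correct.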
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 21:05:21 +0000 Subject: [PATCH 2/2] Bump the dependencies group with 9 updates Bumps coverlet.collector from 6.0.4 to 8.0.1 Bumps coverlet.msbuild from 6.0.4 to 8.0.1 Bumps GitHubActionsTestLogger from 3.0.1 to 3.0.3 Bumps Meziantou.Analyzer from 3.0.18 to 3.0.44 Bumps Microsoft.Bcl.Cryptography from 10.0.3 to 10.0.5 Bumps Microsoft.Extensions.Logging.Console from 10.0.3 to 10.0.5 Bumps SonarAnalyzer.CSharp from 10.20.0.135146 to 10.22.0.136894 Bumps System.Formats.Asn1 from 10.0.3 to 10.0.5 Bumps Testcontainers from 4.10.0 to 4.11.0 --- updated-dependencies: - dependency-name: coverlet.collector dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: coverlet.msbuild dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: dependencies - dependency-name: GitHubActionsTestLogger dependency-version: 3.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Meziantou.Analyzer dependency-version: 3.0.44 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Microsoft.Bcl.Cryptography dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Microsoft.Extensions.Logging.Console dependency-version: 10.0.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: SonarAnalyzer.CSharp dependency-version: 10.22.0.136894 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: System.Formats.Asn1 dependency-version: 10.0.5 dependency-type: 
direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: Testcontainers dependency-version: 4.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] --- Directory.Packages.props | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 8991d83e0..2b3c666ff 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -6,22 +6,22 @@ - - - - + + + + - + - + - + - - + +