Harden CI

[maennchen]

What’s changed

• Actions pinned to commit SHAs – Every third-party Action reference now points to an immutable Git commit instead of a moving tag.
• Least-privilege permissions – The workflow’s top-level token is limited to contents:read; individual jobs elevate only to the scopes they actually need (e.g., contents:write).

Why it matters

Pinning Actions guards against supply-chain attacks and unexpected upstream changes, giving us deterministic, auditable builds. Restricting the default token to read-only follows GitHub’s least-privilege guidance, reducing the blast radius if a job is ever compromised while still allowing specific jobs to perform their required tasks.

[SteffenDE]

Thank you! Can we get dependabot to send PRs for updating actions?

[maennchen]

That’s already set up:

phoenix/.github/dependabot.yml

Line 4 in 2d945b8

- package-ecosystem: "github-actions"

Dependabot understands the sha / comment combo and will update both at the same time.

[maennchen]

Elixir Example: elixir-lang/elixir#14537

[Gazler]

Thanks <3

[maennchen]

Btw for anybody wanting to do the same to their project: I used this tool to generate the changes: https://app.stepsecurity.io/secure-workflow (minus the step-security/harden-runner part)