Skip to content

Supply chain hardening#161

Merged
piceri merged 1 commit into
mainfrom
supply-chain-hardening
Jun 11, 2026
Merged

Supply chain hardening#161
piceri merged 1 commit into
mainfrom
supply-chain-hardening

Conversation

@piceri

@piceri piceri commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

This change adds some minor changes to improve supply chain security.

  • goflags (GOFLAGS: -mod=readonly)
  • dependabot cooldowns of 3 days and grouping

GitHub Advanced Security started work on behalf of piceri June 9, 2026 20:40 View session
GitHub Advanced Security finished work on behalf of piceri June 9, 2026 20:41
@piceri piceri marked this pull request as ready for review June 9, 2026 21:10
@piceri piceri requested review from a team and jkbschmid as code owners June 9, 2026 21:10
Copilot AI review requested due to automatic review settings June 9, 2026 21:10

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repo’s automation against unintended Go module file changes and reduces Dependabot update churn by introducing a minimum “cooldown” period before updates are proposed.

Changes:

  • Set GOFLAGS: -mod=readonly in Go-based GitHub Actions workflows (lint, build, integration tests).
  • Add Dependabot cooldown.default-days: 3 to delay updates until versions are at least 3 days old.
  • Add Dependabot grouping for Docker minor/patch updates (in addition to the cooldown).
Show a summary per file
File Description
.github/workflows/lint.yml Enforces -mod=readonly during lint workflow execution.
.github/workflows/integrationtests.yaml Enforces -mod=readonly during integration test workflow execution.
.github/workflows/build.yml Enforces -mod=readonly for runner-based Go build/test jobs (but not Dockerfile-contained Go commands).
.github/dependabot.yml Adds a 3-day cooldown across ecosystems; also introduces Docker update grouping for minor/patch.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 2

Comment thread .github/workflows/build.yml
Comment thread .github/dependabot.yml
@piceri piceri merged commit 1cd7552 into main Jun 11, 2026
11 checks passed
@piceri piceri deleted the supply-chain-hardening branch June 11, 2026 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants