Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address a few security updates #91

Merged
merged 3 commits into from
Feb 26, 2025
Merged

Address a few security updates #91

merged 3 commits into from
Feb 26, 2025

Conversation

bsweger
Copy link
Collaborator

@bsweger bsweger commented Feb 25, 2025
edited
Loading

This PR:

  1. fixes a dependency vulnerability flagged by Dependabot
  2. adds a CODEOWNERS file to ensure GitHub workflow updates are reviewed by at least one member of the lab's "repo writers" team
  3. introduces Dependabot dependency scanning for the repo's GitHub actions (and sets a few third-party actions to commit hashes of older releases to see if Dependabot will flag them, since the docs are unclear about that....related Slack thread)

It can be reviewed commit by commit to isolate the above changes

@bsweger
Add a CODEOWNERS file github workflows
85b69a6 
This is a security precaution as recommended by GitHub
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-codeowners-to-monitor-changes
@bsweger
Address vuln in cryptography package
9afcd59 
Flagged by dependabot:
https://github.com/reichlab/cladetime/security/dependabot/12
@bsweger
Add dependabot dependency scanning for GitHub actions
77c6533 
This commmit also switches a few third-party actions specifying versions
via commit hash instead of tag (per security recommendations).

The commit hashes tag slightly older version of the actions so we can
verify whether or not dependabot will flag them as outdated (the docs
are not clear on this matter).
lshandross
lshandross approved these changes Feb 25, 2025
View reviewed changes
Copy link
Collaborator

@lshandross lshandross left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, with one question: if Dependabot does flag the hashes of older releases, will there be any changes made?

@bsweger
Copy link
Collaborator Author

bsweger commented Feb 26, 2025

LGTM, with one question: if Dependabot does flag the hashes of older releases, will there be any changes made?

Nope--I think it will open a PR if it finds any outdated dependencies, but it won't make any direct changes to the code.

@bsweger bsweger merged commit 1cff07c into main Feb 26, 2025
6 checks passed
@bsweger bsweger deleted the bs/security-updates/90 branch February 26, 2025 00:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lshandross lshandross lshandross approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bsweger @lshandross