
🔒 Pin GitHub Actions SHAs & harden Dependabot configuration #5

@saefty

Description

Bulk Task: Pin GitHub Actions SHAs & Harden Dependabot Configuration

Instructions for the model

You are given a list of repositories in the stroeer GitHub organization. For each repository:

  1. Check if a PR already exists with a title containing "Pin GitHub Actions" or "harden Dependabot". If so, skip that repo and note that it was skipped.
  2. Skip archived repositories and repositories with no .github/workflows/ directory.
  3. For all remaining repos, create a pull request with the changes below.

Task Definition

🔒 Pin GitHub Actions SHAs & Harden Dependabot Configuration

Why this matters

Pinning GitHub Actions to full commit SHAs is a critical supply chain security measure. When workflows reference actions by tag, for example actions/checkout@v4, a compromised or hijacked tag could silently replace the action code with malicious content. By pinning to the exact commit SHA and adding a human-readable version comment, you get:

  • Immutability: The SHA guarantees the exact code that runs cannot be changed after the fact.
  • Auditability: The version comment, for example # v4, tells humans which version is pinned.
  • Dependabot compatibility: Dependabot can still detect newer versions and propose SHA-pinned updates.

Part 1: Pin all GitHub Actions to full commit SHAs

For every .github/workflows/*.yml file:

  1. Convert every uses: tag reference to a full 40-character commit SHA.
  2. Append a version comment, for example: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
  3. Do NOT upgrade or downgrade any action versions. Pin the exact tag already in use.
  4. If an action is already SHA-pinned but missing the comment, just add the comment.
  5. Do NOT pin reusable workflows referencing a branch, for example @main or @master. Leave those as-is.
  6. Do not change any workflow logic, job config, step ordering, or non-uses: content.
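
The following is an added illustration, not part of the original task text: a small Python checker that classifies every uses: reference in a workflow file according to rules 1, 4 and 5 above (tag reference that needs a SHA, SHA pin missing its version comment, branch reference to leave alone). The sample workflow is constructed; the checkout SHA is the one quoted in the task, while the setup-node SHA and the example-org reusable workflow are placeholders.

```python
import re

# Matches the `uses: owner/repo@ref # comment` form; the leading "- " is
# optional because `uses:` also appears directly under reusable-workflow jobs.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)(?:\s+#(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BRANCH_REFS = {"main", "master"}  # rule 5: reusable workflows on a branch are left alone

def classify_uses(line):
    """Return (status, ref) for a `uses:` line, or None for any other line."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref").strip("\"'")
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return ("skip", ref)  # local action, container image or no ref: nothing to pin
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        # rule 4: already pinned, but the human-readable version comment may be missing
        return ("pinned" if (m.group("comment") or "").strip() else "pinned-missing-comment", ref)
    if version in BRANCH_REFS:
        return ("branch-leave-as-is", ref)
    return ("needs-sha-pin", ref)  # rule 1: tag reference that must become a 40-char SHA

def audit_workflow(text):
    """Group every `uses:` reference in a workflow file by the action it needs."""
    findings = {}
    for line in text.splitlines():
        result = classify_uses(line)
        if result:
            findings.setdefault(result[0], []).append(result[1])
    return findings

# Constructed sample workflow. The checkout SHA is the one from the task text;
# the setup-node SHA and the example-org reusable workflow are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: actions/cache@v4
      - uses: ./.github/actions/local-step
  deploy:
    uses: example-org/shared-workflows/.github/workflows/deploy.yml@main
"""

if __name__ == "__main__":
    for status, refs in sorted(audit_workflow(SAMPLE_WORKFLOW).items()):
        print(f"{status}: {refs}")
```

Running it over a repository's .github/workflows/*.yml files gives the list of references a pinning PR must touch, and the "branch-leave-as-is" and "skip" buckets show what it must leave unchanged.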

Part 2: Harden Dependabot configuration (.github/dependabot.yml)

  1. Respect existing team decisions: Preserve any rules, schedules, ignore patterns, or reviewer assignments that humans configured. Only override them if they are critically broken or pose a security risk.

  2. Enable grouping: Add update grouping per ecosystem to reduce PR noise.

  3. Ensure all used ecosystems are covered: If the repo uses npm, pip, maven, gradle, docker, terraform, github-actions, bundler, cargo, gomod, and so on, and they are missing from the config, add them.

  4. Ensure github-actions ecosystem is present.

  5. Ensure security patches are not blocked: open-pull-requests-limit must be greater than 0.

  6. Add a cooldown of 8 days to every ecosystem entry (reference: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown-):

    cooldown:
      default-days: 8

  7. Schedule interval at least weekly: Change daily to weekly unless explicitly justified.

  8. Check for lockfile presence: If the package manager expects a lockfile (package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, Pipfile.lock, Gemfile.lock, go.sum, gradle.lockfile, Cargo.lock) and none is committed, highlight that in the PR description.

  9. Remove dead code: Remove ecosystem entries for unused package managers, orphaned ignore rules, and commented-out blocks.

PR description must include

  • Summary of all changes
  • List of missing lockfiles, if any
  • Note about preserved team rules and why
  • Note about overridden rules, only if critical

PR title

🔒 Pin GitHub Actions SHAs & harden Dependabot configuration

Metadata

Assignees

No one assigned

Labels

dependabot-hardening (Tracking: Dependabot hardening + GitHub Actions SHA pinning)