Skip to content

Improves repo security#1785

Merged
Adam-it merged 1 commit into
pnp:devfrom
Adam-it:improves-security-in-pipelines
Jun 26, 2026
Merged

Improves repo security#1785
Adam-it merged 1 commit into
pnp:devfrom
Adam-it:improves-security-in-pipelines

Conversation

@Adam-it

@Adam-it Adam-it commented Jun 24, 2026

Copy link
Copy Markdown
Member

🎯 Aim

The aim of this PR is to improve repo security by:

  • Adds a missing SECURITY policy file that explains how repo/product vulnerabilities should be reported in private rather than in public
  • Adds dependabot 7 days cooldown to prevent rapid supply chain attacks
  • Adds timeouts to all workflows
  • Updates the build and test workflow to run tests from PR branch - till now it checked tests that were on dev branch for every PR
  • Adds minimal GH token permissions to each workflow
  • GH actions pinned by SHA tag to commit not by version tag

@gautamdsheth

Copy link
Copy Markdown
Collaborator

@Adam-it - LGTM , merge it at your convenience. Just wondering how we can handle updates to these ? Does dependabot handle it ?

@Adam-it

Adam-it commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

@Adam-it - LGTM , merge it at your convenience. Just wondering how we can handle updates to these ? Does dependabot handle it ?

Yes, dependabot will update the SHA of te commit of the next v release of GH actions

@Adam-it Adam-it force-pushed the improves-security-in-pipelines branch from a853196 to 86e34ed Compare June 26, 2026 20:25
@Adam-it Adam-it merged commit 7c7ada2 into pnp:dev Jun 26, 2026
2 checks passed
@Adam-it Adam-it deleted the improves-security-in-pipelines branch June 26, 2026 20:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants