CI/CD Supply Chain Hardening

[homelabforge]

What changed

All GitHub Actions workflow references have been pinned to full-length commit SHAs instead of mutable version tags. Additionally:

• permissions: contents: read added to CI workflows (previously defaulted to broad write-all)
• Branch protection enabled on main with required status checks (Backend Tests, Frontend Tests, E2E Tests, Docker Build Test, API Types Freshness, CodeQL Analyze, Security Scan Summary)
• sha_pinning_required enabled at the repo level — GitHub now rejects any workflow run that references actions by tag

Why

The Trivy supply chain attack (March 2026) demonstrated how tag-based action references can be weaponized. An attacker force-pushes a tag on an action repo, and every downstream CI run executes their code with whatever permissions the workflow grants — including GHCR push access.

This project had 17 tag-based action references across 5 workflow files and zero SHA pins. All of them are now pinned.

What this means going forward

• Dependabot will automatically propose SHA updates via the github-actions ecosystem (monthly)
• Any PR that introduces a tag-based action reference (e.g. @v6 instead of @sha) will be rejected by GitHub before CI even runs
• Branch protection ensures gh pr merge --auto (used by Dependabot auto-merge) actually waits for CI to pass before merging