Skip to content

Harden CI supply chain settings#49

Merged
vic merged 5 commits into
masterfrom
chore/supply-chain-hardening-stacked
May 26, 2026
Merged

Harden CI supply chain settings#49
vic merged 5 commits into
masterfrom
chore/supply-chain-hardening-stacked

Conversation

@k-asm
Copy link
Copy Markdown
Collaborator

@k-asm k-asm commented May 24, 2026

Changes

  • Pin actions/checkout and erlef/setup-beam to commit SHAs.
  • Update actions/checkout to v6.0.2.
  • Restrict the workflow GITHUB_TOKEN to contents: read.
  • Fetch only test dependencies with mix deps.get --check-locked --only test.
  • Tighten the dev-only ex_doc requirement to ~> 0.34.

Stacked on #48. No new workflows or CI jobs are added.

@k-asm k-asm mentioned this pull request May 24, 2026
Merged
k-asm added 3 commits May 26, 2026 12:07
@k-asm
chore: replace deprecated xref exclude with elixirc_options
800afe3
@k-asm
ci: update runner to ubuntu-24.04 and refresh test matrix
20637ec 
- ubuntu-20.04 runner image was removed from GitHub Actions in April 2025
- Add Elixir 1.19 (latest stable) and move lint target to 1.19 + OTP 28
- Drop Elixir 1.12, 1.13, 1.14 (no longer in security support upstream)
- Drop OTP < 24.3 since they are not provided on ubuntu-22.04/24.04
@k-asm
chore: bump minimum Elixir version to 1.15
0bb8a58 
Align the supported Elixir version with what the CI matrix actually tests.
Elixir < 1.15 is no longer in security support upstream and is not
exercised by CI.
@k-asm k-asm force-pushed the fix/deprecate-xref-exclude branch from e5dfaa3 to 0bb8a58 Compare May 26, 2026 03:08
@k-asm k-asm force-pushed the chore/supply-chain-hardening-stacked branch from fcef224 to c3a2d40 Compare May 26, 2026 03:09
Base automatically changed from fix/deprecate-xref-exclude to master May 26, 2026 03:37
@k-asm k-asm marked this pull request as ready for review May 26, 2026 03:41
@k-asm
Copy link
Copy Markdown
Collaborator Author

k-asm commented May 26, 2026

@vic #48 has been merged — thank you for the quick review!
Could you take a look at this one when you have a moment?

vic
vic reviewed May 26, 2026
View reviewed changes
Comment thread .github/workflows/ci.yml
@vic vic merged commit d451fb2 into master May 26, 2026
20 checks passed
@k-asm
Copy link
Copy Markdown
Collaborator Author

k-asm commented May 26, 2026

Thanks!

@k-asm k-asm deleted the chore/supply-chain-hardening-stacked branch May 26, 2026 05:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vic vic vic approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@k-asm @vic