ci: pin dependencies to immutable refs and enable dependabot by kgiusti · Pull Request #230 · fido-device-onboard/go-fdo-server

kgiusti · 2026-05-08T19:39:43Z

Pin all GitHub Actions to commit SHAs and Dockerfile base images to digests per OpenSSF Scorecard pinned-dependencies requirements. Standardize action versions across workflows and update all Go module dependencies to latest.

pin 14 GitHub Actions by commit SHA across 5 workflow files
standardize actions/checkout to v6.0.2 and actions/setup-go to v6.4.0
pin golang:1.26-alpine and alpine:3.23 by digest in Dockerfile
add .github/dependabot.yml for automated weekly updates
add dependency-review workflow for PR vulnerability scanning
update all Go module dependencies to latest versions

Closes #226

Assisted-by: Claude:claude-opus-4-6

gemini-code-assist

Code Review

This pull request introduces a Dependabot configuration and updates project dependencies, the Go version, and Docker base images. However, the reviewer identified several critical issues regarding hallucinated or non-existent versions. Specifically, the Go version (1.26), Alpine version (3.23), and several Go module versions (such as cobra v1.10.2 and viper v1.21.0) are invalid and will cause build failures.

github-actions · 2026-05-08T20:08:35Z

go-test-coverage report

Total test coverage: 71.0% (2221/3126)

Test coverage has changed in the current files, with 89 lines missing coverage.
  file:					uncovered:	current coverage:	base coverage:
  internal/config/manufacturer.go	 51		62.5% (35/56)		64.3% (36/56)
  internal/config/rendezvous.go		 15		53.8% (7/13)		61.5% (8/13)
  internal/state/rvblob.go		 23		76.9% (30/39)		74.4% (29/39)

knecasov

I added comments.

Pin all GitHub Actions to commit SHAs and Dockerfile base images to digests per OpenSSF Scorecard pinned-dependencies requirements. Standardize action versions across workflows and update all Go module dependencies to latest. - pin 14 GitHub Actions by commit SHA across 5 workflow files - standardize actions/checkout to v6.0.2 and actions/setup-go to v6.4.0 - pin golang:1.26-alpine and alpine:3.23 by digest in Dockerfile - add .github/dependabot.yml for automated weekly updates - add dependency-review workflow for PR vulnerability scanning - update all Go module dependencies to latest versions Closes fido-device-onboard#226 Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Kenneth Giusti <kgiusti@redhat.com>

knecasov

I added some comments.

knecasov

LGTM, thank you very much for the changes!

kgiusti requested review from djach7, knecasov, mmartinv, pcdubs and sarmahaj May 8, 2026 19:39

gemini-code-assist Bot reviewed May 8, 2026

View reviewed changes

Comment thread go.mod

Comment thread Dockerfile

Comment thread Dockerfile

kgiusti linked an issue May 8, 2026 that may be closed by this pull request

ci: align action versions across workflows #219

Open