
feat: supply chain hardening — SHA pinning, allowlists, dependency locking #26

@ms280690

Description


Context

Track: B — Org/infrastructure governance
Pillar: 1 — Supply Chain & Dependency Hardening
Parent: (see GitHub Actions platform security parent)

Why this matters

CI/CD pipelines are high-value targets. A compromised action at @v2 can exfiltrate secrets, inject code, or pivot to cloud infrastructure. The attack surface is not hypothetical — tj-actions/changed-files (35,000+ repos) was compromised in 2024 and used to exfiltrate secrets via workflow logs.

Three controls

1. SHA pinning (immediate, per workflow)

All action references in sparkgeo/github-actions workflows must use full 40-character commit SHAs. See authoring standards (#25) for the per-workflow rule. This issue covers the org-level enforcement policy that prevents non-pinned workflows from being called.

Tooling: Renovate packageRules (renovate.json) that rewrite tag references to pinned commit digests; automerge stays off so every pin PR is reviewed:

{
  "packageRules": [
    {
      "matchManagers": ["github-actions"],
      "pinDigests": true,
      "automerge": false
    }
  ]
}

2. Org action allowlist

Configure at: Org Settings → Actions → General → Allow actions created by:

Recommended policy:

  • ✅ Actions created by GitHub
  • ✅ Actions by Verified Creators
  • ✅ Specified actions/workflows (add approved third-party actions explicitly)
  • ❌ All actions (disable)

Maintain an approved third-party actions list in this repo at docs/approved-actions.md. Any new action used in a workflow must be added to this list with a security review note before the workflow PR is merged.
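As an added example (not code from the sparkgeo/github-actions repo or from this issue), a small Python check that enforces controls 1 and 2 together on a workflow file: every `uses:` reference must end in a 40-hex commit SHA, and its owner/repo must appear in the approved list. The sample workflow and the APPROVED set are constructed; in practice the set would be read from docs/approved-actions.md.

```python
import re

# Constructed sample workflow; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-tool
      - uses: docker://alpine:3.20
"""

# Constructed approved list; the issue keeps this in docs/approved-actions.md.
APPROVED = {"actions/checkout", "actions/setup-python"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(ref, approved=APPROVED):
    """Return findings for one `uses:` reference (empty list means it passes).

    Local actions (./path) and docker:// images are out of scope here.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return []
    repo_path, sep, version = ref.partition("@")
    repo = "/".join(repo_path.split("/")[:2])  # owner/repo, drop any subpath
    findings = []
    if not sep or not SHA_RE.match(version):
        findings.append(f"{ref}: not pinned to a 40-hex commit SHA")
    if repo not in approved:
        findings.append(f"{ref}: {repo} is not in the approved actions list")
    return findings


def lint_workflow(text, approved=APPROVED):
    """Scan workflow YAML text line by line and collect every finding."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            findings.extend(check_uses(m.group(1), approved))
    return findings


if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print("FAIL", finding)
```

A SHA pin only guarantees immutability of the referenced commit; the approved-list check is what ties the pin to a reviewed action, which is why the two controls are enforced together.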

3. Native workflow dependency locking (dependencies: block)

GitHub's 2026 Security Roadmap introduces a native dependencies: block in workflow YAML. It operates like a lockfile (go.sum, package-lock.json) for both direct and transitive action dependencies: execution halts before any job runs if a dependency hash does not match the lock.

# Future syntax — adopt when available (2026 roadmap)
dependencies:
  actions/checkout:
    version: "11bd71901bbe5b1630ceea73d27597364c9af683"
    hash: "sha256:abc123..."
  actions/setup-python:
    version: "...sha..."
    hash: "sha256:def456..."

Track the GitHub roadmap announcement and adopt this when it reaches GA.

Acceptance criteria
