fix(v0.19.1): supply-chain hardening remainder — ci.yml SHA-pin + dependabot + bun.lock placeholder
Follow-up to c27b626 (release.yml pinning). Finishes H4 + H5.
ci.yml:
- 11 third-party actions SHA-pinned with # vN.m.k comments
- actions/checkout@34e114876b... (v4.3.1)
- actions/setup-node@49933ea5288... (v4.4.0)
- dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
- Swatinem/rust-cache@c19371144... (v2.9.1)
.github/dependabot.yml (NEW):
- 3 ecosystems weekly: github-actions, npm, cargo
- PR cap 5, labels [dependencies, <ecosystem>]
- Auto-opens update PRs for SHA bumps — human reviews, not silent churn
_ts_packages/packages/mcp-server/bun.lock (NEW — placeholder):
- 13-line comment explaining H4 gate
- Instructs: 'cd _ts_packages/packages/mcp-server && bun install' before release
- release.yml (since v0.19.1) uses --frozen-lockfile with NO fallback —
missing real lockfile fails the build deliberately
BUILD.md:
- New 'Lockfile' section (19 LOC) documenting the pre-release workflow
CHANGELOG.md:
- [Unreleased] → Security: 3 bullets covering this + prior supply-chain commit
All SHAs E1 (verified via api.github.com or reused from release.yml).
NEXT STEP BEFORE TAGGING v0.19.1:
Populate real bun.lock locally, commit, then tag. Workflow will fail
on missing/stale lockfile — that's the point of H4 defense.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ca046e61c1