
ci: harden GitHub Actions workflows#57

Merged
flavorjones merged 7 commits into master from harden-github-actions
Mar 20, 2026

Conversation

@flavorjones
Member

Summary

  • Add zizmor and actionlint CI job
  • Configure dependabot with batched updates and cooldown periods
  • Pin all GitHub Actions to SHA hashes
  • Suppress unpinned-images for service containers
  • Fix excessive-permissions and artipacked findings
  • Scope all permissions to job-level

Test plan

  • CI passes (lint-actions job runs clean)
  • Existing test jobs unaffected

🤖 Generated with Claude Code
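
What the bullets in the summary above amount to in a single workflow file, as an added example written for this page and not the repository's own .github/workflows/build.yml (the actual file is not reproduced here). It assumes a Ruby project tested with bundle exec rake test against a Postgres service container, installs actionlint with go install and runs zizmor through pipx (other install routes exist), and pins actions/checkout to the commit that tag v4.2.2 resolves to; confirm any SHA you copy with git ls-remote against the upstream tag, and keep the tag in a trailing comment so Dependabot can bump the hash and the comment together.

```yaml
# Illustrative build.yml, not the project's file.
name: build

on:
  push:
    branches: [master]
  pull_request:

# Workflow-level default: no GITHUB_TOKEN scopes at all.
# Every job must opt in to exactly what it needs.
permissions: {}

jobs:
  lint-actions:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Pinned to a full commit SHA rather than a movable tag. The tag is kept
      # as a comment for humans and for Dependabot. Verify the hash with:
      #   git ls-remote https://github.com/actions/checkout refs/tags/v4.2.2
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not write GITHUB_TOKEN into .git/config, where any later step
          # (or a malicious dependency) could read it back.
          persist-credentials: false
      - name: actionlint
        run: |
          go install github.com/rhysd/actionlint/cmd/actionlint@latest
          "$(go env GOPATH)/bin/actionlint" -color
      - name: zizmor
        run: pipx run zizmor .github/workflows

  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      postgres:
        # zizmor's unpinned-images audit wants a digest here; the PR accepted
        # a version tag for throwaway CI service containers and suppressed
        # the finding inline on the offending line.
        image: postgres:16 # zizmor: ignore[unpinned-images]
        env:
          POSTGRES_PASSWORD: postgres # assumed throwaway CI credential
        ports: ["5432:5432"]
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false
      - run: bundle install
      - run: bundle exec rake test
        env:
          DATABASE_URL: postgres://postgres:postgres@localhost:5432/postgres
```

With permissions: {} at the top, a job that forgets to declare permissions gets a token with no scopes and fails loudly rather than silently running with the repository default, which is the behaviour you want when a new job is added later. The persist-credentials: false setting is what closes the artipacked finding: without it, a job that uploads the working tree (or any step that reads .git/config) leaks the job token.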

Copilot AI review requested due to automatic review settings March 20, 2026 20:26

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s CI by scoping GitHub Actions permissions, pinning action dependencies, and adding automated workflow auditing plus Dependabot configuration.


Changes:

  • Add workflow-level permissions: {} and job-level least-privilege permissions, plus disable checkout credential persistence.
  • Introduce a new lint-actions job that runs actionlint and zizmor.
  • Add .github/dependabot.yml to manage GitHub Actions and Bundler updates (with grouping and pacing configuration).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File | Description
.github/workflows/build.yml | Pins actions to SHAs, scopes permissions, adds workflow auditing, and annotates service container image pinning exceptions.
.github/dependabot.yml | Adds Dependabot configuration for GitHub Actions and Bundler dependencies.

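The "grouping and pacing configuration" the review above refers to, as an added example and not the repository's actual .github/dependabot.yml. The weekly interval, group names and cooldown lengths are assumptions chosen for illustration; the keys themselves (groups, patterns, cooldown, default-days, semver-major-days) are Dependabot's.

```yaml
# Illustrative dependabot.yml, not the project's file.
version: 2
updates:
  # Keeps the SHA pins in the workflows current. Dependabot rewrites the
  # commit hash and the trailing "# vX.Y.Z" comment together.
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    # One PR for all action bumps instead of one PR per action.
    groups:
      actions:
        patterns: ["*"]
    # Do not propose a release until it has been public for N days, so a
    # compromised or yanked tag has time to be noticed upstream first.
    cooldown:
      default-days: 7

  - package-ecosystem: bundler
    directory: /
    schedule:
      interval: weekly
    groups:
      gems:
        patterns: ["*"]
    cooldown:
      default-days: 7
      # Major bumps get a longer wait; they are the ones most likely to
      # need a human to read the changelog anyway.
      semver-major-days: 14
```

Grouping is what makes SHA pinning sustainable: without it, every pinned action produces its own weekly PR. The cooldown is the supply-chain control; the batching only keeps the review load down.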

flavorjones and others added 6 commits March 20, 2026 16:46
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
… cooldowns

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Digest pinning for container images is nontrivial and version tags are
acceptable for CI service containers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Set permissions: {} at workflow level and scope contents: read per job.
Add persist-credentials: false to all checkout steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Digest pinning for container images is nontrivial and version tags are
acceptable for CI service containers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@flavorjones flavorjones force-pushed the harden-github-actions branch from 716eb16 to 876f986 Compare March 20, 2026 20:46
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 20, 2026 20:56

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.



@flavorjones flavorjones merged commit 98c0998 into master Mar 20, 2026
12 checks passed