Skip to content

[8.x] Harden GitHub Actions workflows#1270

Merged
duncanmcclean merged 3 commits into
8.xfrom
zizmor
May 25, 2026
Merged

[8.x] Harden GitHub Actions workflows#1270
duncanmcclean merged 3 commits into
8.xfrom
zizmor

Conversation

@duncanmcclean

Copy link
Copy Markdown
Owner

This pull request hardens our GitHub Actions workflows against supply chain attacks and follows security best practices.

Changes:

  • Added 7-day Dependabot cooldown for GitHub Actions
  • Added permissions: {} at root level and job-level scoped permissions across all workflows
  • Added persist-credentials: false on all checkout steps (except pint-fix which needs to commit)
  • Added concurrency controls to all workflows
  • Replaced archived actions/create-release and actions/upload-release-asset with gh CLI in release workflow
  • Created new zizmor.yaml workflow for security analysis

@duncanmcclean duncanmcclean marked this pull request as ready for review May 25, 2026 16:03
@duncanmcclean duncanmcclean merged commit ec8428d into 8.x May 25, 2026
2 of 14 checks passed
@duncanmcclean duncanmcclean deleted the zizmor branch May 25, 2026 16:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant