You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ci: port zizmor audit hardening to next (backport of #4200) (#4310)
Applies the GitHub Actions security hardening from #4200 (main) to the
next branch's reworked workflows:
- Add top-level least-privilege `permissions: {}` to ci.yml, release.yml
and gh-pages.yml, with scoped `permissions:` on jobs that need write
access (the release publish job's existing contents/id-token trusted
publishing permissions are preserved).
- Add `persist-credentials: false` to every actions/checkout step.
- Avoid expression injection in the release step by passing the version
through an environment variable.
- Mark the add-to-project pull_request_target trigger with a zizmor
dangerous-triggers ignore.
- Add a dependabot cooldown (default-days: 7).
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Samuel Attard <sattard@anthropic.com>
Co-authored-by: David Sanders <dsanders11@ucsbalum.com>
0 commit comments