
[TASK] Harden GitHub Actions #636

Merged

eliashaeussler merged 1 commit into main from task/actions on May 19, 2026

Conversation

@eliashaeussler eliashaeussler (Owner) commented May 19, 2026

Summary by CodeRabbit

Release Notes

Chores

  • Strengthened CI/CD security with explicit permission configurations and improved credential handling across all build workflows
  • Integrated automated security scanning into the continuous integration pipeline
  • Enhanced release process automation with refined checkout configurations and credential management
  • Optimized build caching behavior for improved workflow efficiency and faster builds


@eliashaeussler eliashaeussler added the maintenance Code base is being maintained label May 19, 2026
@eliashaeussler eliashaeussler self-assigned this May 19, 2026
@coderabbitai coderabbitai Bot commented May 19, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 434c35e and 142b99e.

📒 Files selected for processing (3)
  • .github/workflows/cgl.yaml
  • .github/workflows/release.yaml
  • .github/workflows/tests.yaml

Walkthrough

The PR hardens GitHub Actions workflows by declaring explicit permissions blocks and disabling checkout credential persistence across three workflows. It adds Zizmor security scanning to the cgl workflow and modernizes the release workflow by introducing a shared environment variable for tag handling, updating caching strategies, and replacing the release-action action with a native gh CLI release command.

Changes

Workflow Security and Release Modernization

  • Permissions and checkout security hardening (.github/workflows/cgl.yaml, .github/workflows/tests.yaml, .github/workflows/release.yaml): Explicit workflow and job-level permissions blocks are added across all three workflows, granting read-only access to contents and other necessary permissions. All checkout steps are updated to set persist-credentials: false, disabling credential persistence in the tests, coverage, coverage-report, e2e, cgl, phar, docker, and release jobs.
  • Code quality scanning enhancement (.github/workflows/cgl.yaml): A new "Run zizmor" step using zizmorcore/zizmor-action is added to the cgl job after the migration/rector dry-run section.
  • Release workflow modernization (.github/workflows/release.yaml): The release workflow introduces a global REF_NAME environment variable derived from github.ref_name for consistent tag handling. The phar, docker, and release jobs add explicit permissions and update checkout configuration. Composer installation is adjusted to ignore cache. Docker metadata and tag validation logic switch to use REF_NAME. The docs job updates checkout credentials and changes Node caching from cache: npm to package-manager-cache: false. The release job replaces ncipollo/release-action with a gh release create command, using GH_TOKEN and the compiled PHAR and its detached signature as artifacts with --generate-notes.
Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title clearly and concisely summarizes the main change across all three workflow files: adding security hardening measures (permissions, persist-credentials settings, and new Zizmor scanning).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

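The hardening the walkthrough above describes, as an added illustrative workflow that is not one of the project's own files: workflow-level read-only permissions widened per job, persist-credentials: false on every checkout, a zizmor step, REF_NAME as the single tag source, package-manager-cache: false, and gh release create with a step-scoped GH_TOKEN. Action refs (@<ref>) and the artifact paths under dist/ are placeholders.

```yaml
# Illustrative workflow added here to show the hardening the PR describes;
# it is not one of the project's own workflow files. Action refs are
# placeholders ("@<ref>"): pin them to a tag or, better, a full commit SHA.
name: release
on:
  push:
    tags: ['*']

# Workflow-level default: read-only GITHUB_TOKEN. Without this block the
# token inherits the repository-wide default, which can be "read and write".
permissions:
  contents: read

env:
  # One source of truth for the tag instead of repeating github.ref_name.
  REF_NAME: ${{ github.ref_name }}

jobs:
  cgl:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # only if zizmor uploads SARIF to code scanning
    steps:
      - uses: actions/checkout@<ref>
        with:
          # Default is true: the token stays in .git/config for later steps.
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@<ref>

  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the one job that must publish a release
    steps:
      - uses: actions/checkout@<ref>
        with:
          persist-credentials: false
      - uses: actions/setup-node@<ref>
        with:
          package-manager-cache: false   # was: cache: npm
      # The preinstalled gh CLI replaces a third-party release action; the
      # token is exposed to this single step only, via GH_TOKEN.
      - name: Create release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release create "$REF_NAME" --generate-notes \
            dist/tool.phar dist/tool.phar.asc   # placeholder artifact paths
```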

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@coveralls coveralls (Collaborator) commented May 19, 2026

Coverage Report for CI Build 26122437111

Coverage remained the same at 90.01%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

Coverage Stats

  • Relevant Lines: 1982
  • Covered Lines: 1784
  • Line Coverage: 90.01%
  • Coverage Strength: 10.18 hits per line

💛 - Coveralls

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2



📥 Commits

Reviewing files that changed from the base of the PR and between 0133090 and 434c35e.

📒 Files selected for processing (3)
  • .github/workflows/cgl.yaml
  • .github/workflows/release.yaml
  • .github/workflows/tests.yaml

@eliashaeussler eliashaeussler merged commit bd75701 into main May 19, 2026
34 of 35 checks passed
@eliashaeussler eliashaeussler deleted the task/actions branch May 19, 2026 20:17

3 participants