Skip to content

chore: pin actions to SHA, fix workflow permissions, add OpenSSF Scorecard badge#254

Merged
fabiocaccamo merged 1 commit into
mainfrom
copilot/increase-security-level-workflows
Apr 17, 2026
Merged

chore: pin actions to SHA, fix workflow permissions, add OpenSSF Scorecard badge#254
fabiocaccamo merged 1 commit into
mainfrom
copilot/increase-security-level-workflows

Conversation

Copilot AI commented Apr 17, 2026

Copy link
Copy Markdown
Contributor

Hardens CI/CD supply chain security by pinning all GitHub Actions to immutable commit SHAs, scoping permissions to the minimum required, and adding the OpenSSF Scorecard badge.

Actions pinned to SHA

  • actions/checkoutde0fac2e (v6.0.2)
  • actions/setup-pythona309ff8b (v6.2.0)
  • codecov/codecov-action57e3a136 (v6.0.0)
  • peter-evans/create-pull-request5f6978fa (v8.1.1)
  • browniebroke/pre-commit-autoupdate-actionf5c3ec85 (v1.0.1) — was pinned to @main
  • test-room-7/action-update-filebe6fb6d9 (v2.0.0)
  • ffurrer2/extract-release-notes273da39a (v3.1.0)
  • ncipollo/release-action339a8189 (v1.21.0)
  • pypa/gh-action-pypi-publishcef22109 (v1.14.0) — was pinned to @release/v1 branch

Permissions tightened

  • All workflows now have permissions: {} at the top level
  • pre-commit-autoupdate.yml: contents: write + pull-requests: write moved to job level
  • update-data.yml: contents: write moved to job level
  • create-release.yml: added contents: write at job level (alongside existing id-token: write)
  • test-package.yml: already had contents: read at top level — no change needed

README

  • Added OpenSSF Scorecard badge after the ruff badge

Checklist before requesting a review

  • I have performed a self-review of my code.
  • I have added tests for the proposed changes.
  • I have run the tests and there are not errors.

@fabiocaccamo fabiocaccamo marked this pull request as ready for review April 17, 2026 08:14
Copilot AI review requested due to automatic review settings April 17, 2026 08:14
@codecov

codecov Bot commented Apr 17, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.61%. Comparing base (e160f37) to head (c78b315).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #254   +/-   ##
=======================================
  Coverage   97.61%   97.61%           
=======================================
  Files           6        6           
  Lines         335      335           
=======================================
  Hits          327      327           
  Misses          8        8           
Flag Coverage Δ
unittests 97.61% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens CI/CD supply chain security by pinning GitHub Actions to immutable SHAs, tightening default workflow permissions, and adding an OpenSSF Scorecard badge to the README.

Changes:

  • Pinned all referenced GitHub Actions to specific commit SHAs across workflows.
  • Set top-level permissions: {} and scoped required permissions at the job level where needed.
  • Added an OpenSSF Scorecard badge to README.md.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
README.md Adds OpenSSF Scorecard badge alongside existing project badges.
.github/workflows/update-data.yml Pins actions to SHAs and scopes contents: write to the job.
.github/workflows/test-package.yml Pins actions to SHAs (but currently introduces/contains invalid steps indentation).
.github/workflows/pre-commit-autoupdate.yml Pins actions to SHAs and moves write permissions to job scope.
.github/workflows/create-release.yml Pins actions to SHAs and scopes contents: write + id-token: write at job level.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 24 to 28
steps:

- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Python ${{ matrix.python-version }}

Copilot AI Apr 17, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

steps: list items are indented at the same level as the steps: key (e.g., the - uses / - name entries), which makes the YAML invalid and will prevent the workflow from running. Indent all step entries under steps: so they are children of the steps: mapping.

Copilot uses AI. Check for mistakes.
@fabiocaccamo fabiocaccamo merged commit 5665f9a into main Apr 17, 2026
26 checks passed
@fabiocaccamo fabiocaccamo deleted the copilot/increase-security-level-workflows branch April 17, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants