chore: pin actions to SHA, fix workflow permissions, add OpenSSF Scorecard badge#254
Conversation
Agent-Logs-Url: https://github.com/fabiocaccamo/python-codicefiscale/sessions/a1fba745-54b5-4029-9cfb-18b9b4bf0df6 Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #254 +/- ##
=======================================
Coverage 97.61% 97.61%
=======================================
Files 6 6
Lines 335 335
=======================================
Hits 327 327
Misses 8 8
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
Hardens CI/CD supply chain security by pinning GitHub Actions to immutable SHAs, tightening default workflow permissions, and adding an OpenSSF Scorecard badge to the README.
Changes:
- Pinned all referenced GitHub Actions to specific commit SHAs across workflows.
- Set top-level
permissions: {}and scoped required permissions at the job level where needed. - Added an OpenSSF Scorecard badge to
README.md.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| README.md | Adds OpenSSF Scorecard badge alongside existing project badges. |
| .github/workflows/update-data.yml | Pins actions to SHAs and scopes contents: write to the job. |
| .github/workflows/test-package.yml | Pins actions to SHAs (but currently introduces/contains invalid steps indentation). |
| .github/workflows/pre-commit-autoupdate.yml | Pins actions to SHAs and moves write permissions to job scope. |
| .github/workflows/create-release.yml | Pins actions to SHAs and scopes contents: write + id-token: write at job level. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| steps: | ||
|
|
||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
|
|
||
| - name: Set up Python ${{ matrix.python-version }} |
There was a problem hiding this comment.
steps: list items are indented at the same level as the steps: key (e.g., the - uses / - name entries), which makes the YAML invalid and will prevent the workflow from running. Indent all step entries under steps: so they are children of the steps: mapping.
Hardens CI/CD supply chain security by pinning all GitHub Actions to immutable commit SHAs, scoping permissions to the minimum required, and adding the OpenSSF Scorecard badge.
Actions pinned to SHA
actions/checkout→de0fac2e(v6.0.2)actions/setup-python→a309ff8b(v6.2.0)codecov/codecov-action→57e3a136(v6.0.0)peter-evans/create-pull-request→5f6978fa(v8.1.1)browniebroke/pre-commit-autoupdate-action→f5c3ec85(v1.0.1) — was pinned to@maintest-room-7/action-update-file→be6fb6d9(v2.0.0)ffurrer2/extract-release-notes→273da39a(v3.1.0)ncipollo/release-action→339a8189(v1.21.0)pypa/gh-action-pypi-publish→cef22109(v1.14.0) — was pinned to@release/v1branchPermissions tightened
permissions: {}at the top levelpre-commit-autoupdate.yml:contents: write+pull-requests: writemoved to job levelupdate-data.yml:contents: writemoved to job levelcreate-release.yml: addedcontents: writeat job level (alongside existingid-token: write)test-package.yml: already hadcontents: readat top level — no change neededREADME
Checklist before requesting a review